Playing Offense in the Name of Application Security
August 11, 2020

Christian van den Branden
ZeroNorth

Digital transformation isn't just changing how businesses compete in the marketplace. It is changing how companies operate, especially with regards to security. Traditional models are being pushed aside to make way for more expansive thinking — and that includes a cultural shift within the classic DevOps model.

As one of the core enablers of digital transformation, DevOps integrates digital technology into all aspects of business process, culture and customer experience. It is a philosophical approach to software delivery that empowers collaborative development, team autonomy while speeding time to market. DevOps encourages innovation, promotes a competitive edge and reduces cost without sacrificing velocity or quality. It is a set of practices that can help you optimize an organization's method for developing software through each step of its lifecycle. This sounds great, but it is not always easy to achieve.

Making the Right Moves

To ensure that security is successfully integrated into the DevOps model — and risk is properly addressed — you will need to do more than just embrace the concept of DevOps. You will need to assume an offensive position. And no, this isn't just another sports analogy. Thinking proactively is key to empowering business teams and improving application development. Because when you assume an offensive stance in software development and vulnerability management, you immediately gain more control over the triad of security, risk and compliance.

The time is now to play offense in security. Part of this challenge is uncovering what this really means and how it can be achieved. Effective management of security, risk and compliance in DevOps, as well as the various teams involved, cannot come at the expense of control, consistency and accountability. While these are not the first words that spring to mind when considering DevOps models, they offer some important guidelines on how to approach security with a clear, offensive strategy.

Control

As DevOps continues to evolve as an alternative to traditional waterfall and a natural extension of agile development, there is a risk that security be left behind. To give yourself more control over security and risk management, it is important to make a proactive shift into DevSecOps. This security-enhanced mindset supports the notion of integrated security from the start, a continuous cycle much like an infinity loop, with each phase flowing into the next. Without a closed-loop process, risk managers have no way to validate remediation. Proactively incorporating security earlier in the process creates shorter feedback loops and eases complexity, enabling engineers to find and fix issues more readily.

But we all know, building perfectly secure applications isn't possible. That is why leaders must balance the need for speed and security by embracing the iterative nature of Agile, where progress can be made incrementally over time. Although this may not feel like control, this type of collaborative workflow preserves the teamwork, agility and speed of DevOps while allowing security to integrate at multiple points in the software development lifecycle (SDLC). And the earlier security is introduced into the SDLC, with scanning tools in place at every phase, the more control you have over your application security and vulnerability management program. Without an offensive plan, security will only get harder.

To achieve this without hampering the velocity of teams, it important for your toolchain to give you the ability to centrally define and manage security policies, but enable teams to apply them programmatically within their pipeline.

Consistency

Developers often rely on basic security tools to build applications, but there are no consistent DevOps processes for security testing, and point security tools often fall short of expectations. This means applications may well be deployed into production with critical vulnerabilities — at which point, they are much harder to find and even more expensive to fix. To achieve consistent testing, there is a need to incorporate multiple application security tools and orchestrate their execution within the development process. This will help companies build and deliver applications that are more secure from the outset and support them in effectively meeting business, customer and governance demands.

Consistency in DevOps is also about driving quality standards. To push out top-notch software, as quickly and affordably as possible, you need comprehensive, continuous and accurate visibility into where risk lies — and how it might impact the business. This comes from testing, early and often. Automating your testing to run continuously in deployment, instead of performing manual operations, allows teams to utilize static and dynamic analysis (SAST and DAST), as well as software composition analysis (SCA) for control over open source components, to gain better visibility. Orchestrating these testing processes within a continuous integration and delivery (CI/CD) pipeline is the way to consistently enforce an application security program without impacting the autonomy or velocity of the teams.

Accountability

DevOps isn't all about playing nicely with others. It demands real accountability, especially when things go wrong. Who is ultimately responsible for security in such a model? And how does this accountability question affect the delivery of reliable software? In keeping with the DevOps mentality, both delivery teams and security practitioners play a role in keeping software secure. But when everyone is accountable, sometimes no one is accountable — especially as the size of a company grows.

Without the right tools and processes in place to support the DevOps journey, chaos ensues. This is where proactive, offensive action comes in. Teams cannot gain the visibility they need without the proper tooling and an efficient process in place to know who is responsible for addressing security issues. This is why organizations must begin to focus on adopting tools that optimize visibility into their applications. As more businesses transition into a DevOps mindset, the need for well-defined roles and processes will become increasingly valuable.

This level of accountability happens in the build functions themselves. By creating a loop of constant feedback, where software can be built, analyzed and tested by cross-functional teams — and with automation speeding up the entire delivery process — people can begin to rely on systems for better security. This level of tight integration among development, operations and product security is key to reaching your business goals because it ensures the delivery of a secure product. But many organizations say breaking down walls and building bridges of shared accountability in DevOps is a struggle, both to understand and to implement. The key is to operationalize this within the toolchain itself, leverage ChatOps for alerting, and use reporting capabilities for inspection and review.

Takeaway

All organizations are under pressure to deliver value faster. DevOps is transformational and allows organizations to achieve this goal. In the same vein as quality, application security is not optional. Compromising on security exposes a company to risk, of intellectual property, customer data and/or brand integrity.

The key to ensuring application security happens, without scaling back the velocity of the organization, is to be proactive and offensive. To do so, you will want to apply the mindset of DevOps to your application security program. By investing in the proper tooling, you gain the ability to centrally define security policies but enable teams across the organization to apply them programmatically through automation and orchestration, right within their delivery pipelines.

Using ChatOps for alerting and reporting capabilities to assess the overall risk posture allows organizations to meet their security requirements without impacting the velocity of their teams. It allows them to accelerate software delivery by speeding up the discovery and remediation of security vulnerabilities while offering customer value — quickly and securely.

Christian van den Branden is SVP Engineering at ZeroNorth
Share this

Industry News

November 24, 2020

Red Hat announced new capabilities and features for Red Hat OpenShift, the company's enterprise Kubernetes platform.

November 24, 2020

Sectigo released Chef, Jenkins, JetStack Cert-Manager, Puppet, and SaltStack integrations for its certificate management platform.

November 24, 2020

DataStax released K8ssandra, an open-source distribution of Apache Cassandra on Kubernetes.

November 23, 2020

Spectro Cloud has released a new, self-hosted version of its flagship product, Spectro Cloud.

November 23, 2020

GitLab completed integration of Peach Tech, a security software firm specializing in protocol fuzz testing and dynamic application security testing (DAST) API testing, and Fuzzit, a continuous fuzz testing solution providing coverage-guided testing.

November 23, 2020

Fugue announced the availability of its SaaS product in AWS Marketplace, further simplifying the process for Amazon Web Services customers to use Fugue to bring their environments into compliance quickly, demonstrate compliance at any time, and Shift Left on cloud security.

November 19, 2020

Rollbar announced AI-assisted workflows powered by its new automation-grade grouping engine.

November 19, 2020

Buildkite expanded its integration with GitHub and introduced a new onboarding experience.

November 19, 2020

Rancher Labs launched a new Partner Program for the OEM and embedded community.

November 18, 2020

Puppet announced its evolution to an integrated automation platform to enable key business initiatives such as scaling DevOps, risk reduction, policy as code, and evolving cloud strategies.

November 18, 2020

Adaptavist has joined the GitLab partner program as a Select partner.

November 18, 2020

Postman launched the beta version of public workspaces, a hub that makes it possible for both API producers and consumers to seamlessly communicate and collaborate in real time without team or organizational boundaries.

November 17, 2020

Red Hat introduced new capabilities for Red Hat Enterprise Linux and Red Hat OpenShift intended to help enterprises bring edge computing into hybrid cloud deployments.

November 17, 2020

Humio announced the availability of the Humio Operator.

November 17, 2020

Accurics announced that Terrascan, the open source static code analyzer that enables developers to build secure infrastructure as code (IaC), has been extended to support Helm and Kustomize.