Cybersecurity matters more than ever in a hyper-connected world, and DevSecOps is here to tackle it head-on. Cyber-attacks are the 6th most potentially devastating world event (behind items like weapons of mass destruction and extreme weather events) and the 5th most-likely-to-happen event (behind data fraud/theft and failure of climate change mitigation) according to the World Economic Forum’s Global Risks Report 2019.
This isn’t just scaremongering. This is a real threat, on a global level.
And on a local level? Well, according to PwC’s 2018 report, The Global State of Information Security: The Australian Story, only 36% of Australian businesses have an overall information security strategy, lagging behind the worldwide average of 56%. The report also uncovers that 74% of clients are prepared to switch vendors in the event of a data breach.
Here we have a potentially toxic combination for software product vendors and development houses: businesses that are perhaps unprepared (or at least underprepared) for cyberattacks, and clients that might just take their business elsewhere in the event of a breach.
This means that software development houses need to take inbuilt security very seriously. If clients aren’t willing to fortify their own systems to ideal standards, then you had better make absolutely certain that your software is built as securely as possible, or you’ll lose business.
How do we do this?
We talked to some of Australia’s foremost DevSecOps professionals in business to hear their thoughts about the future of this practice: Hannah McKelvie, DevOps & Code Security Manager at Telstra, Adrian Ludwig, CISO at Atlassian, Yuri Melo, Director of the Advanced Security Centre at EY, Jason Ellul, Director of Technology, APAC at Contino, and Bill Hamawi, DevOps Manager at Plutora.
DevOps: The birthplace of DevSecOps
Just 10 years ago, a buzz was building. DevOps, the intersection of software development, automated testing and building, and rapid delivery was garnering worldwide interest. It was an exciting time to be talking software development – at least if you were in the managerial space.
Developers themselves were more cautious about this new development and delivery automation pipeline. Would it really work? Was this just another case of managers barking out the latest “it” word, in an attempt to try and hurry up the process?
As it turns out, DevOps has since matured into an established practice and can work magic for the software development and delivery pipeline, if it is implemented correctly, with a strong internal culture and practices built to support the process.
It is the implementation that can go wrong, and a poor implementation is what keeps both developers and managers wary of DevOps as an overarching approach, even while they swear by tools and workflows that are inherently DevOps.
For those with a more mature DevOps workflow, it’s time to look at injecting security into the pipeline, with automated checks that enforce compliance rather than relying on manual sign-off.
“DevSecOps is a branch off DevOps with security principles at its core function and purpose.” – Hamawi.
The developer’s role in cybersecurity
Melo suggests that “a solid understanding of common security issues can be obtained easily by proactive developers and standard security development patterns can be easily deployed.”
That proactive word is tricky, though. Melo makes a good point by saying, “Security vulnerabilities can be introduced easily by developers who are not aware of cybersecurity issues.” This is true even of a highly trained DevOps engineer.
The developer’s role in cybersecurity isn’t always clear unless it is spelled out explicitly and backed by management, so codifying security into developer practices and workflows is essential if security itself matters. In short, a developer must know exactly what to do to code securely, or they won’t.
If we do this, the developer is bound to build secure by design, following established secure coding practices: using a known-good, pinned version of an external library rather than whatever is latest, thorough testing (e.g. code quality and security tests that run automatically), and so on.
At Atlassian, they’re making it easier for developers to spot security flaws, through implementing DevSecOps tools. Says Ludwig, “We’re doing a lot of work to make sure our security tools are integrated directly into the developer workflow — so that a developer can find out about a potential security issue at the moment they write the code, rather than waiting until after the code goes into production and security testing is completed.”
“We’ve had to build a process that provides a lot more, smaller security checks. This is done with a combination of tooling, automation, and continuous monitoring to help our engineers ship more secure code.”
“For example, we’ll scan source code directly within the developer workflow and notify the developer when they go to check-in code.”
This automates security within developers’ workflows, so they don’t have to remember to do manual security checks.
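The check-in-time scan described above can be made concrete. The following is an added example and not Atlassian’s tooling: a small SAST-style gate, written with Python’s standard `ast` module, that a pre-commit hook or CI job could run over changed Python files and report findings to the developer at check-in. The sample file it scans is constructed for the example, and the rule set (hard-coded credentials, `eval`/`exec`, `subprocess` with `shell=True`, `yaml.load` without a `Loader`) is an illustrative subset of what a real scanner checks.

```python
"""Check-in gate: a lightweight SAST-style scan run before code is committed.

Added example, not Atlassian's scanner. Wire `check_in_gate` into a pre-commit
hook or CI job so findings reach the developer when they check in, not after
the code is in production.
"""
import ast
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed heuristic for secret-like variable names; a production tool would
# also use entropy checks and known key formats.
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.IGNORECASE)

SUBPROCESS_CALLS = {"subprocess.run", "subprocess.Popen",
                    "subprocess.call", "subprocess.check_output"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(func: ast.AST) -> str:
    """Render `eval` or `subprocess.run` from a Call node's func expression."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


class _Visitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        # Hard-coded credential: a secret-like NAME assigned a non-empty string literal.
        for target in node.targets:
            if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding("hardcoded-secret", node.lineno,
                                             f"{target.id} assigned a string literal"))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node.func)
        if name in {"eval", "exec"}:
            self.findings.append(Finding("dangerous-builtin", node.lineno, f"call to {name}()"))
        if name in SUBPROCESS_CALLS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding("shell-true", node.lineno, f"{name} with shell=True"))
        if name == "yaml.load" and not any(kw.arg == "Loader" for kw in node.keywords):
            self.findings.append(Finding("unsafe-yaml-load", node.lineno, "yaml.load without Loader"))
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<memory>") -> List[Finding]:
    """Parse one Python file and return its findings ordered by line."""
    visitor = _Visitor()
    visitor.visit(ast.parse(source, filename))
    return sorted(visitor.findings, key=lambda f: f.line)


def check_in_gate(files: Dict[str, str]) -> int:
    """Hook entry point: print findings, return 0 if clean or 1 to block the check-in."""
    total = 0
    for name, src in files.items():
        for f in scan_source(src, name):
            print(f"{name}:{f.line}: [{f.rule}] {f.detail}")
            total += 1
    return 0 if total == 0 else 1


# Constructed sample file for the example; line numbers matter for the findings.
SAMPLE_FILE = '''\
import os
import subprocess
import yaml

DB_PASSWORD = "hunter2"          # line 5: literal credential in source
API_KEY = os.environ["API_KEY"]  # line 6: fine, read at runtime

def run(cmd):
    return subprocess.run(cmd, shell=True)   # line 9: shell injection risk

def load(text):
    return yaml.load(text)                   # line 12: arbitrary object construction

def calc(expr):
    return eval(expr)                        # line 15: code execution on input
'''

if __name__ == "__main__":
    raise SystemExit(check_in_gate({"app.py": SAMPLE_FILE}))
```

Running the module prints the four findings for `app.py` and exits non-zero, which is what a pre-commit hook needs to stop the commit; a clean file returns 0. The design point is that each rule is a few lines over the syntax tree rather than a regex over text, so a renamed variable or a keyword argument on a later line does not slip past.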
Why do we need security in DevOps procedures?
Melo outlines why there is a critical need to inject security into the DevOps process: “As DevOps procedures make the deployment of applications faster, waiting until the end of a development sprint can be too late to address security vulnerabilities.”
Traditionally, security checks were done at the end of a software iteration. They now need to be baked into the pipeline, in the same way that continuous testing and deployment are already baked into DevOps.
He goes on to say that by doing this, “DevOps procedures with security considerations brings security awareness to the developer teams, builds a security conscious culture and strategically improves end-to-end security coverage.”
Or, as Ellul puts it, “DevSecOps builds on the idea that cross-functional teams must work together and builds on the mindset that “everyone is responsible for security” with the goal of distributing security decisions at speed and scale in a safe and controlled manner.”
DevOps without inbuilt security is bound either to delay the Continuous Integration / Continuous Delivery pipeline, when security is bolted on at the end, or to ship insecure code. That is why the ‘Sec’ is so important for DevOps.
Building a secure continuous delivery pipeline
With more and more businesses switching over to DevOps practices, this now “requires close collaboration between Security and DevOps teams, looking at shared accountability as a strategy for meeting the goal of Security at Speed,” as McKelvie says.
On a basic level, Hamawi notes the necessary steps for introducing DevSecOps to the workplace:
- The team needs to be transparent with each other and understand each team’s limitations and their functions.
- Make sure that the right people are empowered to deliver projects with the correct amount of visibility.
- Have a diverse toolbox that allows employees to correctly function together.
What does this look like in practice?
Ellul further elaborates how to start the process:
- “Identify the mandatory legal, regulatory and organisational obligations – these will define your mandatory security control requirements.
- Start by adding security controls in the application and infrastructure layers; specifically choose an area that is your greatest pain point.
- Test these controls continuously in an automated manner. Don’t be afraid of initial failures, this is to be expected!
- Identify senior developers within the team that have a vested interest in security and influence them to become a security champion. Empower this champion to make security decisions that align with internal and external controls and mentor the wider team.
- Measure KPIs: “live and die” by metrics.”
McKelvie explains how they began the shift to DevSecOps at Telstra: “Initially, we incubated our Security SMEs into the DevOps teams and had people co-located to provide real-time security advice, governance, and skills uplift.” Following this initial stage, skills are strengthened by “working with all our DevOps teams to find people who are passionate about improving the quality of their solutions, specifically with respect to security,” enrolling these key staff into their inhouse Security Champion Program.
Melo also notes existing processes that can be implemented now and that will become more prevalent among businesses in the future: “The use of automated solutions such as Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) will increase to provide developers with a faster feedback loop to close security vulnerabilities early.”
Why DevSecOps is the future of security
“In order to compete in the digital economy, organisations are increasingly competing on time-to-market and with the growth in Agile environments, organisations need to facilitate high-speed solution delivery.” – Melo
Simply put, DevSecOps makes business more efficient and thus more competitive.
Ellul outlines the following key outcomes that have a “direct business value and can help drive increased Return on Investment”:
- Focus on availability architecture helps increase uptime and the availability of the service
- An increase in deployment speed and frequencies
- Lower number of tickets opened (due to reduced security related issues)
- Fewer security-related delays (build time)
- Fewer security findings (build time)
- Less time spent resolving security issues
- Faster response to security incidents
While the essential software developer skills in 2019 include experience in Agile development, Agile will certainly see more security focus in the future, as a natural evolution towards DevSecOps as standard for software development.
For those looking to break into the industry, learning a top programming language will still be highly relevant, but it will need to be put into practice within a security-focused development and deployment environment. Cybersecurity jobs with a focus on infrastructure-as-code from an enterprise-wide perspective will be critical for successful business operations.
It’s going to be a brave new world in the software development space. Be prepared for an exciting future and get involved with the DevSecOps movement.