BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage Articles DevSecOps: the Key to Securing Your Supply Chain in a Multi-Cloud Threatscape

DevSecOps: the Key to Securing Your Supply Chain in a Multi-Cloud Threatscape

Bookmarks

Key Takeaways

  • Taking a look at recent supply chain attacks as a litmus test for the state of DevSecOps, we can see a definite need for an improved security framework in DevOps.
  • With increased focus on cybersecurity and a surge in IT security spending, businesses should first reevaluate their approach to DevOps.
  • DevSecOps is all about: leveraging your CI/CD platform and containers, increasing testing and scanning across the SDLC, and minimizing manual security measures with AI/ML.
  • This shift left may require a full organizational shift across several business units, but overall security posture will drastically improve rather quickly.
  • Businesses that employ a DevSecOps framework will not only bolster breach prevention, they will add business value as they deliver safer products and services that better protect their businesses and customers.

DevSecOps meets the moment

With several recent supply chain and cloud attacks, businesses are now looking to developers to strengthen enterprise security.

Due to the rapid shift to remote and hybrid work models, we have seen an explosion in cloud adoption and digital transformation across all sectors. This transformation is not inherently bad, but companies must keep in mind – the more services they use, the more vulnerabilities and risks they will be exposed to. With more exposure to vulnerabilities, companies are finding they need new approaches to security. Gartner forecasts that in 2021, worldwide spending on information security and risk management technology and services will grow 12.4% to reach $150.4 billion.

You may be thinking – but today’s enterprises already have several security processes in place, as well as vendor risk management programs. You are correct, companies possess several programs and partners designed to help enterprises and customers feel good about a company’s security posture. Until now, that is what enterprise security has largely been about – going through the motions and checking off boxes. This will never make a company truly secure. In fact, missing or inadequate vendor risk management may be the most serious threat to companies today in terms of supply chain security.

With 2021’s cybersecurity reckoning, there has been a shift, perhaps due to the stakes in cloud being higher than ever. Businesses are feeling the pressure to prioritize and spend on more modern security. Gartner found that among CIOs in 2021, cybersecurity is the top priority for new spending.

GitLab Inc’s latest annual DevSecOps report found that in 2021 the majority of IT and security practitioners will focus their investments on the cloud, followed by AI. Before businesses run to vendors to secure themselves and their customers, they should evaluate what practical, proactive steps they can take internally, beginning with DevOps.

There was a time when developers and business leaders rarely had to consider security – they left that area of expertise to CIOs and security teams. Even though we have been catapulted into a multi-cloud environment, cloud security and compliance issues still tend to be afterthoughts, according to PwC’s Cloud Business Survey. The good news, according to the survey, is that the entire C-suite, not just CIOs, are beginning to take responsibility for cloud security and organizational security in general.

With modern expectations of go-to-market speed, today’s security leaders are pumping the brakes on rapid development and looping developers into security. As developers rushed code through CI/CD pipelines, businesses found that security tests and checks can often be bypassed, inadequate, or even compromised. They’re still grappling with this dilemma, looking for the right answer.

Enter DevSecOps – a framework that is much more than a buzzword or a momentary trend. I would argue that DevSecOps is on its way to becoming synonymous with DevOps, because security is expected of today’s developers more and more. At GitLab Inc, we define these components as key to a DevSecOps end-to-end security framework:

  • Application security testing and remediation: Employing a host of scans like SAST, DAST, and secrets detection
  • Cloud-native application protection: Using Kubernetes clusters and container scans to identify vulnerabilities and protect your applications
  • Policy compliance and auditability: Meeting license compliance standards through continuous documentation and transparency
  • SDLC platform security: Creating code on a industry-leading CI/CD platform that prioritizes and meets IT security standards

A business’ primary objective is to create a lucrative and successful product or service, with hopes of becoming a market leader, but we are seeing that security will separate the good from the great among tomorrow’s enterprises. In order to avoid major breaches, like the recent Kaseya, Colonial Pipeline, SolarWinds and JBS supply chain attacks, it’s critical that all leaders take a deeper look at their security processes and become active participants in security initiatives. Leaders are not aligned and unified on the importance of security, and this is where they have to start if security is to improve across an engineering and product organization.

The State of DevSecOps

Research indicates that developers are adopting a security-first mindset, but there is still a need for more security and IT collaboration, proactive frameworks, and increased use of AI/ML tools.

GitLab Inc’s annual DevSecOps report found significant increases in security among organizations that use DevOps. In fact, 72% of security professionals rated their own organizations’ security efforts as "good" or "strong." Plus, DevOps teams are running more security scans than ever before: over half run SAST scans, 44% run DAST scans, and around 50% scan containers and dependencies. All of this points to a growing industry embrace of the DevSecOps approach. In fact, 70% of security team members say security has shifted left.

However, there are still roadblocks on the way to integrating security and DevOps. Over three-quarters of security team respondents continue to think developers find too few bugs, and find them too late in the SDLC. On DevOps teams, 42% of respondents feel security testing is happening too late in the process and almost 37% said tracking the status of bug fixes is challenging. All of this indicates a reactive approach to security in the development process. Developer and security teams tend to stay in their respective areas of expertise, then react when a breach or vulnerability arises.

To reduce manual testing and scanning, DevOps practitioners are beginning to tap AI/ML tools and technologies. GitLab Inc’s DevSecOps survey found that 1 in 4 respondents claimed to have full test automation, up 13% from 2020. The survey further found a dramatic jump in the use of AI/ML or bots for test and code review. 75% of teams are already using or planning on using this new technology, up 41% from 2020. CI/CD platforms are ramping up their ML capabilities for a smoother, more secure DevOps process, and the use of these tools will only grow more ubiquitous in the coming years.

While some progress has been made since DevSecOps hit the mainstream, companies will not have successfully adopted DevSecOps until they begin approaching security with a proactive mindset. As security and IT align on a singular vision, successfully execute an agreed upon strategy, and modernize and secure their workflows, they will grow to be less reactive, more proactive, and more synergistic.

Overcome the Barriers and Employ a DevSecOps Framework

As companies continue to move to the cloud, it’s becoming increasingly apparent they should be integrating DevSecOps into their cloud infrastructure. Some pain points will likely arise, but their duration will be short and their payoffs large.

One of the biggest barriers to the effective adoption of DevSecOps is the belief that it will generate friction with go-to-market speed. Today, business success depends on rapid development and fast, iterative releases. Initially, implementing a DevSecOps framework may feel like placing speed bumps throughout your CI/CD pipeline. There is a possibility that new security processes may create challenges for security teams prioritizing security and IT teams focused on moving releases out, but with that ‘friction’ will also come the initial result of DevSecOps implementation — end-to-end security in its infancy. It does not take long after implementation for you to see positive results.

The important thing is to get the ball rolling on DevSecOps. Organizations have to start somewhere. They do not need several security platforms or tools. Businesses can begin right now. And as you develop the DevSecOps framework that is right for your organization, your security practices will have to evolve with your business.

With organizational evolution, scaling is another common pain point for DevSecOps. It can be difficult for an organization to predict the cost of scaling DevSecOps as they scale their business. In addition, tool chains across the cloud have grown increasingly complex, making it difficult to set policies or workflows in one tool and know that they are followed throughout the toolchain. However, these problems could be addressed with the adoption of a single, end-to-end DevOps tool that includes security. A single DevSecOps platform has the potential to enable entirely new methods of detecting and mitigating application threats, while doing so more efficiently than a non-integrated platform.

Organizations can ensure they’re doing due security diligence, strengthening their supply chains, and improving their approach to DevSecOps by:

  • Maintaining dependency visibility to ensure everybody developing software understands its dependencies
  • Leveraging CI/CD pipelines to integrate automatic SAST and DAST testing into the development process
  • Having developers complete vulnerability and dependency scanning as they write their code, before they even commit or merge
  • Implementing automated AI/ML tools to reduce manual security and increase support scanning, monitoring, and reviews
  • Investing in secrets management solutions to improve security in your multi-cloud environment

Bolster Breach Prevention and Improve Overall Security Posture

Major breaches, like a supply chain, ransomware, or cloud attack have long been treated with reactive measures. By prioritizing security throughout the software development lifecycle, teams can catch and address the vulnerabilities exploited in many of these attacks and drastically reduce the risk of a breach.

By shifting security left, leaders can prioritize security testing, leading to faster remediation of vulnerabilities, and allow developers to release code faster.

In fact, this new mode of operation goes beyond shifting left to make security a priority across disciplines and organizational departments. DevSecOps will change underlying business cultures to ones that embrace security and consider the downstream security impacts of decisions. This shift in culture may seem unimportant to security, but the recent increase in major ransomware attacks on national supply chains suggests the current compartmentalization of disciplines is leaving gaps in security, leading to exploitable vulnerabilities.

IT, security, and business leaders must now work together to ensure that their organization as a whole is successful and protected. As more departments take responsibility for security, enterprises can release applications built with security in mind from day one.

In order to become a security-first organization and build out a DevSecOps framework, here are some tangible next steps your organization should take:

  1. Define your KPIs: Take a holistic look at where your business can improve security – assess your vendor risks, compliance requirements, and security gaps. This stage of exploration will define your process, your investments, and where you see improvement.
  2. Rally internally: Across your board of executives and across your teams, you need an organizational prioritization of security. Demonstrate that each piece of the business has a role to play, and the best way you can protect your business is together.
  3. Align on process: Divvy up ownership of security duties across business departments, and be prepared to collaborate with new people within your organization.
  4. Prioritize initiatives: In the beginning, your security initiatives may feel more reactive and focus on immediate needs. Begin by immediately patching up blatant security gaps, then work toward a more proactive, long-term model.
  5. Execute on strategy: Activate and collaborate across your teams, sharing feedback and progress across the organization.
  6. Evolve your strategy: You cannot set and forget security measures. Your protocols and priorities should evolve with your business. Security is like any other pipeline, it needs continuous iterations and improvements.

The transition to a DevSecOps framework will feel like any other organizational shift at first, but companies who embrace the shift will quickly improve their overall security posture. Bolstering security is a business decision that requires buy-in from the entire organization, and it impacts overall business value. Successfully implementing a DevSecOps framework enables companies to:

  • Add business value: Your business will be able to offer safer data, safer products, and a competitive edge, which strengthens your brand and your image.
  • Add customer value: With this framework, you can meet customers’ security requirements and improve your protection of customer data.
  • Maintain compliance: As more industry-standard and government-standard compliance requirements roll out, you will be prepared to meet the demand.
  • Build community: As you prioritize security, you will build trust & confidence with your customers and partners.

Conclusion

The reactive approach to security is a flawed one. With attack surfaces spread wider than ever following the mass migration to the cloud, organizations need to seriously consider the role security plays in their development. The more proactive an organization can be, the better off they and their users will be.

The private and public sectors are taking a harder stance than ever before on cybersecurity. In May, the Biden Administration announced an executive order that aims to create new security standards across the private and public sector. With an increase in cybersecurity standards and reviews, mandatory reporting, and information sharing, enterprises will be expected, even moreso, to give security their due diligence. Companies have always had their own security and customers’ security to consider, but there is an increasing role to play in national security as well. Businesses can’t wait. They need a decisive shift. They need a DevSecOps framework.

This is a moment for IT and security professionals to rise to the occasion. What could a DevSecOps framework or a sharper risk management process have done for Kaseya, Colonial Pipeline, SolarWinds, or JBS? We’ll never know, all we do know is what tangible actions we can take now.

While the industry has been discussing shifting left for several years, it’s time that companies stop paying lip service to the idea and start taking action. The risks are too great: become the victim of a cyber attack, lose out to competition, or lose the faith of customers. Employees, users, and consumers deserve decisive actions that will deliver safer products and keep them protected.

About the Author

Johnathan Hunt, VP of Security at GitLab Inc, has been in the infosec and cybersecurity space for over 20 years and has worked across several verticals including SaaS, financial, telecommunications, healthcare, government and more. He has focused on building or maturing security programs at multiple companies including two Fortune 500’s and multiple startups. Johnathan is particularly passionate about bug bounty, supply chain security and DevSecOps. He has presented at several conferences, podcasts, interviews and blog series on these topics. He holds numerous security certifications and has a master’s degree in information systems.

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT