Cybersecurity’s Emerging DevOps Challenge in 2020
Security teams have to shift left and enable automation to remain relevant in DevOps.
Join the DZone community and get the full member experience.Join For Free
As cloud technologies evolve and businesses jostle to become Agile, it’s time for cybersecurity to join the evolutionary race. Virtualization enabled physical data centers to transform, and cloud-based operating systems and application infrastructures served as the foundation for developers to access software resources without the headache of managing infrastructure.
However, cybersecurity has yet to take the bold step forward in line with the rest of the IT world. Security teams are expected to fight barehanded against hackers and malicious actors. Their traditional weapons such as firewalls, IPs, and host-based security tools are obsolete in the cloud, and cloud security tools that are meant to replace them are largely ineffectual.
You may also enjoy: Securing DevOps
In practical terms, while all the rest of the organization has stepped forward, IT security has been pushed back a decade. Leading cloud vendors provide little more than basic routing and packet filtering, while even basic firewalls comprise IPS/IDS, user awareness, layer 7 awareness, and more. Cybersecurity teams have only two applicable control planes: app security, and data security.
Challenges in App Security
Led by Microsoft’s SDLC and OWASP, organizations have been trying to absorb app security techniques into their product lifecycle for years. The biggest challenge isn’t finding the right security tools, but increasing the security-consciousness of developers. There’s no tool to compensate for a lack of app security, which inevitably opens a gaping hole in cloud security overall. It’s time for security teams to take things to the next level — by overseeing a change in security mindset.
The Bold Next Step for Cybersecurity Teams
CISOs today have no choice but to rethink their entire security strategy in order to drive security upstream and establish new security-focused partnerships. The decay of traditional security tools has brought a corresponding failure in the traditional security system. It’s time to embed security as part of the development process, rather than retaining it as a separate department. Baking security into the app CI/CD cycle raises app resilience, decreases vulnerability, and improves app stability. However, it’s easier to describe than to achieve; baking in security measures means engaging the entire DevOps team with a new, competing objective.
Advancing to Automated Security
Developers and programmers never liked to have to slow down the release process by going through security, but in the past, they had no choice. They had no way to install servers or configure firewalls without the assistance of security teams, so they accepted the severe production delays caused by manual security checks. Set against a background of waterfall development and annual product release cycles, the delay was bearable.
However, new CI/CD methodologies together with Agile development practices enable organizations to bring updates to market astonishingly fast. Now that DevOps teams can release new app versions every couple of hours, they can no longer put up with the extra wait for slow, manual security checks.
Automation is a vital factor in the speed of DevOps teams, but security teams are stuck with cumbersome manual security measures that are slow to respond to threats. For security to keep up with development and operations, it needs to join the shift to the left and adopt similar automation tactics that spread security measures throughout the product lifecycle.
Why Security Needs to Shift Left
By shifting to the left, security teams can play an active role in the CI/CD process, reducing the need for obsolete traditional security controls. Shift left means that security teams can gain new insights, add value, and embed security controls at each iteration, providing flexible and Agile security coverage that bypasses the need for network and infrastructure control planes.
For example, security teams can enforce boundary protection by defining and managing an identity for every component in each app, instead of relying on IP addresses or networking segments. This allows app components to freely interact with each other according to business need, supporting Agile business practices without compromising on security. Shifting left can also include automated code scanning and secure code libraries that permit faster coding.
By shifting security measures left to permeate the entire CI/CD pipeline, security teams can verify secure deployment without slowing it down with manual approval processes. As long as an action falls within the bounds of predefined security policies, there’s no need for DevOps personnel to wait for security approval.
Collaborating on Continuous Security
Cutting edge continuous security relies on strong collaboration with development and operations teams, forming a new conglomeration of DevSecOps. Each team contributes information that’s vital for effective security. By combining all the information, the security team can create a blueprint for a secure app. This serves as a whitelist of interactions, functions, and methods, which is faster and more efficient than the traditional blacklist model.
By creating a new DevSecOps taskforce, organizations can decentralize security management and oversight. Predefined security guardrails for different projects enable DevOps personnel to work freely without needing to acquire specific permissions for every action, lowering friction and raising security posture while supporting a faster time to market.
Cybersecurity sits at a crossroads. It can either adapt to the Agile business landscape by shifting left, embracing automation, and joining the DevOps approach, or it can continue to feebly attempt to enforce obsolete security measures that add friction to the product lifecycle, hold back the business, and compromise security. Without taking the final bold step to shift left, teams will be at risk of writing themselves out of a job.
Opinions expressed by DZone contributors are their own.