Learning From Data Breaches: Integrating Security in DevOps
How major data breaches can inform the way security is integrated into DevOps.
On September 6, 2018, airline giant British Airways disclosed a data breach affecting the personal and financial data of approximately 382,000 customers. Ticketmaster reported a similar breach in June 2018, and this month marks the one-year anniversary of the Equifax breach, which affected roughly half of the US population. A common denominator of these breaches is the speed at which code was published, ahead of the security assurance it needed.
In the time it takes you to read this post and finish your morning coffee, a company at the vanguard of DevOps, such as Etsy, Amazon, or Netflix, will have completed yet another deployment, one of potentially thousands per day. Deployment frequency has accelerated to a pace that would have been unthinkable just six years ago, often at the cost of robust security assurance for the code being shipped. The natural question is how companies can scale their security processes to keep pace with the velocity of development we see today. Companies often jump onto the DevOps bandwagon assuming that automation is the sole driver of its benefits. These breaches are strong evidence that it takes a blend of automation, cultural change, and the integration of security processes throughout the development lifecycle to achieve effective layered security in such agile environments.
In my view, effective strategies for marrying security and DevOps are not yet being implemented broadly enough. A combination of budget constraints, a lack of awareness of security and governance best practices, and reactive approaches to security are to blame. Technology and business leaders need to carefully assess what changes are necessary to secure their software development lifecycles effectively.
Effective DevSecOps demands that security practices be "shifted left" in the product development lifecycle and integrated into each stage of development, so that security issues are found and fixed earlier and more cheaply than a traditional, reactive approach allows. This proactive testing paradigm engages security at the outset of development, gives developers tools that surface security findings while they are still cheap to remediate, and gates the shared repository so that only commits which have passed those checks are pushed. Passing an automated check is not proof that a commit is secure, but it does stop the known, mechanically detectable classes of defect from entering the codebase at all.
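A concrete form of that last point, as an added example that is not code from the original post: a pre-commit gate that scans only the lines a commit adds and refuses the commit when a rule fires. The rule set, the sample diff and the file names in it are constructed for illustration; the AWS key in the sample is the placeholder value AWS uses in its own documentation, not a real credential.

```python
"""Pre-commit security gate: scan the lines a commit adds for secrets and risky calls.

Added example for this article, not code from the original post. The rules,
the sample diff and the file names are constructed for illustration.
"""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line_no: int   # line number in the new version of the file
    line: str


# Illustrative ruleset; a team extends this as new classes of issue are found.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_secret": re.compile(
        r"(?i)(password|passwd|pwd|secret|token)\s*[:=]\s*['\"][^'\"]{4,}['\"]"),
    "shell_true": re.compile(r"\bshell\s*=\s*True\b"),
}

# Unified-diff hunk header; only the starting line of the new file is needed.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff: str) -> list[Finding]:
    """Walk a unified diff and apply RULES to added lines only.

    Existing lines are not re-flagged, so the gate blocks new issues without
    forcing a developer to clean up unrelated legacy code in the same commit.
    """
    findings: list[Finding] = []
    path = "?"
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff ") or raw.startswith("\\"):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            line = raw[1:]
            # "# nosec" is an explicit, reviewable suppression (same convention as bandit).
            if "# nosec" not in line:
                for name, pattern in RULES.items():
                    if pattern.search(line):
                        findings.append(Finding(name, path, new_line, line.strip()))
            new_line += 1
        elif raw.startswith("-"):
            continue           # removed line: does not exist in the new file
        else:
            new_line += 1      # context line (present when --unified > 0)
    return findings


# Constructed sample of what `git diff --cached --unified=0` might produce.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -10,0 +11,2 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2!"
@@ -40,0 +43 @@
+subprocess.run(cmd, shell=True)  # nosec reviewed: cmd is a constant
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -5,0 +6 @@
+    return compute(x)
"""


def main() -> int:
    """Run as a git pre-commit hook: non-zero exit aborts the commit."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f.path}:{f.line_no}: [{f.rule}] {f.line}", file=sys.stderr)
    if findings:
        print(f"commit blocked: {len(findings)} security finding(s)", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit` (or through a hook manager), the script runs against the staged diff before every commit. Two caveats a practitioner should keep in mind: `git commit --no-verify` skips local hooks, so the same scan must also run in CI where it cannot be bypassed, and regex rules only catch the patterns someone thought to write down, so they complement rather than replace a dedicated secret scanner and a SAST tool.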
Beyond these changes, the most effective DevSecOps organizations capture continuous feedback from production security tools (e.g. IDS/IPS and RASP) to keep the rulesets and policies of their application security testing tools current with the latest threats: a class of attack observed or blocked in production becomes a test case and a scanner rule in the pipeline. Leading organizations also use interactive developer tools that provide tailored, just-in-time training to help developers spot commonly missed issues. Finally, organizations that excel at DevSecOps relate security issues to their business context, which presents security as an enabler rather than an inhibitor of business growth.
Another key aspect of DevSecOps is infrastructure. Legacy, appliance-focused solutions are increasingly being supplanted by software-defined networking, hybrid cloud environments (a mix of on-premises, private cloud, and third-party public cloud services with orchestration across all platforms), and network micro-segmentation (fine-grained security policies assigned to data center applications, down to the workload level). This shift in the prevailing engineering paradigm demands a zero-trust posture: no connection is trusted because of where it originates, inside or outside the perimeter, and every connection attempt is authenticated and authorized before access is granted. Asset discovery, identity and access management, and monitoring of perimeter assets become even more important with these changes.
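The "verify every connection, wherever it comes from" principle in code, as an added example that is not from the original article: a perimeter check and a zero-trust check evaluated side by side against the same connection requests. The workload names, SPIFFE-style identities, policy table and scenarios are constructed; in a real deployment the caller identity comes from a validated mTLS client certificate rather than from a field on a request object.

```python
"""Perimeter trust vs. zero trust for workload-level (micro-segmented) access control.

Added example for this article, not code from the original post. The workload
names, SPIFFE-style identities, policy table and sample requests are constructed
for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# What the legacy perimeter model calls "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ConnRequest:
    src_ip: str
    src_identity: Optional[str]   # identity asserted by the client certificate, if any
    identity_verified: bool       # did the TLS layer validate that certificate against the trusted CA?
    dst_workload: str
    dst_port: int


# Micro-segmentation policy keyed on the destination workload: which verified
# caller identities may reach which ports. Anything not listed is denied.
POLICY: dict[str, dict[str, set[int]]] = {
    "payments-api": {"spiffe://example.org/ns/shop/sa/checkout": {8443}},
    "payments-db": {"spiffe://example.org/ns/shop/sa/payments-api": {5432}},
}


def perimeter_allows(req: ConnRequest) -> bool:
    """Legacy model: trust is a property of network location."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zero_trust_allows(req: ConnRequest) -> tuple[bool, str]:
    """Zero-trust model: verify the caller, then authorize per workload and port.

    The source address never enters the decision, so a foothold on an
    "internal" host buys an attacker nothing without a valid workload identity.
    """
    if not req.identity_verified or not req.src_identity:
        return False, "deny: caller not authenticated"
    permitted_ports = POLICY.get(req.dst_workload, {}).get(req.src_identity)
    if permitted_ports is None:
        return False, f"deny: {req.src_identity} is not authorized for {req.dst_workload}"
    if req.dst_port not in permitted_ports:
        return False, f"deny: port {req.dst_port} not permitted for {req.src_identity}"
    return True, "allow"


# Constructed scenarios.
SCENARIOS = {
    # Compromised host inside the data center, no workload identity at all.
    "lateral_move_from_internal_host": ConnRequest(
        "10.1.2.3", None, False, "payments-db", 5432),
    # Legitimate payments-api instance running in a public cloud (TEST-NET address).
    "payments_api_from_public_cloud": ConnRequest(
        "203.0.113.5", "spiffe://example.org/ns/shop/sa/payments-api", True, "payments-db", 5432),
    # Valid identity, but checkout is not allowed to reach the database directly.
    "checkout_bypassing_api": ConnRequest(
        "10.2.0.9", "spiffe://example.org/ns/shop/sa/checkout", True, "payments-db", 5432),
    # Identity presented, but the certificate did not validate (e.g. self-signed).
    "forged_identity": ConnRequest(
        "10.2.0.9", "spiffe://example.org/ns/shop/sa/payments-api", False, "payments-db", 5432),
}


def decide_all() -> dict[str, tuple[bool, bool]]:
    """Return {scenario: (perimeter_decision, zero_trust_decision)}."""
    return {name: (perimeter_allows(r), zero_trust_allows(r)[0]) for name, r in SCENARIOS.items()}


def _label(ok: bool) -> str:
    return "allow" if ok else "deny"


if __name__ == "__main__":
    for name, (perim, zt) in decide_all().items():
        print(f"{name}: perimeter={_label(perim)} zero_trust={_label(zt)}")
```

The table the block prints shows the two models disagreeing in both directions: the perimeter check lets an unauthenticated host inside 10.0.0.0/8 reach the database, while the zero-trust check admits a properly authenticated payments-api instance even from a public cloud address and still refuses the checkout service's direct database access. In practice the policy is enforced at the workload (a sidecar proxy, host firewall or Kubernetes NetworkPolicy) rather than at one central choke point, which is what makes the segmentation "micro".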