Traditional product security tools and practices can’t keep up with today's standards of continuous delivery and release velocity in cloud native environments. Shift-left tools are needed, but on their own they aren't enough to allow agile security without compromising on velocity. This article looks at how the modern DevOps function can mitigate these challenges by embracing an agile-security approach.
To better understand the role of DevOps in the modern organization today, with regard to running agile security, we must first look at two significant trends:
The first relates to what we call Cloud Transformation and its role in bridging the gap between agile in theory and in practice; the second relates to continuous delivery practices that are now gaining traction, especially in modern software-based organizations such as startups, which are driving the demand for “shift-left” solutions.
How are these trends related? In short, traditional product security tools and practices can’t keep up with today's standards of continuous delivery and release velocity in cloud native environments. Shift-left tools are needed, but on their own they aren't enough to allow agile security without compromising on velocity. The modern DevOps function will need to mitigate these challenges by embracing an agile-security approach.
This course of action will support the development and deployment velocity of products that are more secure and are less exposed to cyber threats.
Let's take a step back for a moment. DevOps was originally created as the combination of cultural philosophies, practices, and tools that increase an organization’s ability to deliver applications and services at high velocity.
But the dominance of DevOps and infrastructure-as-code has also created new challenges. Integrating security into the DevOps pipeline is one of them.
With time, it became clear that as DevOps focused on velocity, deployment and its other tenets, security often became an afterthought and was commonly neglected. Moreover, traditional security practices and tools didn’t keep up with the pace; they simply don’t fit well into an agile development process.
The result is that, today, the upside of continuous delivery is also a downside: changes reach production faster than traditional security review can examine them, so vulnerabilities ship faster too.
Will Kapcio, a solutions engineer for HackerOne, said at a recent conference: “83% of chief information security officers (CISOs) see software vulnerabilities as a threat to their organizations, nearly two-thirds of security teams are playing catch-up with the modern software development life cycle (SDLC) and falling behind.”
Houston, we have a problem…
I use the term ‘startup’ because in our organization we have an ‘innovation hubs’ attitude: some of our new projects are launched in, and behave just like, a start-up environment.
In order to maintain agility without compromising on security, DevOps (or DevSecOps) teams must develop an agile product-security culture in the organization. There’s no other option.
Think of agile DevOps security as the evolution of product security in the startup era: its goal is to sustain high-velocity software development while reducing costs at the same time, by guaranteeing a minimal security baseline at every stage. Security needs to be an integral part of all SDLC phases, from design and architecture, development and testing, to release, deployment, maintenance and beyond.
The main challenges that this function will need to tackle are:
“Security isn’t about reducing risk to zero. It’s about continuously rebalancing risk as context shifts” - source
As we continue to embrace agile development and shift-left tools, it will be crucial for developers to interact with product and cloud security in a seamless and smooth manner. Infrastructure-as-code and security-as-code give developers and operations teams the ability to express security requirements as versioned, testable artifacts and to enforce them continuously on every change.
When security ‘shifts left’ within the product lifecycle and in cloud environments, teams can profoundly impact the security level of the products with much less business friction.
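What “security-as-code” looks like in practice is a policy check that runs in the CI pipeline against the infrastructure-as-code a developer just committed, failing the build on a weak setting before it reaches production. The following is an added example, not code from the original article or from any tool it mentions. It assumes the manifests have already been parsed into Python dicts (a Kubernetes Pod spec and a Terraform-style `aws_s3_bucket` block; the attribute names are assumptions for illustration), and the weak and hardened sample inputs are constructed here so the check runs offline.

```python
"""Security-as-code gate: least-privilege policy checks run in CI against IaC.

Added example, not from the original article. Input manifests are assumed to be
already parsed into dicts; sample manifests below are constructed, and the
Terraform-style attribute names are assumptions used for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


@dataclass(frozen=True)
class Finding:
    rule: str       # stable rule identifier, e.g. for suppressions and dashboards
    resource: str   # which resource (and container) the rule fired on
    detail: str     # human-readable explanation for the developer fixing it


def check_pod(pod: dict) -> list[Finding]:
    """Apply least-privilege rules to a Kubernetes Pod manifest."""
    findings: list[Finding] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append(Finding("pod-host-network", name,
                                "hostNetwork: true shares the node's network namespace"))
    for c in spec.get("containers", []):
        cname = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(Finding("container-privileged", cname,
                                    "privileged: true disables container isolation"))
        if not sc.get("runAsNonRoot"):
            findings.append(Finding("container-run-as-root", cname,
                                    "runAsNonRoot is unset or false"))
        # Kubernetes defaults allowPrivilegeEscalation to true unless set to false.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(Finding("container-privilege-escalation", cname,
                                    "allowPrivilegeEscalation is not false"))
        # Tags are mutable; only a digest pins the exact image that was reviewed.
        if "@sha256:" not in image:
            findings.append(Finding("container-unpinned-image", cname,
                                    f"image {image!r} is not pinned by digest"))
    return findings


def check_bucket(bucket: dict) -> list[Finding]:
    """Apply storage rules to a Terraform-style aws_s3_bucket block (attribute names assumed)."""
    findings: list[Finding] = []
    name = bucket.get("name", "<unnamed>")
    if bucket.get("acl") in PUBLIC_ACLS:
        findings.append(Finding("bucket-public-acl", name,
                                f"acl {bucket['acl']!r} exposes objects to anonymous or any AWS principal"))
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append(Finding("bucket-no-versioning", name,
                                "versioning disabled; deleted or overwritten objects cannot be recovered"))
    if "server_side_encryption_configuration" not in bucket:
        findings.append(Finding("bucket-unencrypted", name,
                                "no server-side encryption configured"))
    return findings


def gate(resources: list[dict]) -> tuple[bool, list[Finding]]:
    """Evaluate every resource; the pipeline fails the build when the first value is False."""
    findings: list[Finding] = []
    for r in resources:
        if r.get("kind") == "Pod":
            findings.extend(check_pod(r))
        elif r.get("type") == "aws_s3_bucket":
            findings.extend(check_bucket(r))
    return (not findings, findings)


# --- constructed sample inputs: the weak manifest beside its hardened form ---
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "app", "image": "example/app:latest",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostNetwork": False,
             "containers": [{"name": "app",
                             "image": "example/app@sha256:" + "0" * 64,  # constructed digest
                             "securityContext": {"privileged": False, "runAsNonRoot": True,
                                                 "allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True}}]},
}
WEAK_BUCKET = {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read",
               "versioning": {"enabled": False}}
HARDENED_BUCKET = {"type": "aws_s3_bucket", "name": "logs", "acl": "private",
                   "versioning": {"enabled": True},
                   "server_side_encryption_configuration": {"sse_algorithm": "aws:kms"}}

if __name__ == "__main__":
    for label, resources in (("weak", [WEAK_POD, WEAK_BUCKET]),
                             ("hardened", [HARDENED_POD, HARDENED_BUCKET])):
        passed, findings = gate(resources)
        print(f"{label}: {'PASS' if passed else 'FAIL'} ({len(findings)} findings)")
        for f in findings:
            print(f"  [{f.rule}] {f.resource}: {f.detail}")
```

The point of the structure is that each rule has a stable identifier and a developer-facing explanation, so the check can fail fast in CI with a message the committer can act on without a security-team round trip, and the same rules can be run locally before a push. A real deployment would load the manifests from the repository and keep the rules in version control alongside the code they govern, which is what makes them reviewable and auditable like any other change.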
“I strongly believe security must be at the service of the business. When the business screams for modernization, as it does with DevOps, security must follow and support the transformation, not hold it back.” - Julien Vehent, in his book ‘Securing DevOps: Security in the Cloud’ (highly recommended!)