As I discussed in my last piece on the GovDevSecOpsHub, the DevOps approach to software production helps to foster faster creation of applications with a higher degree of availability and reliability. By encouraging collaboration between development and operations teams and making it easier to address requirements earlier in production, DevOps does away with much of the traditionally staged nature of development, not to mention a good deal of frustration that comes with “chucking applications over the wall” between two or more siloed organizations.
This shift from traditional application development to the DevOps approach has had both positive and negative effects on the cybersecurity of applications. The move towards DevOps, the embrace of Agile software development methodologies, and the architectural move towards microservices have all sharply accelerated software and application development. And that matters from a cybersecurity standpoint because software ages like milk rather than wine.
Hackers are constantly prowling, scoping out vulnerabilities in your software and cataloging them for future use. And the longer software has been available, the more of its vulnerabilities have been identified. When applications took six months to a year to patch or update, users could be waiting a long time before a vital security update was available for a vulnerable application.
The acceleration of the software development lifecycle has helped to ensure vulnerable software patches are available sooner. However, speed kills. There are other cybersecurity challenges that can arise when application development is moving quickly. The single largest is human error. As people work and move quickly, they make mistakes and develop applications with vulnerabilities.
And this is a problem because a vulnerability in one part of an application can give malicious actors the opportunity to move laterally across a network. Therefore, cybersecurity vulnerabilities in anything, even the firmware of IoT-connected thermostats, are an open door to everything from the theft of sensitive information to DDoS attacks and ransomware. That’s why it’s essential that cybersecurity professionals get involved — and that’s exactly what the DevSecOps approach to application development looks to accomplish.
Moving security to the left
When I worked with a very large and well-known wireless carrier, we were moving quickly to develop and deploy some exciting new applications. We were following the best practices that are laid out in a DevOps approach, embracing Agile software development and microservices to help us move and develop quickly. We would get something finished and be incredibly excited to deploy it, and then have it stopped dead in its tracks right before release because the organization’s cybersecurity officers—who were not brought in until near the end of the production cycle—had found vulnerabilities.
Our teams were frustrated. Not at the security professionals, who were just doing their job and protecting our customers — but at the process, which had us get all the way through application development before any security testing was completed.
The DevSecOps model is an answer to this problem. Just as the DevOps movement brought the operations team’s requirements further to the left, baking them in from the earliest stages of development, security also needs to be involved at every step in the process. This is the best way to ensure that applications are developed with a high degree of reliability and availability as well as a high degree of security. It also ensures that they’re developed and deployed more quickly.
This need for robust security is only going to grow as threats continue to evolve, and the pace at which security updates are released is only going to accelerate. So early, rapid, continuous—even automated—testing in the process is going to become more important, both to ensure that cybersecurity vulnerabilities are fixed and that such a rapid turnaround of software doesn’t create new ones.
Embracing a DevSecOps culture in software development is a foundational way to address these concerns—both for today and for tomorrow.