Data breaches occur so frequently that it wouldn’t be surprising if the average American has become desensitized to them. It would be even less surprising if they have failed to notice that breaches are happening more often as cyberattacks grow in number and ferocity during the ongoing COVID-19 pandemic, a period that security firms have linked to sharp upswings in ransomware, DDoS, and other malicious activity.
But organizations simply can’t afford to take these threats lightly. For example, just last week, home improvement juggernaut Home Depot found itself on the wrong side of a $17.5 million settlement resulting from a multi-state investigation of its 2014 data breach. And that pales in comparison to the settlement of at least $575 million that credit reporting agency Equifax agreed to as a result of its 2017 data breach.
It’s clear that – with the cost of a breach so high – organizations need to get serious about security. And that means getting serious about securing one of their largest sources of risk: their applications and software.
According to Matthew Chiodi of Palo Alto, “…over the past five years, out of all published vulnerabilities, 76% were from applications.” If more than three-quarters of vulnerabilities are from software and applications, application security needs to be among the top priorities across every organization, enterprise, and government agency.
Unfortunately, security and application development teams have never really worked hand-in-hand. In fact, it’s a relationship that – according to a new eBook from CloudBees – has traditionally been a bit contentious:
…security and compliance remain critical to businesses’ survival. Yet, enterprise security teams – with their more conservative approach to risk mitigation – are still perceived by DevOps teams as the “release prevention department.” Meanwhile, security teams view DevOps’ increased release velocity as a threat to governance, security and regulatory controls.
Ultimately, security teams are concerned that the rapid development and accelerated release schedules that development teams are embracing in today’s world of microservices and agile development are coming at the cost of security. And the application development teams view the security teams as a giant hurdle or bottleneck, coming in at the last minute to throw a wrench in their deployments.
To overcome this, organizations are looking not just to shift security to the left, but to bake security processes and technology into the core automation and DevOps practices they employ across the entire software delivery lifecycle. This complete DevSecOps approach enables organizations to discover more issues prior to release, detect and prevent drift, and respond cleanly to post-release issues.
What the CloudBees eBook ultimately finds is that – when done right – DevOps delivers nine key application security benefits to the organization. Here are the first four from the eBook:
Secure from the Start
Security must be integrated from the early stages of DevOps processes, and not remain a separate activity at the very end of the software delivery pipeline. It becomes a quality requirement similar to other tests run as part of the software delivery process. Just as continuous integration enables “shifting everywhere” by accelerating testing and feedback loops to discover bugs earlier in the process, DevOps processes “shift security everywhere” by incorporating automated security and compliance testing, while also enforcing the use of approved components.
As more and more tests and processes are automated, there is less risk of introducing security flaws due to human error. Tests become efficient and can cover more ground, and processes are more consistent and predictable. So, if something does break or an insecure component sneaks into the pipeline, it’s easier to pinpoint and fix the root cause of the problem and ensure compromised code never makes it into production.
In using tools that are shared across the different functions – and managing their usage with a single, secure pipeline orchestration platform that spans development, QA, and operations – organizations gain visibility and control over the entire systems development life cycle. The automated pipeline becomes a closed-loop process for testing, reporting, instantly mitigating, and resolving security concerns.
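One concrete form of “enforcing the use of approved components” is a gate stage that checks the dependency manifest against an allowlist and fails the build before the artifact is promoted, reporting exactly which entry tripped it so the root cause is pinpointed rather than hunted for. The following is an added example written for this page, not code from the CloudBees eBook or from any pipeline product: the allowlist, the manifest and its two planted problems are constructed, and the exact-pin requirement, the name normalization and the exit-status convention are assumptions about how such a gate would be wired into a stage.

```python
"""Approved-component gate for a delivery pipeline.

Runs as a stage before an artifact is promoted: every dependency in the
manifest must be an exact pin of a component/version on the allowlist,
otherwise the stage fails and reports exactly which entries tripped it.
"""
import re
import sys
from dataclasses import dataclass

# Constructed allowlist (component -> approved versions). In practice this
# would be generated from the artifact repository or SCA tool; it is
# embedded here so the example runs offline.
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "urllib3": {"2.2.2"},
    "pyyaml": {"6.0.1"},
    "cryptography": {"42.0.8", "43.0.0"},
}

# Constructed manifest in requirements.txt pin format, with two planted
# problems: an unapproved urllib3 version and a component not on the list.
SAMPLE_MANIFEST = """\
# runtime dependencies
requests==2.31.0
urllib3==1.26.5
pyyaml==6.0.1
cryptography==42.0.8
left-pad==1.0.0
"""

# Exact pin only: name==version, optionally followed by an environment marker.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)")


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    reason: str


def normalize(name: str) -> str:
    """PEP 503 style name normalization so Requests, requests and
    REQUESTS all compare against the same allowlist entry."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_manifest(text: str, approved: dict) -> list:
    """Return a Finding for every manifest line that is not an exact pin
    of an approved component version. Comments and blank lines are skipped."""
    allow = {normalize(k): set(v) for k, v in approved.items()}
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            # Ranges (>=, ~=) or bare names let a later build resolve a
            # different artifact, so they cannot be verified and are blocked.
            findings.append(Finding(line, "", "not an exact pin (==)"))
            continue
        name, version = normalize(m.group(1)), m.group(2)
        allowed = allow.get(name)
        if allowed is None:
            findings.append(Finding(name, version, "component not on approved list"))
        elif version not in allowed:
            findings.append(Finding(name, version,
                                    f"version not approved (allowed: {sorted(allowed)})"))
    return findings


def gate(text: str, approved: dict) -> int:
    """Pipeline-stage entry point: prints one line per finding and returns
    the process exit status (0 = promote, 1 = block)."""
    findings = check_manifest(text, approved)
    for f in findings:
        pin = f"{f.component}=={f.version}" if f.version else f.component
        print(f"BLOCK {pin}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE_MANIFEST, APPROVED))
```

Because the check is a plain function with a pass/fail exit status, the same code can run at every stage (pre-merge on the pull request, at build, and again at deploy against the manifest actually baked into the artifact), which is what “shift security everywhere” looks like in practice; the findings list is the record that tells the team which component to fix rather than which build to bisect.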
Improve Communications and Eliminate Blame
By integrating security tools and tests as part of the pipeline used by Dev and Ops to deploy updates, information security (InfoSec) becomes a key component of the delivery pipeline and an enabler of the entire process. With everyone on the same page and using the same pipeline, Security, Development, and Operations teams share a common language and have a common understanding of the situation. In turn, post-incident finger-pointing is replaced with incremental fixes to the application code and the pipeline that address concerns as they arise.
Fix Things Quickly
Unfortunately, the occasional security breach or vulnerability will happen, requiring quick action to resolve the issue. Mean Time to Detect and Mean Time to Repair are two key metrics for measuring resilience, and closing the lag between detection and remediation is vital. Tracking the state and location of all components, applications, environments, and pipeline stages greatly simplifies and accelerates reporting and correction. Having the ability to switch off the affected feature instantly, without a rollback, buys even more time to develop and release a proper fix.
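The ability to turn a vulnerability off without a rollback is usually implemented as a runtime kill switch: a feature flag the request handler consults on every call, so on-call can cut exposure by changing configuration rather than redeploying an older build. The following is an added example, not code from the eBook or from any flag product; the flag document, the protected feature and the handler are constructed, and the fail-closed default for flags that are not listed is a design choice assumed here.

```python
"""Runtime kill switch: cut exposure of a vulnerable feature immediately,
leaving the deployed release in place while a real fix is developed."""
import json
import time

# Constructed flag document, as a config service or config-as-code push
# would deliver it. Every switchable feature is listed explicitly.
FLAG_DOC = json.dumps({
    "feature.export_report": True,
    "feature.bulk_upload": True,
})


class FlagStore:
    """In-memory stand-in for a feature-flag service. Besides holding the
    flags it records who flipped what, when and why, which is the raw
    material for the detect-to-remediate timeline (MTTD / MTTR)."""

    def __init__(self, flags):
        self._flags = dict(flags)
        self.audit = []

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))

    def enabled(self, name):
        # Fail closed: a feature with no flag entry is treated as disabled,
        # so a missing or truncated config cannot silently re-expose it.
        return bool(self._flags.get(name, False))

    def set_flag(self, name, value, actor, reason):
        self._flags[name] = value
        self.audit.append({"flag": name, "value": value, "actor": actor,
                           "reason": reason, "at": time.time()})


def export_report(params):
    # The feature behind the switch. Assume a vulnerability has just been
    # reported in it; the code is left untouched because the goal here is
    # to stop exposure now, not to ship the fix.
    return {"status": 200, "body": f"report for account {params['account']}"}


def handle_request(path, params, flags):
    # The flag is read on every request, so a flip takes effect on the next
    # call without redeploying or rolling back the release.
    if path == "/export":
        if not flags.enabled("feature.export_report"):
            return {"status": 503, "body": "export temporarily disabled"}
        return export_report(params)
    return {"status": 404, "body": "not found"}


def kill_switch_demo():
    """Status codes seen by a client before and after on-call flips the flag."""
    flags = FlagStore.from_json(FLAG_DOC)
    before = handle_request("/export", {"account": "acme"}, flags)["status"]
    flags.set_flag("feature.export_report", False, actor="oncall",
                   reason="disable pending fix for reported vulnerability")
    after = handle_request("/export", {"account": "acme"}, flags)["status"]
    return before, after


if __name__ == "__main__":
    print(kill_switch_demo())
```

The switch only works if every risky code path is behind a flag before the incident, which is why flagging new features is a pipeline-time decision rather than an incident-time one; the audit entry written on each flip is what lets the post-incident review reconstruct when detection ended and mitigation began.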
To see the rest of the nine security benefits that DevSecOps can deliver to organizations, click HERE to download a complimentary copy of the eBook, “9 Ways DevOps and Automation Bolster Security and Compliance.”