5 Security Principles to Guide Your DevSecOps Journey
Proper security — even full-blown DevSecOps — is no longer seen as a cost center by organizations. Increasingly, it’s necessary for their survival, especially as organizations progressively become distributed across multiple clouds and deployment environments.
Consider what’s at stake without proper security in place: a proliferation of ransomware attacks, rampant vulnerabilities in code that multiply exponentially as organizations scale and more. And yet, we are entering an era of belt-tightening — a time of rampant inflation, layoffs and customers seeking more value for less spending.
A DevSecOps initiative, of course, requires a consequential allocation of budget and human resources, and often years of hands-on experience. It will remain an industry-wide work in progress as new technologies emerge to help us get there.
But building such an initiative, no matter your budget, deployment environments, or organization size, should be guided by a handful of principles — precisely, five of them. Here’s what you need to know.
1. Put Prevention First.
One way to think of security is that the process begins from the very outset of an organization’s digital journey. This applies whether you’re heading a startup that is still piecing together the infrastructure to begin operations and has yet to see its first $1 million in revenue, or a more established organization that wants to improve its security practices.
In the worst case, an attack, such as one involving ransomware, can shut down the organization as DevOps teams realize that it is too late to do anything about it. In other words, security should begin as soon as operations begin.
Think of it like the preventative measures you take to keep your body healthy. If you don’t eat properly or get enough sleep, your health risks accumulate over time.
If proper security is not implemented from the very outset of an organization’s IT infrastructure — and shortcuts are taken once vulnerabilities are discovered — it’s hard to ensure safety. The pathogens are already on the loose.
“When you go to the doctor after you’ve been diagnosed with diabetes or another preventable disease … you can realize that it is often too late to remove the main cause,” Ankur Shah, senior vice president, general manager, for Prisma Cloud by Palo Alto Networks, told The New Stack.
“Security is ongoing: Make sure you have your proteins and vitamins in the way of security tools to continue the hygiene across your digital journey, regardless of the size of your organization.”
When proactive security processes iteratively improve prevention capabilities, the impact of a cyberattack is reduced, according to Davis McCarthy, principal security researcher at Valtix, a provider of cloud native network security services.
This can be done in part, he told The New Stack, by building robust cloud network security policies for ingress, east-west and egress traffic to reduce “adversary capability and overall attack surface.”
“Where many organizations lack visibility into security events, prevention decreases the risks of those blind spots,” McCarthy said.
2. Implement Comprehensive Security, from Code to Cloud.
No developer wants to release code that opens doors for attackers — but their job is to release code as fast as they reasonably can. The security team’s mandate is to stop any and all vulnerabilities in code or applications that do not adhere to policy from ever entering the CI/CD pipeline.
However, the seemingly competing agendas quickly dissolve when automated tools and best practices are properly implemented. Code is vetted, scanned and checked continuously at the very beginning of the production process.
In no way should security checks slow down the delivery of software created to improve the customer experience. The earlier an issue is discovered in the development process, the easier it is to fix.
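The gate that keeps policy-violating findings out of the pipeline is usually a small script that reads the scanner's report and fails the build. The example below is added here and is not code from the article or from any vendor quoted in it; it assumes a scanner that emits a JSON list of findings with `id`, `severity` and `file` fields (the report and the risk-acceptance list are constructed for illustration). It fails closed on severities it does not recognise and lets accepted risks expire, so an exception granted once cannot quietly become permanent.

```python
"""
Added example: a pre-merge policy gate over scanner output.

Assumed input format (not from the article): a JSON array of findings,
each with "id", "severity" and "file". Sample data below is constructed.
"""
import json
import sys
from datetime import date

# Severity ordering used by the policy (assumed; adapt to your scanner).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Policy: block the merge when any finding at or above this level remains.
BLOCK_AT = "high"

# Accepted risks (constructed): finding id -> ISO expiry date. Once the
# acceptance expires the finding blocks again, so exceptions stay reviewed.
ACCEPTED = {"EX-003": "2099-01-01"}

# Constructed scanner report standing in for real tool output.
SAMPLE_REPORT = json.dumps([
    {"id": "EX-001", "severity": "critical", "file": "app/auth.py"},
    {"id": "EX-002", "severity": "low", "file": "app/util.py"},
    {"id": "EX-003", "severity": "high", "file": "infra/main.tf"},
])


def rank(severity):
    """Map a severity label to a number; unknown labels rank above critical (fail closed)."""
    return SEVERITY_RANK.get(str(severity).lower(), max(SEVERITY_RANK.values()) + 1)


def is_accepted(finding, today):
    """True when the finding has an unexpired risk acceptance."""
    expiry = ACCEPTED.get(finding["id"])
    return expiry is not None and date.fromisoformat(expiry) >= today


def evaluate_findings(findings, threshold=BLOCK_AT, today=None):
    """Partition findings into blocking and accepted; 'today' is an ISO date string."""
    today = date.fromisoformat(today) if today else date.today()
    over = [f for f in findings if rank(f["severity"]) >= rank(threshold)]
    blocking = sorted(f["id"] for f in over if not is_accepted(f, today))
    accepted = sorted(f["id"] for f in over if is_accepted(f, today))
    return {"allowed": not blocking, "blocking": blocking, "accepted": accepted}


def evaluate(report_json, threshold=BLOCK_AT, today=None):
    """Parse a JSON report and evaluate it against the policy."""
    return evaluate_findings(json.loads(report_json), threshold, today)


if __name__ == "__main__":
    # Exit non-zero so the CI job fails and the change cannot merge.
    result = evaluate(SAMPLE_REPORT)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["allowed"] else 1)
```

Run it as a CI step after the scanner; a non-zero exit is what actually enforces the policy. The decision logic is kept in plain functions so the threshold and acceptance rules can be unit-tested separately from the scanner integration.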
“Developers in general, when they’ve learned how to code, have not necessarily been taught how to code securely,” said Bob West, chief security officer, Prisma Cloud for Palo Alto Networks. “And on top of that, their general mission is to get product out quickly.
“In manufacturing when a car rolls off the assembly line, you don’t say ‘let’s add quality now,’ right? — it’s a function of the manufacturing process,” West told The New Stack. “And if you don’t have the right level of quality, if the defects are severe enough, you have recalls.
“But the big cost is damage to brand and reputation — with security breaches as analogous to recalls where they’re expensive when they happen, in addition to damage to brand and reputation.”
A mature cloud security program includes everything from architecting layers of defense, to testing those defenses, to following secure coding practices, to asset management, McCarthy said. “Easily repeatable security processes have actionable outcomes that mitigate most threats,” he said.
Automation also plays a key role in comprehensive security. “When you scale and you’re not doing things consistently, then things fall apart. So, if you have predictable models, you have a consistent approach with automation,” West said.
“To move things into the cloud through automation, for example, you’re going to have a much better quality product on the front end.”
And there’s another benefit to automation, he added. Because the security industry is always short of qualified job candidates, “you need fewer people to manage the technology infrastructure and development process, which extends to security best practices, of course.”
3. Provide Real-Time Visibility.
Anything less than real-time security is not viable. Major vulnerability alerts, and especially, breaches must reach the security team and/or must be remedied in real time. Automation plays a key role here as well.
“A security solution cannot just detect a problem 24 hours later,” Shah said. “It’s analogous to continuously monitoring your house so that when an intruder tries to enter, you need to know at once. You also want to know that your house’s windows and doors are open in real time.
“Both your house and code are dynamic — windows and doors can open all the time and attackers can enter, just as vulnerabilities and attacks can emerge during CI/CD or when apps are in production.”
Understanding what is happening within your cloud environment in real time is “without a doubt” the most important cloud security capability that organizations can implement, said Claude Mandy, chief evangelist for data security at Symmetry Systems, a provider of hybrid-cloud data security solutions.
The most common root cause for cloud security failures is lack of visibility in real time, Mandy said. This is not due to a lack of trying, but can be attributed to the complexity and scale of the cloud and how data is secured within it.
“The complexity of millions of data objects across thousands of data stores, multiplied by a seemingly infinite combination of roles, permissions for thousands of user and machine identities is a daunting challenge,” Mandy said. “This is the problem that data security-posture management tools are finally trying to solve, but this visibility won’t reduce risk without further investment in preventative controls.”
Indeed, some organizations can now provide access to their remote users, but they’ve also lost visibility into the distributed data and connections, Pravin Kothari, executive vice president of SASE products at Lookout, a security service edge provider, said.
“This is why it’s critical that IT and security teams have real-time visibility into the users’ behavior, the endpoints they use and the apps and data they’re accessing,” Kothari said. “While the cloud can be secure, it has also sped up the number of activities that your users perform, which means user error has become a huge problem.”
4. Prioritize the Ability to Scale at Will.
Your organization might have adopted what appears to be the perfect fit of security tools and platforms. But they are not worth much if they are unable to scale to the degree at which your DevOps operations grow.
“As more and more stuff goes to the cloud, security must keep up with it,” Shah said. “If not, it can crumble.”
While monitoring more than 9 billion cloud workloads, Prisma Cloud can continue to scale continuously as the number of workloads it handles grows, Shah said: “Doing real time at scale, that’s the name of the game.”
Some security vendors might say they only support a limited number of data or cloud instances, he said. “But we don’t get to ask our customers questions about the size of their future workloads, since they are like, ‘I don’t know what my cloud footprint is going to be a year from now,’” Shah said.
“Sometimes the industry doesn’t get this right, among those vendors who are always trying to sell the next big security feature or shiny toy, but which crumbles when there are a billion assets to monitor.”
5. Maintain Your Freedom of Choice.
Eliminating or replacing your favorite security or DevOps tool or environment in order to remain compatible with a comprehensive security platform is no choice any organization should ever have to make.
The security platform of your choice should be able to accommodate any and all environments you may have in use, covering the gamut of cloud providers and on-premises environments and DevOps and security tools.
“Your security choice should not matter if you have Alibaba, Google, AWS or another cloud environment. That should never be an issue,” Shah said. “Security vendors don’t get to pick the winners here.”