Security teams love to blame DevOps for security problems. Often-cited research that comes immediately to mind includes 40,000 cloud container systems, such as Kubernetes and Docker, with default configurations.
However, containers are just one emerging area. Other common targets of finger-pointing include using components with known vulnerabilities, sensitive data exposure, cross-site scripting (XSS) — and the list goes on and on. But what if I told you that the issue does not have to do with DevOps, but rather with a lack of engagement on the part of the security team?
The truth is that despite many security teams having more than 99 security tools at their disposal, they simply fail to engage — while DevOps teams bear the brunt of the blame.
However, there is a solution. Using the following questions, DevOps teams can help guide their security colleagues to a path of enlightened understanding by helping them to gain risk clarity around the continuous integration / continuous deployment (CI/CD) pipeline.
What investments have we made to automate security in our CI/CD pipeline?
Depending upon how learned your security teams are, they might not deeply understand what you mean by CI/CD. Realize from the outset that many security practitioners do not have a software development background. This question is critical because it will allow you to spend time whiteboarding what your pipeline and processes look like. There are many positive outcomes that will surface from these sessions starting with security having a deeper understanding of how software flows in your organization.
Perhaps most important is getting security to own automating security in the pipeline. Although we love to repeat the mantra: “Security is everybody’s job,” the truth is, it ain’t. This doesn’t mean that you shouldn’t try to write secure code, but it does mean it will never be your primary focus.
How are we consistently tracking compliance across multiple cloud accounts and providers?
Want to see the security team snap to attention in your next meeting? Ask the question above. Security will be thinking, “Why would DevOps care about compliance?” The reality is that while security and compliance are not your primary job, knowing how compliance is being tracked (as well as which standards your organization is mapping to) can greatly reduce the burden on your team.
This is because, in order to build compliant cloud native applications, you need to make intentional design choices and follow formal processes for putting them into practice. Without a way to consistently track compliance across your many cloud accounts and providers, it’s very difficult to know which design decisions you need to make. Having worked with hundreds of security teams, one thing is very clear: most do not have a way to track this. Worse yet, those who have not yet reached cloud scale often try to do it with spreadsheets. Take the lead, and by doing so you’ll make things clearer not only for your team but also for security and compliance.
Efficiency is doing things right; effectiveness is doing the right things.
Peter Drucker, management thought leader.
What metrics can we develop together to better track our cloud security posture?
Historically, as developers, we only cared about the application. With the cloud, however, we typically own the entire stack thanks to Infrastructure as Code (IaC). Given this expanded ownership, it’s important to have specific metrics that you track together with security. Focus on metrics that distinguish effectiveness from efficiency. As Peter Drucker said, “Efficiency is doing things right; effectiveness is doing the right things.” Many organizations struggle with security metrics. It is best to start with just a handful and then expand and refine them over time. The metrics in figure 3 make it very clear how well DevOps and security are working together — or not. Note that the discovery metrics assume you have taken time with security to map out your pipeline. If you’ve done this, then you know where you should be automating security scanning in your pipeline (see the first question above). As with any metric, there must be a target to aim for. In the case of this organization, there is a lot of work to do, specifically around how inefficient they are at discovering vulnerabilities pre-production vs. post-production. This organization was likely one of the 43% with insecure CloudFormation templates recently discovered by Unit 42 in their Spring 2020 Cloud Threat Report.
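As an added illustration of the first and third questions together (automated scanning in the pipeline, and a discovery metric built on it), the following Python script is example code written for this article, not tooling from the author, Prisma, Palo Alto Networks or Unit 42. It assumes a CloudFormation template supplied in JSON form, two illustrative checks (an ingress rule that opens SSH/RDP to the world, and an S3 bucket without default encryption) chosen as examples rather than a complete rule set, and a hypothetical record format in which each vulnerability carries the stage at which it was found. The template and the discovery records are constructed samples embedded inline so the script runs offline.

```python
import json

# Constructed sample CloudFormation template (JSON form); not from the article.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                }
            },
        },
    }
})

ADMIN_PORTS = {22, 3389}            # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}       # "anywhere" CIDRs


def _rule_exposes_admin_port(rule):
    """True if an ingress rule lets the whole internet reach an admin port."""
    if (rule.get("CidrIp") or rule.get("CidrIpv6")) not in WORLD:
        return False
    if rule.get("IpProtocol") == "-1":   # all protocols / all ports
        return True
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", 65535))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def check_template(template_text):
    """Return a list of findings for one CloudFormation template given as JSON text."""
    template = json.loads(template_text)
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {}) or {}
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if _rule_exposes_admin_port(rule):
                    findings.append({"resource": name, "check": "admin-port-open-to-world",
                                     "severity": "high"})
        elif rtype == "AWS::S3::Bucket":
            if "BucketEncryption" not in props:
                findings.append({"resource": name, "check": "s3-no-default-encryption",
                                 "severity": "medium"})
    return findings


def gate(findings, fail_on=("high",)):
    """Pipeline gate: True (deploy may proceed) if no finding has a severity in fail_on."""
    return not any(f["severity"] in fail_on for f in findings)


def preprod_discovery_rate(records):
    """Share of vulnerability records (hypothetical {"stage": ...} dicts) found before
    production. Returns None when there is nothing to measure."""
    records = list(records)
    if not records:
        return None
    pre = sum(1 for r in records if r["stage"] == "pre-production")
    return pre / len(records)


if __name__ == "__main__":
    found = check_template(SAMPLE_TEMPLATE)
    for f in found:
        print(f"{f['severity']:6} {f['resource']}: {f['check']}")
    print("deploy allowed:", gate(found))
    # Constructed discovery records: what the gate caught, plus one found in production.
    records = [{"stage": "pre-production"} for _ in found] + [{"stage": "production"}]
    print("pre-production discovery rate:", preprod_discovery_rate(records))
```

Run as a pipeline step, a non-zero exit on `gate(...) == False` is what turns the whiteboarded "where should scanning happen" into an enforced control; the discovery-rate figure is the kind of effectiveness metric the paragraph above asks for, and its target is the number you and security agree on together.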
What is the best way to evolve from DevOps to DevSecOps?
DevOps teams that are strategic about engaging security give themselves and their organizations a competitive advantage. DevOps teams that want to be absolved from future finger-pointing must challenge security teams to think long term. This question gets to the heart of it: how do we evolve from DevOps to DevSecOps? The point of all these questions is not only to make your DevOps processes more secure, but to increase collaboration with security while at the same time compounding business agility. The more frequent the engagement and collaboration, the clearer it will become to both teams that the two could become one — someday, that is.
When it comes to the cloud, you as the DevOps team have the control. There is, however, a corollary best known as the Peter Parker principle, in reference to the iconic fictional character whose alter ego is Spider-Man: “With great power comes great responsibility.” The question for DevOps, then, is what will you do with it?
For more insight from security thought leaders, Cloud Native Security Live, 2020 Virtual Summit is your opportunity to learn from the experience and expertise of developers, DevOps pros and IT leaders who all have so much at stake in container technologies and DevSecOps. Hosted by Prisma, from Palo Alto Networks, in partnership with The New Stack, you can still virtually attend this event held Feb. 11, 2020, for a full day of discussions about cloud native security — brought to you online wherever you may be.
Image from Pixabay.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Unit, Docker.