Keeping up with the Hare: Establishing a DevSec Culture
Speed is the primary goal of modern application developers. However, with speed comes complexity. Organizations have no choice but to tackle security challenges. In fact, the time difference today between when code is written and when it runs is shortening. Nearly 60% of companies report deploying multiple times a day, once a day or once every few days. Furthermore, the scope of the threat landscape is accelerating as cloud adoption accelerates, making security a challenge for DevSec.
Organizations are now faced with how to effectively integrate security. This is where you need security at the speed of development.
How to Move Faster: Security, Automation and Optimization
Application developers move fast and may make mistakes, but those can be resolved within the next release cycle. Security teams don’t have the same luxury. They’re faced with the pressure to always be right while also not hindering developers.
This means that organizations must figure out how to work with developers and the DevOps automation culture to still deliver secure, continuous-release cycles — and quickly. With security automation, everywhere is key. Automation is critical.
With developers releasing updates so quickly, they are also distributing risks immediately, which means security must be plugged into development toolchains that automatically enable posture checks and protections without slowing things down. This is the only way to ensure rapid remediation and reduce risks.
Take steps to remove friction. In addition, remediation steps must be automated whether to fix issues or streamline security processes. Enable developers to do their jobs securely without adding work. Consider providing tools to automate tasks, such as generating permissions for serverless functions.
It’s important to note that even with enhanced automation, security analysts must continue to stay diligent. A study of 1,027 US and UK IT and IT security practitioners conducted by the Ponemon Institute reveals that “74% of respondents say automation is not capable of performing certain tasks that the IT security staff can do and 54% of respondents say automation will never replace human intuition and hands-on experience.”
Automation should be seen as an evolution that will allow security teams to focus on more strategic projects. A recent post on Dark Reading shared five tips for you to hone your skills to stay well ahead of the automation curve and evolve your role.
Building on DevSecOps
In order to optimize modern application security, DevSecOps best practices and team dynamics need to evolve with automation.
Nigel Kersten, Puppet’s field chief technology officer, stressed the importance of deploying automation at scale in DevSecOps practices. “There are a few common errors we see that enterprises are facing, the biggest one is trying to implement DevSecOps without scaled automation that is well understood and trusted by all the relevant stakeholders.” Kersten continued, “Without that, organizations will end up with the same manual processes and the same conflicting incentives. Then, instead of DevSecOps, these businesses are left with just Dev, Sec and Ops.”
Gina Smith, research manager at IDC Asia, stated, “Old security processes that put security at the middle or end of the process are just too expensive and inefficient now.” Smith continued, “Building security planning, testing and monitoring into every phase of the DevOps pipeline is about bridging the age-old division — and enmity — among developers, IT and security.”
Having cloud native security solutions that are tightly integrated with a development and operations process and tools will be key in helping move toward a more DevSecOps operating environment.
When done effectively, this combination is a true win for security. The 2020 State of Pentesting report examined which security vulnerabilities are found reliably using machines versus human expertise. “The study found that both humans and machines bring value when it comes to finding specific classes of vulnerabilities. Humans ‘win’ at finding business logic bypasses, race conditions and chained exploits, according to the report.”
The truth is organizations of the future will require teams and technology to be working in unison.
Cloud with Confidence
Organizations need to evolve automation tools and the manner in which teams operate to address the unique security needs of modern cloud applications. Automation tools need to be integrated early into the development cycles to address security and compliance issues prior to deployment, with the ability to automate runtime security assessments to prevent threats. This will not only improve security but also development cycles.
To learn more about cloud native security automation through Check Point Cloud Guard, read the Check Point ebook Re-Imagine: A Guide to Unified and Automated Cloud-Native Security.