optimum processes for developing code evolve quickly. We humans
have an insatiable need for more software, more features, more
functionality… and we want it faster than ever before, at higher
quality, and on top of that: secure.
With an estimated 68% of organizations experiencing zero-day
attacks[1] (attacks exploiting previously unknown vulnerabilities)
in 2019, this is an upward trend that we need to address as an
industry by shipping secure code at a reasonable speed.
While many people and organizations are moving on from Waterfall
to Agile — and not everybody is there yet, let’s be real — they are
already encountering a new problem.
Development teams and their operations counterparts still work in
silos, which keeps causing headaches for development managers and
their counterparts across the business. In this environment, how
can small teams working in an Agile way deliver on that promise of
faster deployment and faster delivery?
The (former, and we’ll get to that in a minute) top-ranking
development buzzword/methodology, DevOps[2], was created to merge
the functions of both developers and operational teams when
creating new software. Essentially, this was to help developers
take ownership of putting things into production, instead of
throwing it over the fence to the operations team and making it
their responsibility.
They can undoubtedly ship faster, even several times per day,
which seems right up Agile's alley. However, DevOps still creates
one big, mixed team of engineers and operations personnel, which
may not be Agile-aligned in reality. Ultimately, we've worked out
at this point that DevOps is more of an evolution of Agile: similar
in many ways, and complementary where they differ.
The automated continuous integration and deployment pipeline that
characterizes a functioning DevOps environment is essential to
enable frequent releases, but it is not sufficient on its own at
the team level, and this is where Agile steps in.
rapid releases and changing requirements, while staying on-task and
collaborative. It certainly seems ideal — and the process can keep
teams on track with the end goal — but it is not without its own
issues.
Software created using DevOps best practice still has the
potential to stumble at the first boss fight: the security team.
When the code is examined by traditional/Waterfall AppSec
specialists, either with tooling or complex manual review, they
often find unacceptable risks and vulnerabilities which must then
be fixed after the fact.
The process of retrofitting security fixes into completed apps
is irksome for development managers and their already-stretched
teams and is neither quick nor easy. Economically, it’s also far
more expensive for the organization.
So, then, if the world is moving on past Waterfall, Agile, and
now DevOps, what is the solution? And if you’re managing a team of
developers (or are one yourself), what is your role in keeping pace
with these changes in approach?
Development techniques are in a constant state of evolution, but
thankfully, this one isn’t such a huge change. Organizations just
need to put the “Sec” in “DevOps”… and so, DevSecOps was born. A
primary goal of DevSecOps is to break down barriers and open
collaboration between development, operations, and, last but not
least, security teams.
DevSecOps has become both a software engineering tactic and a
culture that advocates security automation and monitoring
throughout the software development lifecycle.
This might seem like yet another organization-level process,
perhaps one with “too many cooks” when it comes to a developer with
a long list of features to build. However, the DevSecOps
methodology opens up an opportunity for security-aware developers
to really shine.
DevSecOps: A bright future for savvy developers
Why would a coder — and indeed their managers — want to get up to
speed with DevSecOps?
First off, it’s good to know that it’s a brilliant move, and not
just in the quest to make the world safe from costly cyberattacks.
Experts say that the demand
for[3] talented cybersecurity
personnel is skyrocketing with no end in sight. Those who master
DevSecOps can expect a long and profitable career.
Job security for DevSecOps engineers is even more assured,
because unlike traditional cybersecurity tactics like vulnerability
scanning with an array of software-based tools, DevSecOps requires
people who know how to implement security as they code.
As Booz Allen Hamilton's analysts noted in their blog post
entitled 5 Myths of Adopting DevSecOps[4], organizations want (and
need) DevSecOps, but simply can't buy it. It requires
cross-functional teams integrating technologies and collaborating
throughout the whole software development lifecycle, and that in
turn requires skilled people, change management, and an ongoing
commitment from multiple stakeholders.
and tools to help with certain aspects of DevSecOps, like release
management software, “but it’s really your delivery teams that make
it happen.” They are the ones driving the continual improvement
offered by DevSecOps and its cultural and paradigm shift.
Organizations cannot “buy” a viable DevSecOps program; it must
be built and maintained, using a range of tools, in-house
knowledge, and guidance that uplifts the security culture, while
also making business sense. It’s not easy, but it’s far from
impossible.
How you can kick ass in the DevSecOps movement
One of the first steps on the path to becoming — or supporting the
upskilling — of a DevSecOps engineer is realizing that it’s as much
a culture as a set of techniques. It requires the will to implement
security as part of every bit of code that you create, and the
desire to proactively protect your organization by actively looking
for security flaws and vulnerabilities as you code, fixing them
long before they make it into production. Most DevSecOps engineers
take their profession and skillset very seriously. The DevSecOps
professional organization even has a manifesto[5] stating its beliefs.
The manifesto is kind of heavy-handed, as manifestos are rarely
light reading. But at its core are a few truths that all great
DevSecOps engineers should learn to embrace, like:
- Realize that the application security team is your ally. At most
organizations, the AppSec specialists and the developers are at
odds: AppSec keeps sending completed code back for more work, and
developers keep delaying releases by introducing the common
security bugs that AppSec then has to catch. A smart DevSecOps
engineer realizes that the security team's goals are ultimately the
same as the developers'. You don't have to be best friends, but
forming a calm and collaborative working relationship is vital to
success.
- Practice and refine your secure coding techniques. If you can
find the ways an app is vulnerable while it is still being built,
closing those loopholes stops future attackers. Of course, this
requires both an understanding of vulnerabilities and the tools to
help fix them. For developers brand new to security, even to the
OWASP Top 10, the Secure Code Warrior blog[6] pages give insight
into the most common and dangerous vulnerabilities you will
encounter, as well as practical advice and challenges to test your
knowledge. The most important aspect is keeping security
front-of-mind, and making time for bite-sized training that builds
on existing knowledge. It is common for a developer's interactions
with security to be fairly unremarkable, even negative, but
upskilling in security is a great career move. It doesn't have to
be a chore, either, especially with a support network offering
training and the time to actually do it within working hours.
- Remember: DevSecOps superstars contribute to a positive security
culture at their organization. Instead of focusing on the goals of
the past, like delivering apps quickly regardless of their inherent
problems, make finding and fixing vulnerabilities in code under
development a top priority. Security must be seen as everyone's
job, and everyone should share in the recognition and rewards that
come from deploying effective, highly secure applications every
time.
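As an added illustration (not code from the article, the manifesto, or Secure Code Warrior) of what "finding ways that apps are vulnerable while they are still being built" looks like for one OWASP Top 10 category, injection: a login query with user input spliced into the SQL text, beside its parameterized fix, plus a regression check a developer can keep in the test suite so the bypass fails the build instead of reaching production. The schema, the two accounts, and the attacker's input are constructed for this example, and it runs offline against an in-memory SQLite database.

```python
"""Added example: catching an injection flaw during development, before AppSec sees it.

Illustration code only; not from the original article. The users table, the accounts
and the attacker payload below are constructed so the example runs offline.
"""
import sqlite3
from typing import Callable, Optional, Tuple

Row = Optional[Tuple[str, str]]
LoginFn = Callable[[sqlite3.Connection, str, str], Row]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one of them an admin.

    Passwords are stored in plaintext only to keep the query readable; real code
    would store a salted hash (also an OWASP Top 10 concern in its own right).
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """'Before': user input becomes part of the SQL text, so the attacker controls the
    query's grammar, not just its data."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """'After': the query text is fixed at development time; the driver sends the
    values separately, so a quote or comment marker in the input is just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Constructed attacker input. The closing quote ends the string literal and `--`
# comments out the rest of the line, which deletes the password check entirely:
#   ... WHERE username = 'alice' --' AND password = 'wrong-password'
PAYLOAD = "alice' --"


def bypass_succeeds(login: LoginFn) -> bool:
    """Regression check for the test suite: does a wrong password log in as alice?

    Returns True when the login function is exploitable, so a CI job can fail the
    build on `bypass_succeeds(login_vulnerable)` long before AppSec review.
    """
    conn = make_db()
    row = login(conn, PAYLOAD, "wrong-password")
    return row is not None and row[0] == "alice"


if __name__ == "__main__":
    print("vulnerable version bypassed:", bypass_succeeds(login_vulnerable))  # True
    print("parameterized version bypassed:", bypass_succeeds(login_fixed))   # False
```

The only change between the two login functions is where the user input ends up: inside the SQL text in one, in a separate parameter list in the other. The same payload that comments out the password check in the first version matches no username in the second, which is the property the regression check asserts. The legitimate credentials still work against the fixed version, so the test also guards against "fixing" the bug by breaking login.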
You can help cultivate an incredible security culture at your
organization by championing secure coding and security best
practices from the ground up, recommending training solutions, and
ensuring no coder is left behind in the all-hands-on-deck,
fast-paced world of DevSecOps.
The only good code is secure code, and skilled, security-aware
developers are vital pieces of the puzzle. The personal and
professional rewards are certainly worth the effort, and with
billions of personal data records compromised every year (and
growing), we need you. Take your spot on the front lines and help
defend against the bad guys in our digital world.
Interested in taking your first steps to a more secure future?
Secure Code Warrior[7] has lots of free resources; I would
recommend starting with the whitepaper "The Five-Point Tactical
Guide For Secure Developers[8]".
References
- [1] 68% of organizations experiencing zero-day attacks (www.prweb.com)
- [2] DevOps (en.wikipedia.org)
- [3] the demand for (devops.com)
- [4] 5 Myths of Adopting DevSecOps (www.boozallen.com)
- [5] has a manifesto (www.devsecops.org)
- [6] Secure Code Warrior blog (insights.securecodewarrior.com)
- [7] Secure Code Warrior (securecodewarrior.com)
- [8] The Five-Point Tactical Guide For Secure Developers (discover.securecodewarrior.com)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/GZuV-q3AM4I/devsecops-engineers.html