The CISO's role is evolving faster than ever before. Security is no longer a department but an outcome that must be part of every stage of the software development and delivery process. A DevSecOps model is the way forward for every company embracing the cloud that wants a much faster and more secure software development lifecycle (SDLC). DevSecOps is about built-in security, not bolted-on security that merely functions as a perimeter around apps and data. In this post we explain how the new security teams are no longer just gatekeepers, but accompany developers with best practices and specific new tools that act as guardrails.
But now that applications are "moving to the cloud" and new developments are cloud native, CISOs should feel safer and relax, since the responsibility has moved to the cloud provider, right?
Well, not so fast. While cloud-native development and the delegation of Ops tasks to cloud providers have increased productivity, saved cost and reduced time to market, the use of containers, orchestrators and microservices has shifted the risk towards new attack surfaces, as the CNCF has pointed out. At a time of digital transformation and triumphant agility, we need to revisit the way we manage security, and especially how we reconcile the need for agility with the need for reinforced security. These two notions, antagonistic in the traditional approach, must collaborate, and that is what gave birth to the concept of DevSecOps.
DevSecOps proves efficient because it shifts Security from a function that says "No" to an enabling function within the DevOps process. Instead, DevSecOps teams:
Security becomes part of the culture and the conversations of the DevOps team, as illustrated below. Detecting and fixing vulnerabilities early in the lifecycle significantly reduces both their impact and the cost of fixing them. The result is an event-driven architecture that removes the need for the various teams to collaborate manually at the integration points.
Figure 1: DevSecOps process illustration
OK, let's say we now agree that security should be part of the DevOps process. The next pressing issue is finding and allocating the right security personnel to attend each agile meeting of each team. It is not always possible to find that many security people, so the best alternative is to assign the role of security champion or DevSecOps leader to one of the existing DevOps team members. That member can be trained on the common tools used to test the code and is in charge of evangelizing the team and, more importantly, enforcing security best practices within it. This way the usual security issues are resolved during the development stages, and the scarce security team resources are only involved on an exception basis, for specific reviews.
Below, for your information, is a sample of the tools available on the market that can help your team automate security within your Software Development Life Cycle.
Category | Tools
---|---
Static Application Security Testing (SAST) | CAST Application Intelligence Platform, Checkmarx CxSAST, IBM AppScan, MicroFocus Fortify, SonarQube, Synopsys, Veracode, FindSecBugs, Brakeman, PMD
Dynamic Application Security Testing (DAST) | Acunetix, AppSpider, IBM AppScan, MicroFocus Fortify, Netsparker, OWASP ZAP, Qualys Web Application Scanning, Rapid7 AppSpider, Sqreen, Veracode, WebInspect, Burp
Interactive Application Security Testing (IAST) | Contrast, Seeker, Synopsys
Vulnerability Scanners | Acunetix Vulnerability Scanner, Arachni, IBM AppScan, MicroFocus Fortify WebInspect, Tenable Nessus, OpenVAS, Qualys, Rapid7
Threat Intelligence | FireEye iSIGHT Intelligence, IBM Security X-Force Threat Intelligence, Intrinsec Threat Intelligence, Palo Alto Networks WildFire, Symantec DeepSight Intelligence
Bug Bounty | Bounty Factory, Bugcrowd, Yogosha
So, how should you go about implementing DevSecOps?
To practice secure coding, developers need to be educated on the security basics so that the same security defects stop surfacing over and over again. SQL injection was a problem 15 years ago, and SQL injection is still a problem today! Security teams therefore need to empower the dev teams with tools and frameworks that speed up the DevOps process by telling them upfront what the security expectations are and letting those expectations be met while coding. Let application developers make informed decisions, own their security design and see the results in real time as they build their applications. This flips the security team from being a tester to being an auditor. The security team and the DevOps team should be considered partners: it is their joint job to ensure that the application is secure.
The shift-left testing approach means baking security into the early stages of application development instead of running security checks at the tail end of the Software Development Life Cycle (SDLC). Start with security at the beginning of the application development process and set the security expectations at each and every stage of the SDLC. The developer can be notified within minutes of a potential flaw introduced in their last pull request and can begin to address it while it is fresh in their mind. Compare this with finding the flaw weeks or months later during a penetration test, by which time the issue may have compounded and become much more difficult to resolve. The earlier you find a bug, the cheaper it is to fix.
No organization can go out and buy DevSecOps ready-made. It spans people, process and culture, and technology is what brings the vision into action. Automating the integration points is the key to ensuring both agility and security in DevSecOps: automating the security checks at each stage of the SDLC using tools such as those listed above, automating the compliance checks, automating configuration management, and so on. Represent security and compliance as "code" and bake it into the entire process. In Oracle Cloud environments, where infrastructure and configuration can be deployed as code, automation helps avoid manual human error in system configuration, making security and performance much more predictable.
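The three ideas above, the SQL injection defect that keeps resurfacing, the pull-request check that reaches the developer within minutes, and security checks expressed as code that a pipeline runs at each stage, fit in one small program. The following is an added example written for this post; it is not code from the post or from Oracle, and the table, the `SAMPLE_PR` file contents and the `' OR '1'='1` input are constructed for illustration. It shows the string-built query beside its parameterised fix against an in-memory SQLite database, and a static check built on Python's `ast` module that flags SQL literals combined with runtime values by concatenation, `%`, `str.format` or f-strings, which a CI job could run on the Python files changed in a pull request.

```python
"""Shift-left gate: show the SQL injection defect and its fix, then flag the
defect statically so a pull request fails before a reviewer sees it."""
import ast
import re
import sqlite3

# --- The defect that keeps coming back, and its fix -------------------------

def setup_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """Untrusted input concatenated into the query text: the injection defect."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(query))

def find_user_safe(conn, name):
    """Parameterised query: the driver keeps the data separate from the SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

# --- A static check a CI job can run on the changed Python files ------------

SQL_START = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)

def _is_sql_literal(node):
    """True for a string constant whose text begins with a SQL statement verb."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and SQL_START.match(node.value) is not None)

class SqlBuildFinder(ast.NodeVisitor):
    """Records (line, message) for every SQL literal merged with runtime values."""
    def __init__(self):
        self.findings = []

    def visit_BinOp(self, node):          # "SELECT ..." + x  /  "SELECT %s" % x
        if isinstance(node.op, (ast.Add, ast.Mod)) and _is_sql_literal(node.left):
            how = "concatenation" if isinstance(node.op, ast.Add) else "%-formatting"
            self.findings.append((node.lineno, "SQL built by string " + how))
        self.generic_visit(node)

    def visit_JoinedStr(self, node):      # f"SELECT ... {x}"
        if (node.values and _is_sql_literal(node.values[0])
                and any(isinstance(v, ast.FormattedValue) for v in node.values)):
            self.findings.append((node.lineno, "SQL built with an f-string"))
        self.generic_visit(node)

    def visit_Call(self, node):           # "SELECT ... {}".format(x)
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "format"
                and _is_sql_literal(func.value)):
            self.findings.append((node.lineno, "SQL built with str.format"))
        self.generic_visit(node)

def scan_source(source):
    """Return sorted (line, message) findings for one Python source file."""
    finder = SqlBuildFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)

# Constructed contents of a hypothetical pull request (not real project code).
# Lines 4, 6, 8 and 10 should be flagged; lines 12 and 14 are clean.
SAMPLE_PR = '''
import sqlite3
def lookup(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'")
def lookup_pct(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = '%s'" % name)
def lookup_fstr(conn, uid):
    return conn.execute(f"SELECT name FROM users WHERE id = {uid}")
def lookup_format(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = '{}'".format(name))
def lookup_ok(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,))
def like_ok(conn):
    return conn.execute("SELECT name FROM users WHERE name LIKE '%a%'")
'''

if __name__ == "__main__":
    conn = setup_db()
    hostile = "' OR '1'='1"
    print("string-built query returned:", find_user_vulnerable(conn, hostile))
    print("parameterised query returned:", find_user_safe(conn, hostile))
    for line, msg in scan_source(SAMPLE_PR):
        print("pull request line %d: %s" % (line, msg))
```

Run as a script it prints every user for the string-built query and nothing for the parameterised one, then lists the four offending lines of the constructed pull request. Wiring `scan_source` to the files in a pull request and failing the job when it returns findings is the shift-left feedback loop the post describes; the check is deliberately narrow (it only sees Python string expressions that begin with a SQL verb), which is why the SAST tools in the table above remain the production option.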
Reference sets of good DevSecOps practices have been published, notably by the OWASP (Open Web Application Security Project) Foundation, the SANS Institute and the Cloud Security Alliance.
The only truly effective way of going DevSecOps is by going to the cloud. When you step back and think about it, the advantages of DevSecOps and the cloud are the same, flexibility, faster go-to-market and increased productivity, which is why they partner so well together. Cloud capabilities are the foundation of this shift in security focus from the development teams. It is because clouds, and particularly Oracle Cloud, took on more of the responsibility for compute, storage, databases and network that the adoption and productivity of DevOps teams has skyrocketed.
If you look at the Oracle security portfolio, we have a fantastic set of mature capabilities providing defense in depth through layered security, from securing the data to the users, platforms and applications, as detailed here. We provide a secure cloud for enterprise workloads, ensuring that our customers are isolated from noisy or malicious customers and that their hardware is in a pristine state, among other unique capabilities. We are also committed to providing unmodified open-source software that lets our customers automate the monitoring, response and remediation of incidents, or integrate with their SIEM using the logging service combined with serverless actions. We have also programmatically integrated our security products to provide continuous security risk assessment and recommendations based on Oracle best practices via our Cloud Guard service.
If you are starting that DevSecOps or shift-left journey in your own enterprise, feel confident that you are on the right path. You will no longer be just "the guy who says No" but part of the team that delivers value for your company, reduces its exposure to risk and makes security an inherent component of your company's business, one that helps differentiate it from the competition.
If you are in the cloud or moving to the cloud, you might want to take a look; there is no harm in being better informed. Discover more about Oracle Cloud.