Bryan Roh Cyber Security and Emerging Threats

Special Report: DevSecOps and the Future of Secure Software Development

Rapid and secure software development has become the gold standard that companies in the software industry aspire to achieve. Yet according to a 2020 report by Capgemini, the idea of fast and secure code releases continues to be an oxymoron for many. Despite having access to state-of-the-art technological tools and having already accelerated their software development pipelines through the adoption of Agile and DevOps, organizations are struggling to balance cybersecurity against the need to constantly advance the functionality and speed of their applications in order to maintain a competitive advantage in today’s market.

While the Capgemini report highlights the challenges that organizations are experiencing when it comes to melding security into their software lifecycles, the underlying premise of the report is clear: cybersecurity is increasingly seen as a business challenge rather than merely a compliance issue. Organizations that deal with software development are now actively researching, implementing, or have completed initiatives to incorporate security at the outset of the development process. This reality is further accentuated in a recent annual report by Puppet, a North American tech company specializing in automation software, which found that the majority of companies that succeeded in embedding security into their DevOps workflows were able both to remediate security vulnerabilities and to restore critical business services within 24 hours of a cyber attack.

These companies have something in common with the NATO Communications and Information Agency, the U.S. Department of Defense, and the Department of Homeland Security. They have all taken steps to adopt DevSecOps, an organizational culture and framework for software development that aims to unify an organization’s development (Dev), security (Sec), and operations (Ops) teams as one cohesive unit. Similar to the swift rise of DevOps in the past decade, a momentous shift is taking place in the global software industry in which cybersecurity is increasingly seen as an integral component of an organization’s software development process and operational success, and DevSecOps has been coined as the general term to describe this transition.

To understand why DevSecOps is projected to sweep the global software industry in the next few years, however, it may first be helpful to lay out the road that led to its creation in the first place.

The Impetus Behind the DevOps Movement

The technological advancements made in the past decade have dramatically changed the public’s expectations of what constitutes quality IT service. Disruptive new technologies like virtualization, cloud computing, and the Internet of Things (IoT) have not only increased the complexity of the world’s computing infrastructure, they have also raised consumer expectations of acceptable standards for software. To stay ahead of the competition and satisfy their customer bases, tech companies now face mounting pressure to “deliver more software, more frequently, and at higher standards of quality”.

However, there exists a chronic conflict that has plagued tech companies since the birth of software development that threatens to hamper organizations from meeting this expectation. It is an internal conflict that centres on two IT factions: Development and IT Operations. Development, the ones in charge of developing software applications for the organization, are concerned with rolling out new features and updates in response to changes in the marketplace. IT Operations on the other hand is responsible for ensuring that the IT services an organization provides to its customers are stable, reliable, and made continually available for use.

Therein lies the historically opposing goals between Development and Operations. Development is pressured by upper management to push new features out by set deadlines, but changes made to the code of software applications always have the potential to introduce new vulnerabilities and errors. To prevent such issues from jeopardizing the stability and security of the application, Operations makes sure that any code handed over to them by Development is rigorously tested before it gets released to the public. This testing can become a highly time-consuming process such that the handoff to Operations becomes a bottleneck that can slow the entire software development lifecycle (SDLC) down. 

Not surprisingly, friction grows as each regards the other as the source of the conflict. Development views innovation as pivotal to keeping an organization’s software applications competitive and sees Operations as stagnant – holding back progress. Operations, on the other hand, values stability and believes unnecessary changes brought by fragile code can lead to service breakages; they view Development as naively careless of real-world constraints. As Development and Operations grow further out-of-sync with one another, a downward spiral begins to set in: “everybody gets a little busier, work takes a little more time, communications become a little slower, and work queues get a little longer.”

DevOps and the Security Trade-off

Sources vary on the origins of the DevOps movement, but it is widely acknowledged that it emerged sometime in the late 2000s. Concepts like lean manufacturing and the spread of the Agile software development model created the bedrock for a grassroots movement like DevOps to emerge. What followed were landmark events such as the “10+ Deploys per Day: Dev and Ops Cooperation at Flickr” talk at the 2009 Velocity Conference and Patrick Debois’s use of the Twitter hashtag #devops in 2009 to advertise his new conference on “agile system administration”, which quickly took the software industry by storm. The concept of breaking down the silos surrounding Development and Operations and aligning their goals for the first time to create better software in less time resonated strongly with IT professionals, and by 2015, large technology and media companies like Amazon, Netflix, and Sony Pictures Entertainment had all invested heavily in implementing DevOps practices.

One of the most important features in the DevOps toolkit is the concept of continuous integration and continuous delivery/deployment (CI/CD) pipelines. The ultimate purpose of CI/CD pipelines is to speed up Development and Operations processes through investment in automated testing tools. Through continuous integration, DevOps teams rapidly integrate and test small code changes from all of their individual developers on a frequent basis. Through continuous delivery and deployment, DevOps teams automate the process of pushing code changes to production environments in a way that keeps the code in a tested, deployable state at all times (automated tests catch regressions early; they do not guarantee that the code is free of bugs). The net result is that software updates can be made safely and without delay, up to multiple times a day, and that ability enables organizations both to maximize their reach in the digital market and to quickly deliver high-quality software products to their customers.

In DevOps, speed is everything. At least, it is from the vantage point of senior executives. In a 2018 report by Threat Stack, 68% of the CEOs in the companies surveyed demanded that DevOps and Information Security teams never slow down essential business processes. It is a stance based on the understanding that in today’s world, competitive advantage in the digital marketplace derives mainly from the speed of innovation and execution, that is, from reducing one’s time to market. Their priorities are therefore understandable, but the consequence is that security often gets sacrificed for speed and functionality. Indeed, the same survey by Threat Stack found 52% of companies admitting to cutbacks on security measures in favour of hitting business deadlines or objectives.

And that is a significant issue. According to a 2019 survey by Fortinet, while 58% of organizations stated that the majority of security vulnerabilities are caught before they enter production, only 8% stated that their DevOps teams were able to identify all of them, meaning that it is common for vulnerabilities to slip through undetected. 92% of organizations stated that they saw at least one vulnerability in their production environments within a year’s time, with 40% stating they saw 3-5 vulnerabilities, 28% stating they saw 6-9 vulnerabilities, and 12% stating they saw upwards of 10. This issue is further compounded by the fact that only 19% of DevOps teams reported that they were evaluated on identifying security vulnerabilities, with their top 3 success measurements being efficiency gains, cost reduction, and time to market.

DevOps, as commonly practised, incentivizes teams to value speed and functionality over security from the outset. The gold standard of rapid and secure software development, therefore, cannot be achieved with DevOps alone. For organizations both to win in the digital marketplace and to protect themselves from an increasingly hostile cyber threat environment, DevOps needs to mature further to fully incorporate security into its processes. At the same time, recognizing that traditional approaches to cybersecurity lack the agility to keep up with the pace of DevOps, a new approach to securing an organization’s networks and critical assets is in order. This new approach must integrate seamlessly into pre-existing DevOps infrastructure and be agile, scalable, and automated. Security, in other words, needs to shift left.

DevSecOps: Shifting Security to the Left

What does it mean to shift security to the left? It means to take something that was once implemented as an afterthought in the SDLC and push it to the front of the development pipeline. It means to fully utilize the skills, knowledge, and tools that an organization’s Information Security team holds by incorporating them into the software development, testing, and delivery processes. With DevSecOps, you take the breaking of silos that came with DevOps one step further and include security into the mix, baking security into the SDLC so that Information Security works in unison with Development and Operations to ensure security becomes integrated into the daily workflow of DevOps.

Just as DevOps was as much a cultural shift in the software industry as it was a practice, DevSecOps also reflects a change in philosophy for the organization that adopts it into its SDLC: security becomes a shared responsibility that is part of everyone’s job. And just as DevOps understood that technical debt accrues whenever issues in the development pipeline are passed over – whether deliberately or inadvertently – DevSecOps understands that a security issue becomes much more difficult and expensive to fix the later in the software lifecycle it is found.

Consider for instance the fallout from a serious data breach. Reputational damage and financial penalties would be a given, but if the company has a history of providing software products to client organizations as part of their supply chain, the scale and significance of the initial security breach would extend far beyond the lone company in question. With DevSecOps, organizations reduce the likelihood of such scenarios by identifying and addressing critical vulnerabilities before the software reaches the staging and deployment phases, and this is done by shifting security tasks to the left.

There may be no uniform way for organizations to implement DevSecOps, but the general principles remain the same. For a typical organization that has adopted DevSecOps, automation will be the name of the game as code analysis, security testing, and security monitoring all become automated to keep up with the quick pace of CI/CD in DevOps, while also catching the flaws that manual review is prone to miss. Open communication between Information Security and the rest of the IT groups will facilitate greater collaboration as security professionals become embedded in cross-functional teams to achieve the mission of the organization. By embracing the fundamental dynamism of DevSecOps, agile adaptability to change, and thereby continuous improvement, becomes possible through consistent feedback loops.
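What such an automated, shifted-left check looks like in practice is easiest to see in code. The following is an added example written for this page (it is not code from the article or from any vendor or agency it names): a minimal pipeline gate that scans a commit's source text for hard-coded credentials and decides whether the build may proceed. The credential patterns, the entropy threshold, and the sample source file are all assumptions constructed for illustration, and the fake key and token in the sample are not real credentials.

```python
"""Shift-left security gate: scan source for hard-coded secrets and fail the build.

Added illustrative example; not a tool from the article. The patterns below are
approximate formats chosen for demonstration, not an exhaustive rule set.
"""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Rule name -> (pattern, severity). Assumed, simplified credential formats.
PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "HIGH"),
    "private_key_block": (re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "HIGH"),
    "generic_password_assignment": (
        re.compile(r"""(?i)(password|passwd|secret)\s*[:=]\s*['"][^'"]{6,}['"]"""),
        "MEDIUM",
    ),
}
# Quoted literals of 20+ token-like characters are candidates for the entropy test.
STRING_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/=_\-]{20,})['"]""")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
ENTROPY_THRESHOLD = 4.5  # bits/char; assumed starting point for base64-like tokens


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    severity: str
    excerpt: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score near log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())


def scan_source(text: str, entropy_threshold: float = ENTROPY_THRESHOLD) -> list[Finding]:
    """Return every rule hit and every high-entropy string literal, with line numbers."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, (pattern, severity) in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(rule, lineno, severity, m.group(0)[:40]))
        for m in STRING_LITERAL.finditer(line):
            token = m.group(1)
            if shannon_entropy(token) >= entropy_threshold:
                findings.append(Finding("high_entropy_string", lineno, "MEDIUM", token[:40]))
    return findings


def gate(findings: list[Finding], fail_on: str = "MEDIUM", allowlist=()) -> tuple[bool, list[Finding]]:
    """Decide whether the pipeline may proceed.

    allowlist holds (rule, line) pairs that a reviewer has explicitly accepted, so a
    known false positive is recorded in the repo rather than silently ignored.
    Returns (ok, blocking_findings).
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold and (f.rule, f.line) not in allowlist
    ]
    return (not blocking), blocking


# Constructed sample "commit" for the demonstration; all values are fake.
SAMPLE_SOURCE = """\
import boto3
# constructed example file; these values are fake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_PASSWORD = "hunter22"
API_TOKEN = "ghp_1aB2cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX"
GREETING = "hello world, this is a plain message"
"""

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    ok, blocking = gate(found)
    for f in blocking:
        print(f"{f.severity:6} line {f.line:3} {f.rule}: {f.excerpt}")
    # A non-zero exit is what actually stops a CI job; the report is for the developer.
    sys.exit(0 if ok else 1)
```

Run as a pre-merge step, the script exits non-zero on the sample (an AWS-style key, a password assignment and a high-entropy token), which is what blocks the pipeline. Raising `fail_on` to `"HIGH"` and allowlisting the documented example key on line 3 lets the build through, which illustrates the practitioner's trade-off: the gate must be strict enough to stop real secrets yet tunable enough that developers do not route around it.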

And to support the cultural and organizational transformation necessary for a transition towards DevSecOps, the organization’s senior leadership must fully understand the premise behind DevSecOps: that IT risks are ultimately business risks, or to frame it another way, that cybersecurity is not a hurdle to overcome but a business enabler that can be taken advantage of.

Conclusion

DevSecOps comes at a time of great uncertainty in the world. As the rollout of 5G begins to accelerate around the globe, it will give rise to new security challenges that cybersecurity professionals will have to adapt to and face. Artificial Intelligence is poised to become weaponized by cyber adversaries to conduct sophisticated forms of cyberattacks against networks and computer systems. Last but not least, the seismic effect that COVID-19 has had on the world’s reliance on digital technologies for remote working, and the subsequent explosion in the number of security incidents that followed, will continue onwards into 2021 so long as hackers continue to be malicious opportunists. By shifting security to the left and embracing automation in security operations, DevSecOps provides best practices to defend an organization’s networks from a constantly evolving cyber threat landscape.

Featured Image: “Black and Gray Laptop Computer” (2017), by Luis Gomes via Pexels. Public Domain.

Disclaimer: Any views or opinions expressed in articles are solely those of the authors and do not necessarily represent the views of the NATO Association of Canada or any organization.

Bryan Roh
Bryan Roh is a Research Analyst for the Cybersecurity and Emerging Threats programme at the NATO Association of Canada. He received a Cybersecurity Analyst diploma from Willis College, and a Bachelor of Arts from the University of Toronto, where he specialized in security issues related to the Asia-Pacific region. He is a former Compliance Director for the G7 Research Group and frequently publishes research work online. Bryan is also a former reservist in the Canadian Armed Forces where he developed an interest in information and national security issues.