“Shifting security left” in the development process and “baked in, not bolted-on security” were commonly repeated phrases at the RSA Conference earlier this year — and in just about every security-related discussion before and since the annual cybersecurity event.
The phrases came up again at CA Technologies’ summit earlier this month with the vendor’s customer, Cardinal Health, a health care services company based in Dublin, Ohio. The company manufactures pharmaceuticals and medical products.
Scott Bellamy, a senior application security architect at Cardinal Health, used both phrases. “We can’t be thinking of security as an after-the-fact,” he said on a panel discussion. “One of our key tenets is moving security left in the development process — shifting left. We have to get to the point where we’re talking about building security in and having developers write secure code rather than writing code with vulnerabilities and dealing with that later.”
One way to do this is through DevSecOps, or automating core security tasks by embedding security controls and processes into DevOps. In other words, baking security into the code.
As companies rapidly adopt hybrid clouds and DevOps models, integrating security from the start solves a couple of problems.
“The overarching problem is the need for greater operational efficiencies when it comes to cybersecurity,” said Doug Cahill, a senior analyst at Enterprise Strategy Group (ESG). Companies have increasingly complex IT environments spanning on-premises data centers and multiple clouds. And they don’t have enough resources to secure these environments.
“The other problem is how to inject cybersecurity into modern IT management,” Cahill said. “At its core, DevOps is a cultural shift to get the development team and operations team collaborating.” One of the ways this model manifests is continuous integration and continuous delivery (CI/CD).
“CI/CD is just that — continuous — and from a security perspective, that can be quite disconcerting,” Cahill said, adding that a security professional told him DevOps was like running with scissors: “Bad things happen when you go fast.”
DevSecOps Challenges
ESG research found 15 percent of organizations are “extensively” automating security via DevSecOps, and 19 percent say they have incorporated some level of security into the DevOps process. Another 41 percent are evaluating DevSecOps, signaling stronger adoption in the future.
“If you are a security professional and you hear this term [DevSecOps], you may think it’s just marketing,” Cahill said. “But when you talk about what’s behind the term, it’s hard not to be in heated agreement to the value of integrating security processes and tools into your test and development environment and finally your production environment.”
Still, he added, “It’s not always clear where to start.”
An April report by 451 Research, commissioned by Synopsys, found that only half of CI/CD workflows include application security testing elements despite respondents citing awareness of the importance and advantages of doing so.
Organizations cited a lack of automation and consistency, reduced speed, and the noise of false positives as the primary challenges of DevSecOps. At the same time, respondents also said the use of automated tools integrated early in the software development life cycle can have a positive impact on both the speed and the overall quality and security of software.
“We’re seeing that this emphasis on security is shifting toward the left side of the DevOps pipeline,” said 451 Research analyst Scott Crawford. “We do see developers embracing security, but it is a gradual thing. One thing development teams can’t tolerate: you can’t slow these processes down. Business insists on having features and functions that are competitive in the market, or they will lose their competitive edge.”
‘Security Needs to Delegate’
By its very nature, the DevOps model fuses development and operations resources within small teams and gives the teams ownership of the software they create, added 451 Research analyst Fernando Montenegro, who, for the record, doesn’t like the term “DevSecOps.” He says “it makes security stand out as a different stakeholder. Security should be embedded in both Dev and Ops. Security in DevOps or just DevOps.”
As companies move to DevOps — and the shortage of skilled security professionals increases — security can no longer be a centralized function, Montenegro said. It has to be embedded in multiple teams by using automated tools and incorporating things like software composition analysis into CI/CD workflows.
“Security is still trying to do too much itself,” he said. “Security needs to delegate more to other divisions. The role for security becomes more enabling, help educate that team, by all means monitor it from afar, but don’t become a roadblock.”
DevSecOps Use Cases
It can be difficult for companies to know where to start, however. Cahill suggests focusing on use cases by environment: test, development, and production.
In development, focus on eliminating security vulnerabilities introduced by developers. “Make sure your developers are writing good, secure code,” Cahill said. “The more you do things right the first time the better it is because rework always costs you more.”
In the testing environment, check for any known software vulnerabilities up and down the stack. “In test, we’ve basically hardened configuration,” Cahill said. “And in production, we can automatically apply security controls that will monitor workloads.”
This includes tools like a host-based intrusion detection system, which monitors and analyzes the computing system and network packets, as well as anomaly detection.
“When people say shift left, they mean all the way to development,” he said. “My point is yes, absolutely shift left, but then go right. Yes, do it in dev but also in test and production.”
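To make the “shift left, then go right” idea concrete, the following is an added example of one of the automated checks Montenegro and Cahill describe: a software composition analysis gate that a CI/CD pipeline runs in the test stage to block a build whose pinned dependencies fall inside a known-vulnerable version range. It is illustration written for this page, not code from CA Technologies, Cardinal Health, ESG, or 451 Research; the package names, advisory identifiers, and version ranges are constructed sample data, and the pip-style manifest format and the “block on high or critical” policy are assumptions.

```python
"""Software composition analysis (SCA) gate for a CI/CD pipeline.

Added illustration: parse a pip-style requirements manifest, compare each
exact pin against a small advisory list with affected version ranges, and
return the findings so the pipeline can fail the build before the artifact
moves right into production. All advisories and packages below are
constructed sample data, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Optional
import re
import sys


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple          # first affected version (inclusive)
    fixed: Optional[tuple]     # first fixed version (exclusive); None = no fix yet
    advisory_id: str           # constructed identifier, not a real CVE
    severity: str


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3); a non-numeric segment compares as 0."""
    parts = []
    for seg in text.strip().split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def cmp_versions(a, b):
    """Three-way compare; pads the shorter tuple so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_requirements(text):
    """Return {package: version} for exact '==' pins; comments and unpinned
    lines are skipped (an unpinned dependency is itself a finding in a
    stricter policy, but this gate only reasons about exact versions)."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def is_affected(version, adv):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if cmp_versions(v, adv.introduced) < 0:
        return False
    if adv.fixed is not None and cmp_versions(v, adv.fixed) >= 0:
        return False
    return True


def scan(pins, advisories):
    """Return (package, version, advisory_id, severity) for every match."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id, adv.severity))
    return findings


def gate(findings, block_on=("critical", "high")):
    """Policy decision: True means the build may proceed."""
    return not any(sev in block_on for _, _, _, sev in findings)


# Constructed sample data (not real packages or advisories).
SAMPLE_ADVISORIES = [
    Advisory("examplelib", (1, 0, 0), (1, 4, 2), "EXAMPLE-2019-0001", "high"),
    Advisory("otherlib", (2, 0, 0), None, "EXAMPLE-2019-0002", "medium"),
    Advisory("safelib", (0, 1), (0, 9), "EXAMPLE-2019-0003", "critical"),
]
SAMPLE_REQUIREMENTS = """
# constructed manifest for the example
examplelib==1.3.0
otherlib==2.5.1
safelib==1.0.0    # already past the fixed version, so not a finding
unpinnedlib>=3.0  # not an exact pin, skipped by this gate
"""

if __name__ == "__main__":
    results = scan(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES)
    for pkg, ver, adv_id, sev in results:
        print(f"{sev.upper():8} {pkg}=={ver} ({adv_id})")
    # Non-zero exit is what makes the CI stage fail and stops the deploy.
    sys.exit(0 if gate(results) else 1)
```

Wired into a pipeline, the non-zero exit is the whole mechanism: the build stops in test rather than the vulnerable dependency being discovered by host-based monitoring in production. Keeping the version comparison in a small, testable function matters because off-by-one errors at the `fixed` boundary are exactly how such gates produce the false positives (or silent misses) that the 451 Research respondents complained about.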