Security in Devops
Presented at the Gartner Security & Risk Management Summit 2018, “Security In A DevOps World” examines the challenges and benefits of integrating security technology and thinking into the development process at the early stages.
My slides aren’t generally too useful if you haven’t seen the talk. They are very much designed to assist in the presentation of the material, but they also come in handy as a memory aid.
My slides (11MB PDF) for the talk.
We’re all caught up in the rapid response, recover, and repeat cycle of cybersecurity. We rarely step back and evaluate whether our current approach and organizational structures align with our desired outcome.
I firmly believe that how we structure security within an organization and our general approach has reached the limits of it’s effectiveness.
It’s time for radical change.
That’s not to say we sweep the table and start all over again. The current method is inefficient, doesn’t scale, and is very costly. We can do better.
Cultural change is hard. It’s one of the hardest things an organization can undertake. It takes persistence and dedication. It’s a difficult path to travel.
But there are positive examples. The push from waterfall to agile development methodologies followed quickly by the cultural push to a “DevOps” mentality to name two.
Clear away the current hype around all things DevOps and it boils down to this succinct tweet by Sonia Gupta;
What is DevOps? It's two things, per @jsnover:— Sonia Gupta (@soniagupta504) May 7, 2018
1) Do work in small batches so you can learn.
2) Stop being a jerk to your coworkers.
The goal is to break down organizational silos and shorten overall feedbacks. It turns out that these two adjustments can dramatically change how IT services are delivered.
The Goal of Security
In order to align security efforts with a cultural shift, we need to clearly understand the goal of security. There are a number of definitions, but for me, the goal of security is simple.
Security works to ensure that your systems work as intended…and only as intended.
You cannot achieve this goal from within the cybersecurity team alone. It requires collaboration and cooperation with the rest of the organization.
That’s how we’ll address the security skills gaps. Not by training more and more of what we currently think of as “security people”, but by raising the level of security knowledge throughout the organization.
The DevOps movement represents the most significant opportunity for security implementation to align with desired outcomes in the past generation. That sounds dramatic but it’s also accurate.
We—the security community—owe it to ourselves and our organizations to take advantage of this opportunity.
To tie security outcomes this cultural shift, security work must “shift left”. This refers to moving to the left side of the common development workflow visualization.
Moving to the left side of the diagram where all of the “development” is done will increase the effectiveness of security efforts while simultaneously reducing their overall cost.
Starting with the planning phase, security knowledge helps developers and other teams make smarter design decisions. Creating systems that have deeply integrated security and respect privacy by design is the most effective way to increase our overall security posture.
No one wants to write poor quality, vulnerable software. But by bolting on security at the end, we continue to enable this outcome.
Making smart design decisions like encrypting by default, using well maintained and accepted sanitization libraries, and reducing the amount of personal information stored means that mistakes have a smaller chance of exposing valuable information.
In the coding phrase, security thinking helps ensure that test coverage is adequate for the data being processed. It helps developers use secure, well-understood patterns for secrets management, and other resilient coding practices.
During the testing phase, security tools can help reduce the risk of 3rd party dependencies by identifying known issues and implementing unit tests for core security controls.
Finally in the staging phase, all of the information about the latest iteration of the development cycle can be used to inform the security controls in production. This ensures that production controls are aware of the most recent changes in the application, and overall, the monitoring systems have a much clearer idea of what “normal” behaviour for the application looks like.
Creating a culture of security thinking is a huge undertaking. The current approach of an isolated team trying to coordinate and collaborate with the rest of the organization has reached it’s scaling limit.
It’s time for a shift.
We—the security community—are fortunate that the shift to a DevOps culture is getting started. This presents a unique opportunity to piggyback on this effort and combine forces.
We can use the momentum generated by the push to DevOps to do security right. We can integrate security into the fabric of service delivery and ensure that our systems work as intended…and only as intended.