It seems that not a day goes by without news about some type of data breach, loss of data or a ransomware scenario. These keep happening even though firewalls are in place and agencies/companies likely have Intrusion Prevention Systems (IPS) and some may even have Data Loss Prevention (DLP) systems in place. Threat actors (hackers) continue to uncover new approaches to breaching networks or applications to get access to your data. You may ask yourself, “So what? What more can we do?”

Even if you feel comfortable in your security approach, you are encouraged to look at your application team’s development pipeline. Depending on many factors, culture included, your development organization may be using more of a DevOps approach, rather than DevSecOps. Aside from inserting “Sec” into the term (with the understanding that it represents inserting security into the pipeline), how does it help?
“DevSecOps” is meant to represent embedding security practices into the entire development lifecycle, during the development, test and deployment of the application. This approach goes well beyond the earlier practice of running a security scan only after development, because it embeds security into all three phases. If done well, it prevents the application from progressing to the next phase until all the security issues in the current phase have been addressed.
If your teams are researching DevSecOps, they will encounter the phrase “Shift Left,” which emphasizes moving security to the beginning of the development cycle rather than leaving it as an afterthought (or ignoring it entirely). As mentioned above, in DevSecOps, security is embedded throughout the development lifecycle, shifting the focus to a much earlier point in the process.
Many of the approaches rely on automating security checks by embedding the controls within the development pipeline. Those automated checks and controls can align with various security standards, including NIST SP 800-53, OWASP SAMM, the Zero Trust Maturity Model and others. Static and dynamic application security testing tools (SAST/DAST) automate unit tests, vulnerability scans and policy compliance checks throughout the cycle. They can be configured with automated policies that act as gatekeepers, preventing insecure code from merging into the existing application code.
Coupled with the security checks, other tools can be integrated into the lifecycle to detect dependencies, such as a dependency on a third-party library that has a known vulnerability.
Adding to the security repertoire are tools that enforce security checks on cloud templates to detect insecure configurations, ensuring those templates deploy infrastructure environments that are compliant with your needs.
Embarking on a DevSecOps path will result in embedding several tools within an organization’s development lifecycle. Many of these can integrate with ticketing systems to help track and ensure resolution of issues. Implementing these tools will involve a cultural change to the organization. Don’t underestimate that aspect, but emphasize that this approach will reduce vulnerabilities. Threat actors continue to evolve. Perhaps this approach will provide you with a little more security.
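As an added illustration of the gatekeeper policy and the cloud-template check described above (this is example code written for this page, not code from the article or from any particular product), the following Python script combines constructed findings from a SAST stage, a dependency scan and a simplified template check into one merge decision. The template format, the severity scale and the "block at high or above" policy are assumptions.

```python
from dataclasses import dataclass

# Severity ordering used by the gate policy (assumed scale, not from the article).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    source: str    # pipeline stage that produced it: "sast", "sca" or "iac"
    severity: str
    message: str

# Constructed sample output, as a SAST scanner and a dependency scanner might report it.
SAST_FINDINGS = [Finding("sast", "medium", "app/auth.py:42 hard-coded credential")]
SCA_FINDINGS = [Finding("sca", "high", "third-party lib 'examplelib' 1.2.0 has a known vulnerability")]

# Constructed cloud template in a simplified resource model (an assumption, not a real IaC format).
TEMPLATE = {
    "resources": {
        "uploads": {"type": "storage_bucket", "public_access": True},
        "bastion_sg": {"type": "security_group",
                       "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    }
}

def check_cloud_template(template):
    """Detect insecure configurations in the template before it deploys anything."""
    findings = []
    for name, res in template.get("resources", {}).items():
        if res["type"] == "storage_bucket" and res.get("public_access"):
            findings.append(Finding("iac", "high", f"{name}: bucket allows public access"))
        if res["type"] == "security_group":
            for rule in res.get("ingress", []):
                if rule.get("cidr") == "0.0.0.0/0" and rule.get("port") in (22, 3389):
                    findings.append(Finding("iac", "critical",
                                            f"{name}: admin port {rule['port']} open to the internet"))
    return findings

def gate(findings, block_at="high"):
    """Policy gate: block the merge on any finding at or above block_at, warn on the rest."""
    threshold = SEVERITY_RANK[block_at]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    warnings = [f for f in findings if SEVERITY_RANK[f.severity] < threshold]
    return {"allowed": not blocking, "blocking": blocking, "warnings": warnings}

def run_pipeline_gate(block_at="high"):
    """Combine all stages into one decision, the way a merge gatekeeper would."""
    findings = SAST_FINDINGS + SCA_FINDINGS + check_cloud_template(TEMPLATE)
    return gate(findings, block_at)
```

With the sample input, `run_pipeline_gate()` blocks the merge on three findings (the vulnerable dependency, the public bucket and the exposed admin port) and reports the hard-coded credential as a warning; raising `block_at` to `"critical"` leaves only the open port as a blocker.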
Dan Kempton is the Sr. IT Advisor at North Carolina Department of Information Technology. An accomplished IT executive with over 35 years of experience, Dan has worked nearly equally in the private sector, including startups and mid-to-large scale companies, and the public sector. His Bachelor’s and Master’s degrees in Computer Science fuel his curiosity about adopting and incorporating technology to reach business goals. His experience spans various technical areas including system architecture and applications. He has served on multiple technology advisory boards, ANSI committees, and he is currently an Adjunct Professor at the Industrial & Systems Engineering school at NC State University. He reports directly to the CIO for North Carolina, providing technical insight and guidance on how emerging technologies could address the state’s challenges.