A tension between developers and security teams is often talked about, and getting the two sides to work together might sound fanciful. But "shifting left", moving security from the end of the software development lifecycle to an earlier point in the process, can make a real difference. By employing security tools as part of the development pipeline, developers can escape the nightmare of trying to sort out security flaws at the end of a development process, when they are most disruptive to fix. This not only frees up developers' time but drives efficiency across the entire organization.
About the author
Ashley Ward is Technical Director, Office of the CTO at Palo Alto Networks.
The potential for improved security awareness and processes in DevOps is clear when you consider how basic but serious flaws in cloud security continue to be a problem. For example, the most recent Cloud Threat Report from our threat intelligence team, Unit 42, revealed poor cybersecurity in cloud-based software and infrastructure: 74% of the cloud environments they examined were running Google Cloud workloads with admin-level privileges, far more access than those workloads need.
“DevSecOps” is the term that sums up the cultural change that needs to happen to end these and other shortcomings. With DevSecOps, teams creating applications shouldn’t just be aware of how code is developed and deployed in the cloud and elsewhere but also how it is secured in operations. DevSecOps means embedding security into everything so that all touch points across the software development lifecycle contain a security element and are accounted for.
The goal of DevSecOps is to make both DevOps and security processes much more efficient and allow for spotting possible problems much earlier.
Opening the lines of communication
So with this in mind, what are the critical elements for success? An obvious one is breaking down the barriers between development and security teams in a positive way, allowing for more collaboration and communication. There are several approaches, such as embedding a security person in a development team or training developers on security best practices. Whatever approach is chosen, a critical step is overcoming communication barriers. A common misconception among developers is that security is only about saying no, to any request, in the name of reducing risk. On the security side, there is a mirror-image misconception that developers only care about delivering code and that security means little to them. Neither viewpoint is fundamentally true.
Like everyone else, security people want to see the company succeed, and see cool stuff happen. Developers also care about more than just delivery of code; plus they know that if something bad happens, there are significant implications that they want to avoid.
While open lines of communication and mutual understanding are key, it is equally important that DevSecOps teams have a toolset that is similarly integrated and capable of tracking and addressing the changes happening in your organization. Whether we are talking about changes in cloud providers, the deployment stack, or something else, there is a clear need for a platform that will work where you are, in the cloud or on-premises.
Research from our Cloud Threat Report also found that 30% of all organizations host sensitive data in the cloud without proper security controls in place. The pandemic and the immediate, large-scale shift to remote work over the past year have only amplified the need for cloud security, as employees across the board continue to work from home and connect to the cloud from everywhere. Without fully realizing it, and in most cases due to a simple lack of effective access-control restrictions, these organizations place personally identifiable information and other critical assets at risk. These risks could be contained by cloud security automation tools that audit for oversights such as improperly configured access controls, and the earlier such an audit runs (ideally against the deployment definition before anything is provisioned), the cheaper the fix.
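The two findings above (workloads running with admin privileges, and sensitive data exposed through weak access controls) are both things a shift-left gate can catch before deployment. The following is an added example, not code from the article or from Palo Alto Networks, of a minimal policy-as-code check run in CI over a project's IAM bindings and bucket policies. The role names and principals (`roles/owner`, `roles/editor`, `allUsers`, `allAuthenticatedUsers`, the default compute service account pattern) follow Google Cloud conventions; the project and bucket data, the `sensitive` label and the severity scheme are constructed for the example.

```python
"""Shift-left IAM/storage audit (added example; sample data is constructed).

Runs as a CI gate: exit 1 if any HIGH finding exists. Two checks:
  1. a workload identity (service account) holding a broad admin role
  2. a public principal on any resource, and sensitive buckets relying on
     legacy object ACLs (uniform bucket-level access disabled)
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Basic roles that give a workload admin-level power over a project.
ADMIN_ROLES = {"roles/owner", "roles/editor"}
# Principals that make a resource reachable by anyone / any Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "HIGH" blocks the pipeline, "MEDIUM" is reported only
    resource: str
    detail: str


def audit_bindings(resource: str, bindings: list[dict]) -> list[Finding]:
    """Flag public grants and admin roles held by service accounts or humans."""
    findings: list[Finding] = []
    for binding in bindings:
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(Finding("HIGH", resource,
                                        f"{role} granted to {member} (public access)"))
            elif role in ADMIN_ROLES and member.startswith("serviceAccount:"):
                findings.append(Finding("HIGH", resource,
                                        f"workload identity {member} holds {role}"))
            elif role in ADMIN_ROLES:
                findings.append(Finding("MEDIUM", resource,
                                        f"principal {member} holds {role}"))
    return findings


def audit_bucket(bucket: dict) -> list[Finding]:
    """Bucket-level checks; 'sensitive' is a constructed data-classification flag."""
    name = f"bucket/{bucket['name']}"
    findings = audit_bindings(name, bucket.get("bindings", []))
    if bucket.get("sensitive") and not bucket.get("uniform_bucket_level_access", False):
        findings.append(Finding("MEDIUM", name,
                                "sensitive data with legacy object ACLs enabled"))
    return findings


def gate(project: dict) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); passed is False when any HIGH finding exists."""
    findings = audit_bindings(f"project/{project['id']}", project.get("bindings", []))
    for bucket in project.get("buckets", []):
        findings.extend(audit_bucket(bucket))
    return (not any(f.severity == "HIGH" for f in findings), findings)


# Constructed sample: default compute SA with roles/editor, one public sensitive bucket.
SAMPLE_PROJECT = {
    "id": "example-proj",
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ],
    "buckets": [
        {"name": "customer-exports", "sensitive": True,
         "uniform_bucket_level_access": False,
         "bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
        {"name": "build-logs", "sensitive": False,
         "uniform_bucket_level_access": True,
         "bindings": [{"role": "roles/storage.objectViewer",
                       "members": ["group:devs@example.com"]}]},
    ],
}

if __name__ == "__main__":
    passed, found = gate(SAMPLE_PROJECT)
    for f in found:
        print(f"[{f.severity}] {f.resource}: {f.detail}")
    sys.exit(0 if passed else 1)
```

On the sample project the gate fails with two HIGH findings (the editor role on the default compute service account, and `allUsers` on the sensitive bucket) plus one MEDIUM finding for the bucket still using legacy ACLs. In a real pipeline the input would be the rendered IAM policy from the infrastructure-as-code plan, so the same check runs on every pull request rather than once in production.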
It helps, then, that cloud-native development approaches unlock new ways of delivering security. When looking to build or expand a team, hiring security engineers who understand cloud-native development, and who can therefore help programmers build secure applications, is an important piece of the puzzle. Employees who are well-versed in cloud-native development can open up lines of communication and build the bridge between developers and the security team.
On the technology side, there are now tools that scan for security issues from the developer's code editor right through to automatically scanning and protecting production environments. On top of this, user and entity behavior analytics (UEBA), built on a foundation of good security awareness and visibility, can further help to minimize risk.
While tools are an essential element of enabling DevSecOps, other challenges remain. These include the "unknown unknowns" that organizations encounter as they speed up their digital transformation. For example, organizations across the board rushed to scale up their cloud environments in response to the pandemic last year. However, many that rushed to do so did not scale up their security and governance processes at the same time and rate. This has resulted in an explosion of cloud security incidents across a variety of regions and industries. It is imperative that organizations take the right steps to plug the vulnerabilities that continue to lurk, to keep as many "unknown unknowns" as possible from cropping up.
Reframing the mindset for successful collaboration
Perhaps the greatest difficulty organizations encounter when trying to bake security into development is that too often everyone wants the easy answer: "good enough security". That is never a great idea. Challenging it requires some heavy lifting in how an organization's security mindset is set, making it clear that there is going to be work on everybody's part. There is no easy middle way on this.
Shifting left and cultivating DevSecOps will take time. There is a dual job: investing in tools that enable developers and security teams to work together, and making a real effort to erase communication barriers, develop the right culture, and establish processes that let developers and security professionals work toward a common purpose. It is important to remember that a secure cloud is not possible unless organizations shift left and fully embrace DevSecOps.