Playing Offense in the Name of Application Security
August 11, 2020

Christian van den Branden
ZeroNorth

Digital transformation isn't just changing how businesses compete in the marketplace. It is changing how companies operate, especially with regards to security. Traditional models are being pushed aside to make way for more expansive thinking — and that includes a cultural shift within the classic DevOps model.

As one of the core enablers of digital transformation, DevOps integrates digital technology into all aspects of business process, culture and customer experience. It is a philosophical approach to software delivery that empowers collaborative development, team autonomy while speeding time to market. DevOps encourages innovation, promotes a competitive edge and reduces cost without sacrificing velocity or quality. It is a set of practices that can help you optimize an organization's method for developing software through each step of its lifecycle. This sounds great, but it is not always easy to achieve.

Making the Right Moves

To ensure that security is successfully integrated into the DevOps model — and risk is properly addressed — you will need to do more than just embrace the concept of DevOps. You will need to assume an offensive position. And no, this isn't just another sports analogy. Thinking proactively is key to empowering business teams and improving application development. Because when you assume an offensive stance in software development and vulnerability management, you immediately gain more control over the triad of security, risk and compliance.

The time is now to play offense in security. Part of this challenge is uncovering what this really means and how it can be achieved. Effective management of security, risk and compliance in DevOps, as well as the various teams involved, cannot come at the expense of control, consistency and accountability. While these are not the first words that spring to mind when considering DevOps models, they offer some important guidelines on how to approach security with a clear, offensive strategy.

Control

As DevOps continues to evolve as an alternative to traditional waterfall and a natural extension of agile development, there is a risk that security be left behind. To give yourself more control over security and risk management, it is important to make a proactive shift into DevSecOps. This security-enhanced mindset supports the notion of integrated security from the start, a continuous cycle much like an infinity loop, with each phase flowing into the next. Without a closed-loop process, risk managers have no way to validate remediation. Proactively incorporating security earlier in the process creates shorter feedback loops and eases complexity, enabling engineers to find and fix issues more readily.

But we all know, building perfectly secure applications isn't possible. That is why leaders must balance the need for speed and security by embracing the iterative nature of Agile, where progress can be made incrementally over time. Although this may not feel like control, this type of collaborative workflow preserves the teamwork, agility and speed of DevOps while allowing security to integrate at multiple points in the software development lifecycle (SDLC). And the earlier security is introduced into the SDLC, with scanning tools in place at every phase, the more control you have over your application security and vulnerability management program. Without an offensive plan, security will only get harder.

To achieve this without hampering the velocity of teams, it important for your toolchain to give you the ability to centrally define and manage security policies, but enable teams to apply them programmatically within their pipeline.

Consistency

Developers often rely on basic security tools to build applications, but there are no consistent DevOps processes for security testing, and point security tools often fall short of expectations. This means applications may well be deployed into production with critical vulnerabilities — at which point, they are much harder to find and even more expensive to fix. To achieve consistent testing, there is a need to incorporate multiple application security tools and orchestrate their execution within the development process. This will help companies build and deliver applications that are more secure from the outset and support them in effectively meeting business, customer and governance demands.

Consistency in DevOps is also about driving quality standards. To push out top-notch software, as quickly and affordably as possible, you need comprehensive, continuous and accurate visibility into where risk lies — and how it might impact the business. This comes from testing, early and often. Automating your testing to run continuously in deployment, instead of performing manual operations, allows teams to utilize static and dynamic analysis (SAST and DAST), as well as software composition analysis (SCA) for control over open source components, to gain better visibility. Orchestrating these testing processes within a continuous integration and delivery (CI/CD) pipeline is the way to consistently enforce an application security program without impacting the autonomy or velocity of the teams.

Accountability

DevOps isn't all about playing nicely with others. It demands real accountability, especially when things go wrong. Who is ultimately responsible for security in such a model? And how does this accountability question affect the delivery of reliable software? In keeping with the DevOps mentality, both delivery teams and security practitioners play a role in keeping software secure. But when everyone is accountable, sometimes no one is accountable — especially as the size of a company grows.

Without the right tools and processes in place to support the DevOps journey, chaos ensues. This is where proactive, offensive action comes in. Teams cannot gain the visibility they need without the proper tooling and an efficient process in place to know who is responsible for addressing security issues. This is why organizations must begin to focus on adopting tools that optimize visibility into their applications. As more businesses transition into a DevOps mindset, the need for well-defined roles and processes will become increasingly valuable.

This level of accountability happens in the build functions themselves. By creating a loop of constant feedback, where software can be built, analyzed and tested by cross-functional teams — and with automation speeding up the entire delivery process — people can begin to rely on systems for better security. This level of tight integration among development, operations and product security is key to reaching your business goals because it ensures the delivery of a secure product. But many organizations say breaking down walls and building bridges of shared accountability in DevOps is a struggle, both to understand and to implement. The key is to operationalize this within the toolchain itself, leverage ChatOps for alerting, and use reporting capabilities for inspection and review.

Takeaway

All organizations are under pressure to deliver value faster. DevOps is transformational and allows organizations to achieve this goal. In the same vein as quality, application security is not optional. Compromising on security exposes a company to risk, of intellectual property, customer data and/or brand integrity.

The key to ensuring application security happens, without scaling back the velocity of the organization, is to be proactive and offensive. To do so, you will want to apply the mindset of DevOps to your application security program. By investing in the proper tooling, you gain the ability to centrally define security policies but enable teams across the organization to apply them programmatically through automation and orchestration, right within their delivery pipelines.

Using ChatOps for alerting and reporting capabilities to assess the overall risk posture allows organizations to meet their security requirements without impacting the velocity of their teams. It allows them to accelerate software delivery by speeding up the discovery and remediation of security vulnerabilities while offering customer value — quickly and securely.

Christian van den Branden is SVP Engineering at ZeroNorth
Share this

Industry News

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.

November 18, 2024

Elastic announced its AI ecosystem to help enterprise developers accelerate building and deploying their Retrieval Augmented Generation (RAG) applications.

Read the full news on APMdigest

November 18, 2024

Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes, as well as the technology preview of Red Hat OpenShift Lightspeed.

November 18, 2024

Traefik Labs announced API Sandbox as a Service to streamline and accelerate mock API development, and Traefik Proxy v3.2.