DevSecOps – The Case for a Security Culture.


Security is a topic that has, in many cases, for one reason or another, become an afterthought. Maybe it’s down to the stuffy image security has, or perhaps it’s because security is an additional source of costs that could be seen as unnecessary when profit maximization contributes to an organization’s success. Either way, security is not a hot topic.

The Importance of (Cyber)Security

In the early days of the internet, and everything that came with it, security was not at the forefront of priorities. You could blame naivety. After all, in pre-internet times, security was a tangible thing. The lock on a safe, the identity check when entering a building, or the signature on a cheque were all considered secure ways to ensure only authorized people had access to sensitive information.

However, as soon as technology became integrated into everyday life, it became clear that security was certainly not just physical and, quite often, lacking. There are many examples of this; one of the most sensitive is that Barbie dolls could eavesdrop on children:

Cybersecurity researchers uncovered a number of major security flaws in systems behind Hello Barbie, an Internet-connected doll that listens to children and uses artificial intelligence to respond. (Hello Hackable Barbie)

Another example is how two white hat hackers managed to illustrate how a Jeep Cherokee could be hacked remotely:

Actions the pair were able to perform range from trivial pranks, such as turning on the A/C, to being able to steer the car and turn the engine off. The vulnerability comes from the Jeep’s use of a dashboard system called Uconnect, which provides an access point to rewrite the firmware on the chip. With the ability to re-write the firmware, the chip can then access the rest of the car controls via the CAN bus. (5 Leading IoT Security Breaches and What We Can Learn From Them)

Every organization that produces products that rely on software to be connected (or IoT compatible) should take note. To be successful, you must offer your customers peace of mind that the IoT fridge doesn’t listen to your conversations and that your home hub isn’t hackable. However, in many cases, organizations focused on creating such products haven’t integrated security into their working processes.

Security and DevOps

With the rise of DevOps and the focus on software delivery quality and speed, security often does not receive the attention it deserves. Speed and quality are the main benefits of the DevOps approach; however, this approach is nothing if the customer cannot feel secure in the product or service they spend their hard-earned money on:

On September 6, 2018, airline giant British Airways disclosed that the company had suffered a data breach that affected the personal and financial data of approximately 382,000 customers. A similar breach was reported by Ticketmaster in June of 2018, and this month marks the one-year anniversary of the Equifax data breach, wherein half of the US population was impacted. A common denominator of all these data breaches is the speed at which code was published. (Learning from Data Breaches: Integrating Security in DevOps)

Time to market is a part of the problem. In today’s fast-moving world, speed is everything. Beating a competitor to market can mean the difference between being successful and being forgotten. DevOps may have enabled companies to more quickly meet the needs of their existing (and potential) customer base. Still, without security, these companies will lose the necessary trust in a world where customer data and privacy are more important than ever before.

This is why, if an organization aims to be successful in the long term, they need to incorporate security from the get-go. We can no longer be naïve about security. Security can no longer be an afterthought. A lock on a safe is not enough in a digital world where locks can be hacked from a distance.

The DevSecOps Sandwich

The term DevSecOps first appeared around 2014. The idea behind it is that security should be incorporated into the software (or product) development cycle:

DevSecOps is the evolution of the DevOps philosophy. It is a concept that injects security into the software development lifecycle. If DevOps is about increasing the level of communication between development and operations, then DevSecOps is about inviting security into the conversation. (What is DevSecOps?)

The question is, is it an evolution? Or is it simply something which, given the digital present and future, can no longer be seen as something separate or ‘other’ to software or product development? Security is essential to the trust of the end consumer. No one will buy a product or service if there is doubt about how secure it is. The authors of the 2019 State of DevOps report put it quite succinctly:

While we appreciate the emphasis on Security that the term DevSecOps brings, we’re sticking to just DevOps. We believe security is an integral part of both the Dev and Ops domains. But if using the term DevSecOps helps drive heightened awareness for the importance of building security into all aspects of software delivery, we’re all for it. (2019 State of DevOps Report)

The need for ‘heightened awareness’ is clear. DevOps can no longer move forward without accepting that security is part of the overall picture. After all, the end consumer has been the victim of this lack of awareness in several cases. As we enter the second decade of the twenty-first century, ignorance is no longer an excuse.

Why is Security not Second Nature?

DevOps is booming: ‘the latest IDC study shows, the DevOps software market is estimated to reach $6.6 billion in 2022.’ (DevOps’ missing ingredient: Fast, secure data). DevOps will definitely carry on growing in popularity because of the demand for software, IoT products, apps, and more. If security isn’t taken seriously, DevOps teams are playing with fire. As previously stated, there have been several high-profile security issues resulting from the drive for DevOps teams to launch products quickly. Although quality is also a focus of DevOps, speed to market seems to be causing problems when it comes to DevOps and security:

That missing piece is fast, secure access to high-quality data. Provisioning data for dev and test environments can still take days or even weeks, causing serious delays in the development process and a bottleneck that prevents a holistic DevOps practice. (DevOps’ missing ingredient: Fast, secure data)

Speed to market is essential, but sacrificing security to beat a competitor is a significant risk. If your product ends up having security issues, it can do a lot of damage to your company’s reputation and lead to lost profits as people spend their money elsewhere.

Security Mindset vs DevSecOps

This is where DevSecOps comes in. The difference between DevOps and DevSecOps is that the latter focuses on the idea that everyone carries responsibility for security. DevSecOps describes a DevOps approach where the security of the infrastructure and the application is thought about from the start.

To be clear, DevSecOps is an evolution of DevOps culture and thinking. Rather than disrupting your current cyber agenda, it actually embeds many of the security processes, capabilities, and intelligence learned over the years into your underlying platforms and toolchains. Building on your experience of developing and operating applications, DevSecOps enables you to automate good cybersecurity practices into the toolchain so they are utilized consistently. (DevSecOps and the Cyber Imperative)

DevSecOps means that security is built in from the very first steps rather than a finished product being tested for security before it is released. This makes it easier to ensure that a product or service is completely secure from the ground up and less likely that any significant security flaws will delay go-to-market.

The focus on security makes DevSecOps a wise choice for both the short term and the long term. The DevSecOps team can focus on security as part of the usual development process, which reduces the workload for the team who would typically be responsible for pre-release security checks. It also means that security for the service or product is less likely to fail, creating a high level of customer trust, which can significantly impact brand loyalty. However, the biggest challenge is creating a culture where security is part of the organization’s mindset from the very beginning.

Creating a Security Culture in DevOps

Cultural change in organizations of any size is not easy. This kind of change in mindset is something that takes time and consistent effort. There are many ways an organization can approach such a change in mindset, but the most important thing is that the mandate comes from above and that there is enough buy-in at the highest level. Without this, such initiatives often don’t receive the attention or budget they need to succeed. GitLab sums up the steps on the way to a security culture in their article DevSecOps basics: How to build a security culture in 6 steps:

Step 1: Culture change starts at the top

Step 2: Awareness, education, and mutual understanding

Step 3: Appoint security champions in dev

Step 4: Encourage cross-functional collaboration

Step 5: Give developers the tools they need

Step 6: Automate when appropriate

If it follows the steps above, an organization can successfully transform its DevOps team into a DevSecOps team and reap the benefits of incorporating security into its development process.

DevSecOps or Security as Standard?

The fact that DevSecOps appeared less than ten years ago is interesting. Given that security is essential in today’s interconnected world of the internet and IoT products, it is odd to think that it has only relatively recently been integrated into existing processes. The chances are that in the future it will be, and this is just a step in that direction. After all, the internet age is still relatively young. With the Fourth Industrial Revolution on the way, future generations will likely look back on the time when security was seen as separate from the development process as a time of enthusiastic naivety. Either way, it is great that security is getting the attention it deserves.