How DevOps Can Remain Agile While Strengthening Security

If you still think of DevOps as the preview of speed-obsessed cloud-native companies, think again. 84% of organizations have adopted some DevOps principles, according to a Fortinet study, and 30% are applying DevOps principles enterprisewide. What are those principles, how do they introduce security risks while enabling agile development, and what can companies do to mitigate those risks? Those were among the topics of a recent Fortinet webinar “Protecting DevOps Without Impeding Speed and Time to Market.”

Agility and Speed vs. Security in DevOps

When it comes to DevOps, agility and speed are ultimate measuring sticks: Organizations are embracing DevOps in growing numbers because it gives the agility to address new market opportunities quickly and easily. Here, the rapid development and operational processes of DevOps rely on using an automated approach for creating and managing code, leveraging the modularity of open-source software, and continuous integration. And that rapid development and deployment has become one of the business imperatives for companies competing in the digital landscape.

Therein lies the rub: Traditional approaches to security often are incompatible with the agility and speed DevOps requires, and open-source software can introduce security risks based on undiscovered dependencies and cloud misconfigurations that leave yawning gaps in a company’s security fabric. The reality is that security is unable to keep pace with the speed of digital innovation: 80% of organizations say they are introducing digital innovations faster than their ability to secure them.

What causes the disconnect? When asked to identify their most important DevOps metrics, those attending the webinar listed deployment speed and collaboration development and operations (see Figure 2). This aligns with findings from a survey of DevOps leaders earlier this year (see Figure 3) that found driving development efficiencies at the top of the list (51% reporting). The biggest concern was in what fell to dead last: identifying security vulnerabilities (only 19%).

Competing Priorities in DevOps

“I just think it comes down to the competitive climate,” says ESG Senior Analyst and Group Director Doug Cahill, who joined Fortinet panelists Lior Cohen and Renee Tarun and moderator Patrick Spencer, Ph.D., for the webinar. “You know if your business isn’t leveraging DevOps to iterate, to leverage that collaboration between your development team and your operations team, to learn from what your customers want and get the right software products and services to market as soon as possible, then your competitors will. And unfortunately, I think that’s why we’re seeing security at the bottom of the list.”

Tarun, who is Fortinet’s vice president of information security, agrees. “Some believe that there’s no room for security in DevOps because they think security will slow things down,” she says. “Often, it comes down to competing priorities—development wants to get the product out the door as quickly possible, while security wants to focus on ensuring that the product is secure. You need to do both.” Ultimately, she adds, “DevOps is about reducing the time to market while maintaining that quality, reliability, and security. It’s something all businesses desire and need.” But to make that happen, security needs to be a shared responsibility. “You’ve got to have that partnership and collaboration between security and the DevOps team,” she says, “because the quicker you can get ahead of the security issues, the better it is in the long run for the DevOps team and for the security and integrity of your product.”

Yet, while 64% of the C-suite believe their security team is integrated into DevOps, only 39% of security professionals agree, and a daunting 41% of organizations believe clear ownership of and responsibility for software security remains “a big challenge.” In addition, cybersecurity teams often retrofit DevOps security tools onto an existing security architecture that may already have elements that are not integrated, further exacerbating an already fragmented security architecture.

Adding to the challenge is that application development and IT in general are becoming increasingly decentralized, says Cahill. “Thanks to the self-service nature of infrastructure as a service and platform as a service that can expedite the ability for lines of business (LOBs) to develop their own applications,” he explains, “CIOs and CISOs frankly lack visibility into what is actually going on in LOBs, and they’re just assuming that their security teams are involved.”

In fact, when asked whether their organization’s security practices were well-defined and established clear lines of responsibility, 14% of webinar respondents said “yes,” while more than half said “somewhat” and more than one-third said “no” (see Figure 4). And when asked what their biggest security challenge was when it came to DevOps, more than half said lack of security integration “at every stage of continuous integration (CI) and continuous delivery (CD)” and nearly half said DevOps and security teams had different goals and objectives (see Figure 5). Notably, those issues outranked two of the most common security issues associated with DevOps: cloud misconfigurations and issues with reviewing and managing open-source code.

Understanding DevSecOps

All of these issues have led to yet another label: DevSecOps—a moniker that speaks to the importance of shared responsibility where security is concerned.

It is increasingly clear that the imperative for agility and speed in DevOps must be balanced with an equal imperative to integrate security into every step of both development and operational processes. For example, data breaches due to cloud misconfiguration were up 424% last year, and 82% of organizations experienced security and compliance events due to those misconfigurations. At the same time, with 80% to 90% of application code as open source, the likelihood of DevOps compromises continues to ratchet upward. DevSecOps must be top of mind across all stages of application development and operations.

“We’re seeing in our research that DevSecOps allows an organization to improve its security posture at every phase of their CI/CD methodology,” says Cahill, “in terms of doing composition analysis, identifying open-source components during build time, understanding and identifying vulnerabilities that were inadvertently introduced by your software developers, and known vulnerabilities up and down the stack.”

Top reasons for implementing DevSecOps in an organization, according to ESG research, include (Figure 6):

• Improving security posture by ensuring cybersecurity controls and processes are tightly integrated at every stage of the CI/CD tool chain
• Meeting and maintaining compliance standards and regulations
• Fostering collaboration between development, infrastructure management, application owners, and cybersecurity stakeholders

Ignore DevSecOps at Your Own Risk

With the above in mind, what are the risks when an organization fails to create a collaborative culture in DevOps between agility and speed and security?

• Code proliferation—the wrong kind. “If you look at the cloud landscape or the container landscape or the hybrid cloud landscape or the public cloud providers offering new services and hardware even for private data centers, the speed at which new features and functionality are introduced is amazing,” says Cohen, senior director for product marketing at Fortinet. “You’ve got new services, new configuration options, new types of objects, and new service tiers—and everything is being configured by humans at the end of the day.” In that environment, he warns, the ability to maintain code that is consistent across multiple services, and that keeps up with best practices related to each one of these new services, becomes very challenging. “One mistake in configuring a service that you may be using 100 times means you have really had 100 misconfigurations,” he says. “So, the whole method of ‘build once and use many times’ on one hand helps automate the resolution of issues but on the other hand also accelerates the exposure due to misconfiguration.”
• Compliance failures. With 82% of organizations experiencing security and compliance events due to cloud misconfigurations alone, compliance with security standards and industry regulations is clearly an issue. Especially in heavily regulated industries such as healthcare and financial services, a DevSecOps culture, in which security is part and parcel of setting up and automating compliance practices, can balance—and even support—the drive for speedy deployments. While slightly more than half of DevOps leaders indicate they track and report compliance issues, only 28% of companies surveyed actually have DevOps security features in place for managing and monitoring security compliance. The upside is that an integrated DevSecOps culture could move that number upward.
  
  But among companies surveyed by ESG, only 19% said they plan to incorporate some level of security into their DevOps process and 18% said they have not yet discussed how security related to industry regulations fits into their DevOps processes (see Figure 7).

• Lack of integration with the SOC. 68% of DevOps leaders indicate their CEOs demand that DevOps and security teams never slow down a business process—and that pressure for speed was likely a factor in high-profile data breaches. DevSecOps integration with the security operations center (SOC) is critical to success here. Yet, while the SOC is gaining more visibility into DevOps activities, only 14% of organizations have enabled full visibility of the DevOps environment from their SOCs.

“You can see from the numbers there’s a long way to go here,” says Spencer, Fortinet senior director of content marketing and research. “There’s a lot of DevOps security activity that is not integrated in an SOC, but it needs to be. Without that level of visibility, DevOps leaders and security operations centers are flying blind when it comes to policy controls and management.”

DevOps Security Soon the Responsibility of the CISO

With nearly three-quarters of DevOps leaders admitting that their application development and operations lack basic DevSecOps practices, it is not surprising that 70% of organizations plan to move DevSecOps under the CISO within the next year. Aligning security responsibilities under a CISO, for whom DevSecOps and risk tolerance and tracking are consistently among the top three priorities, is likely to up-level the role security plays in DevOps success metrics.

It also should help bridge some of the most egregious gaps commonly found in DevOps security practices currently in place, most of which fall in the misconfigurations and compliance monitoring and management areas (see Figure 8).

“CISOs must balance priorities to get things out quickly but also securely,” Tarun says. It comes down to finding and addressing the security issues earlier in the process rather than trying to fix things after the fact. “In many cases, development teams don't necessarily have that security expertise,” Tarun continues, “so that’s where the CISO can provide the insight on what may be missing from a security and compliance perspective.”

Part of that insight should be the ability to set security priorities for DevOps, adds Cahill. “When we think about large organizations with multiple Scrum teams leveraging DevOps to get different types of applications to production as quickly as possible, frankly not all those applications and the data that gets stored with those applications are equal with respect to their importance to the business and the impact should there be a breach,” he says. In this case, the CISO should be able to help DevOps teams determine which projects present the most risk to the business in terms of cybersecurity incidents or data breaches, giving them a clear weighting in terms of where to focus their security efforts.

Security Best Practices Based on DevOps Security Leaders

Unfortunately, the vast majority of enterprises still discover vulnerabilities in DevOps projects after they go into production: only 8% of DevOps leaders indicate they had no security issues slip into production in the past 12 months. On the flip side, also over the same time frame, 13% report that 10 or more vulnerabilities snuck into production before they were discovered.

For DevOps leaders who experienced no security issues, the aforementioned report identified the following:

• 24x more likely to always automate security policy configurations
• 3x more likely to do security audit tracking
• 2x more likely to do dependencies analysis
• 96% more likely to automate dependencies tracking and analysis
• 63% more likely to track and report on security compromises
• 63% more likely to scan public cloud instances for misconfigurations
• 45% more likely to track and report on compliance with security standards

In addition to the above, other best practices mentioned by the webinar panelists include:

• Integration of DevOps and the SOC
• Deep visibility into web applications, containers, and APIs, and the ability to centrally manage policies across each of them
• Integrated threat intelligence and automation of associated workflows
• Protection of web applications as well as APIs

Yet, when these best practices are compared to the status quo at most companies, 5% of webinar attendees said they had a fully integrated, cohesive architecture and security processes. Moreover, one-third indicate they have not started integration and/or have fragmented, disparate security toolsets and processes (see Figure 9).

DevSecOps: A Philosophical Transformation

Read the 2019 State of DevOps Security: A Report on Current Trends and Priorities.