If you still think of DevOps as the preview of speed-obsessed cloud-native companies, think again. 84% of organizations have adopted some DevOps principles, according to a Fortinet study, and 30% are applying DevOps principles enterprisewide. What are those principles, how do they introduce security risks while enabling agile development, and what can companies do to mitigate those risks? Those were among the topics of a recent Fortinet webinar “Protecting DevOps Without Impeding Speed and Time to Market.”
Watch the webinar “Protecting DevOps Without Impeding Speed and Time to Market.”
When it comes to DevOps, agility and speed are ultimate measuring sticks: Organizations are embracing DevOps in growing numbers because it gives the agility to address new market opportunities quickly and easily. Here, the rapid development and operational processes of DevOps rely on using an automated approach for creating and managing code, leveraging the modularity of open-source software, and continuous integration. And that rapid development and deployment has become one of the business imperatives for companies competing in the digital landscape.
Therein lies the rub: Traditional approaches to security often are incompatible with the agility and speed DevOps requires, and open-source software can introduce security risks based on undiscovered dependencies and cloud misconfigurations that leave yawning gaps in a company’s security fabric. The reality is that security is unable to keep pace with the speed of digital innovation: 80% of organizations say they are introducing digital innovations faster than their ability to secure them.
Figure 1: The typical DevOps cycle comprises plan, create, verify, package, release, configure, and monitor steps in a continuous loop. Security should be built into every element of this cycle.
What causes the disconnect? When asked to identify their most important DevOps metrics, those attending the webinar listed deployment speed and collaboration development and operations (see Figure 2). This aligns with findings from a survey of DevOps leaders earlier this year (see Figure 3) that found driving development efficiencies at the top of the list (51% reporting). The biggest concern was in what fell to dead last: identifying security vulnerabilities (only 19%).
Figure 3: DevOps leaders surveyed for Fortinet’s “2019 State of DevOps Security Report” reported “security vulnerabilities found” ranked dead last as a success metric.
“I just think it comes down to the competitive climate,” says ESG Senior Analyst and Group Director Doug Cahill, who joined Fortinet panelists Lior Cohen and Renee Tarun and moderator Patrick Spencer, Ph.D., for the webinar. “You know if your business isn’t leveraging DevOps to iterate, to leverage that collaboration between your development team and your operations team, to learn from what your customers want and get the right software products and services to market as soon as possible, then your competitors will. And unfortunately, I think that’s why we’re seeing security at the bottom of the list.”
Tarun, who is Fortinet’s vice president of information security, agrees. “Some believe that there’s no room for security in DevOps because they think security will slow things down,” she says. “Often, it comes down to competing priorities—development wants to get the product out the door as quickly possible, while security wants to focus on ensuring that the product is secure. You need to do both.” Ultimately, she adds, “DevOps is about reducing the time to market while maintaining that quality, reliability, and security. It’s something all businesses desire and need.” But to make that happen, security needs to be a shared responsibility. “You’ve got to have that partnership and collaboration between security and the DevOps team,” she says, “because the quicker you can get ahead of the security issues, the better it is in the long run for the DevOps team and for the security and integrity of your product.”
Yet, while 64% of the C-suite believe their security team is integrated into DevOps, only 39% of security professionals agree, and a daunting 41% of organizations believe clear ownership of and responsibility for software security remains “a big challenge.” In addition, cybersecurity teams often retrofit DevOps security tools onto an existing security architecture that may already have elements that are not integrated, further exacerbating an already fragmented security architecture.
Adding to the challenge is that application development and IT in general are becoming increasingly decentralized, says Cahill. “Thanks to the self-service nature of infrastructure as a service and platform as a service that can expedite the ability for lines of business (LOBs) to develop their own applications,” he explains, “CIOs and CISOs frankly lack visibility into what is actually going on in LOBs, and they’re just assuming that their security teams are involved.”
In fact, when asked whether their organization’s security practices were well-defined and established clear lines of responsibility, 14% of webinar respondents said “yes,” while more than half said “somewhat” and more than one-third said “no” (see Figure 4). And when asked what their biggest security challenge was when it came to DevOps, more than half said lack of security integration “at every stage of continuous integration (CI) and continuous delivery (CD)” and nearly half said DevOps and security teams had different goals and objectives (see Figure 5). Notably, those issues outranked two of the most common security issues associated with DevOps: cloud misconfigurations and issues with reviewing and managing open-source code.
Figure 5: When asked to name their biggest DevOps security challenge, survey respondents named cultural challenges (lack of integration with security and differing goals and objectives) over technology challenges (cloud misconfiguration, tools, and open-source code).
All of these issues have led to yet another label: DevSecOps—a moniker that speaks to the importance of shared responsibility where security is concerned.
It is increasingly clear that the imperative for agility and speed in DevOps must be balanced with an equal imperative to integrate security into every step of both development and operational processes. For example, data breaches due to cloud misconfiguration were up 424% last year, and 82% of organizations experienced security and compliance events due to those misconfigurations. At the same time, with 80% to 90% of application code as open source, the likelihood of DevOps compromises continues to ratchet upward. DevSecOps must be top of mind across all stages of application development and operations.
“We’re seeing in our research that DevSecOps allows an organization to improve its security posture at every phase of their CI/CD methodology,” says Cahill, “in terms of doing composition analysis, identifying open-source components during build time, understanding and identifying vulnerabilities that were inadvertently introduced by your software developers, and known vulnerabilities up and down the stack.”
Top reasons for implementing DevSecOps in an organization, according to ESG research, include (Figure 6):
Figure 6: Among reasons for implementing DevSecOps in an organization, improving security posture ranks as No. 1, with collaboration and compliance tied for second place.
With the above in mind, what are the risks when an organization fails to create a collaborative culture in DevOps between agility and speed and security?
Figure 7: While 40% of companies ESG surveyed say they are evaluating security use cases that leverage their DevOps processes, only 15% said automating security was a major factor in adopting DevOps in the first place.
“You can see from the numbers there’s a long way to go here,” says Spencer, Fortinet senior director of content marketing and research. “There’s a lot of DevOps security activity that is not integrated in an SOC, but it needs to be. Without that level of visibility, DevOps leaders and security operations centers are flying blind when it comes to policy controls and management.”
With nearly three-quarters of DevOps leaders admitting that their application development and operations lack basic DevSecOps practices, it is not surprising that 70% of organizations plan to move DevSecOps under the CISO within the next year. Aligning security responsibilities under a CISO, for whom DevSecOps and risk tolerance and tracking are consistently among the top three priorities, is likely to up-level the role security plays in DevOps success metrics.
It also should help bridge some of the most egregious gaps commonly found in DevOps security practices currently in place, most of which fall in the misconfigurations and compliance monitoring and management areas (see Figure 8).
Figure 8: Although DevOps leaders report using automated tools for security analysis and scanning, the critical areas of scanning public cloud instances for misconfigurations and managing and monitoring security compliance fall to the bottom of the list. Moving DevOps functions under a CISO may change that for the better.
“CISOs must balance priorities to get things out quickly but also securely,” Tarun says. It comes down to finding and addressing the security issues earlier in the process rather than trying to fix things after the fact. “In many cases, development teams don't necessarily have that security expertise,” Tarun continues, “so that’s where the CISO can provide the insight on what may be missing from a security and compliance perspective.”
Part of that insight should be the ability to set security priorities for DevOps, adds Cahill. “When we think about large organizations with multiple Scrum teams leveraging DevOps to get different types of applications to production as quickly as possible, frankly not all those applications and the data that gets stored with those applications are equal with respect to their importance to the business and the impact should there be a breach,” he says. In this case, the CISO should be able to help DevOps teams determine which projects present the most risk to the business in terms of cybersecurity incidents or data breaches, giving them a clear weighting in terms of where to focus their security efforts.
Unfortunately, the vast majority of enterprises still discover vulnerabilities in DevOps projects after they go into production: only 8% of DevOps leaders indicate they had no security issues slip into production in the past 12 months. On the flip side, also over the same time frame, 13% report that 10 or more vulnerabilities snuck into production before they were discovered.
For DevOps leaders who experienced no security issues, the aforementioned report identified the following:
In addition to the above, other best practices mentioned by the webinar panelists include:
Yet, when these best practices are compared to the status quo at most companies, 5% of webinar attendees said they had a fully integrated, cohesive architecture and security processes. Moreover, one-third indicate they have not started integration and/or have fragmented, disparate security toolsets and processes (see Figure 9).
Figure 9: 5% of survey respondents describe their DevSecOps approach as having a “fully integrated, cohesive architecture and processes.”
While DevOps offers organizations many business advantages, it also presents serious risks. Misconfigurations and introduction of malicious code into production—or even into development and test environments—can create attack surface exposures that cyber criminals can quickly and easily exploit. The detrimental impact of this ranges from data theft, to operational outages, to brand degradation.
As CISOs assume greater responsibilities for DevOps security, they will be wise to heed the best practices followed by DevOps leaders who are effectively and efficiently protecting application development and operations. DevOps leaders, even those who are no longer directly responsible for DevSecOps, need to do the same.
But it also necessitates a philosophical transformation. “Just like DevOps was a cultural shift, DevSecOps should be a cultural shift as well,” Cahill concludes. “DevOps is part and parcel with almost every businesses journey to the cloud. And being an optimist, I would say there is great opportunity here to actually move the needle and to integrate security as well.”