In today’s modern landscape of rapidly changing priorities, rising expectations from customers, and new market opportunities, IT leaders must discover new ways to streamline the delivery of the applications and systems providing key business value. The pace of change in the market has reached a point where the need for velocity and rapid response is the new imperative. To remain competitive, organizations must reduce cycle time.
In 2014, Marc Andreesen wrote, “Cycle time compression may be the most underestimated force in determining winners and losers in tech.” We, like Andreeson, have observed that organizations face a future where accelerated delivery and reduced cycle times will be a driving force in the global market. The challenge facing IT leaders is how to adopt cultural and technical changes to achieve faster delivery and shorter cycle times to meet business partners and customer expectations.
Why Does Cycle Time Matter?
In an ever-changing technological landscape, the pace at which organizations release features directly impacts success. Reducing the time between thinking of an idea and having the code in production is vital to providing value to customers. If an organization is too slow to innovate, its competitors can rapidly absorb the market by becoming the first organization to meet the needs of customers. However, a reduction in cycle time should not be at the expense of security.
The effort to streamline delivery has placed a greater emphasis on automation and IT leaders are facing challenges that make it difficult to implement DevSecOps. Security teams are struggling to keep up with the quick pace of development, which leaves them unable to review code for security vulnerabilities before developers release software updates. The lack of insightful data about security incidents is a challenge for organizations to prioritize the most pressing needs. Developers are often left frustrated by slow and cumbersome security reviews, which can delay application development and new features from being released. Or, in many cases requires costly changes during a production deployment.
To implement DevSecOps, teams must work together to focus on security throughout the development process. Security should be a part of every conversation and developers need access to actionable information that they can act on quickly. Achieving these goals requires providing deep visibility into activity across various systems.
Visibility is key to enabling organizations to identify risky behaviors such as password reuse, shared accounts, code vulnerabilities, infrastructure vulnerabilities, etc. to have a holistic view of all systems required to operate applications and services. In addition to the visibility, implementing IT and security automation allows IT departments to more efficiently deliver software updates while reducing response time when vulnerabilities and security issues are discovered in code or infrastructure before they are introduced in production. And, by ensuring configuration management is implemented during all phases of the SDLC, both DevSecOps and DevOps teams can be assured knowing their applications are deployed and running securely.
When moving to a DevSecOps environment there is no time for downtime or system issues. Having tools that provide full visibility into the entire process with real-time monitoring capabilities will also help with incident response times. When performing threat modeling, organizations should identify critical assets, paths of attack through the application layers, data flows across processes/networks, and user access.
Here is a list of some important things you should consider when thinking about implementing DevSecOps:
Secure CI/CD Pipelines: Start with identifying which code is running where and the build and release pipelines. The important focus here is to understand how applications are built and deployed. Understanding the process of how the source code of an application is built, tested, and deployed creates a catalog of the tools and processes being used. The catalog is then used to identify gaps, such as when application security testing, code scanning, automated testing, and other actions take place if it does.
Additionally, bottlenecks that are increasing cycle time will be identified. Additionally, understanding the process helps with threat modeling of new changes being pushed through the delivery pipelines. So if something does go wrong changes can be quickly rolled back or a fix can be addressed quickly.
Identity and Secrets Management: IT security professionals have been managing access for years and it’s important not to let that knowledge go down in vain. Organizations should implement standards based on industry specifications (e.g., OAuth, SAML) on how credentials work across all applications and infrastructure. Defining and enforcing the standards helps organizations move toward effective DevSecOps strategies while maintaining compliance with industry regulations like GDPR, PII, HIPAA, etc. A comprehensive strategy to manage access and other critical information (e.g., ports, machine usernames, and passwords, etc.) applications along with data and infrastructure are more secure, and breaches are mitigated. This is especially important when looking to reduce cycle time by providing more secure development environments without compromising speed or agility during the delivery lifecycle.
Container Orchestration and Security: As container and container orchestration (think Kubernetes) adoption continues to grow, adopting DevSecOps security practices is critical to ensure developers aren't creating security risks unbeknownst to them. When containers first started gaining traction, a big misconception was that if an application wasn’t installed in a container it didn’t need any security controls.
We can see from breaches such as Equifax and Uber where attackers were able to take advantage of the "container security blanket". When scanning is done during the build and release cycle and the tools are in place to scan running containers, the breaches can be avoided.
Cloud Security: As organizations move to the cloud, security practices must follow. DevSecOps teams must be equipped with the necessary tools and processes to ensure applications are secure everywhere they run - on-premises or in the cloud. Security should never be an afterthought when moving workloads to the cloud; rather, it should be front and center during the planning and implementation of migrating to the cloud.
Companies that are migrating or planning on migrating have a unique opportunity to evaluate how to implement security, both for access to applications, but also access to infrastructure. A common question we ask is "why does anyone need access to the infrastructure? If the provisioning and automation are done using a platform, then everything is tracked and no one has physical access."
Server Hardening: When implementing DevSecOps security practices, the process to harden servers and other infrastructure components such as network devices must be included using automation. Hardening adds a layer to the automation framework that configures infrastructure using Infrastructure-as-code (IAC) and Configuration-as-code (CaC). Now configuration, settings, compliance guidelines, cryptography guidelines, and security defaults will be in place. Additionally, the layer ensures all patches are applied on an ongoing basis and organizations don’t have unpatched systems or software running across environments.
Observability: With the release of DevSecOps security practices, organizations need to be able to detect and respond quickly to any incidents. This is where observability comes into play as it can help identify issues with applications and infrastructure before they turn into breaches or impact performance or end-user experience.
Monitoring all aspects of a system - from containers and hosts to application performance data - teams can get a better understanding of trends and respond. This includes resource optimization, network throughput, usage of storage, monitoring for un-approved changes, monitoring the impact of changes, and more. The more information teams have, the more prepared they are to make proactive and reactive decisions.
Key Takeaways for Implementing DevSecOps Today
To be successful in today's digital economy, organizations need to implement DevSecOps security practices. This requires a shift in how security is approached by integrating it into the development and operations process. Security should be front and center during the planning and implementation of any initiative - whether that's migrating to the cloud or adopting new technology paradigms and technologies such as cloud-native and microservices - not an afterthought.
DevSecOps doesn't only apply to the development teams, it applies to the infrastructure teams as well. Every aspect of IT that is required to build and run an application, until the day the application is retired, must be involved in the DevSecOps process. Without doing so, organizations are perpetuating existing security risks and won't experience a reduced cycle time.