The way software is built and shipped is changing. As companies move to the cloud, they reap the rewards of scalable computing environments and cloud-native tools to enable more rapid development. As part of this acceleration, the DevOps philosophy has helped fuse Operations and Development teams to streamline the software development lifecycle (SDLC).
DevSecOps takes this approach even further — it de-siloes the SDLC by shifting security left, typically with increased security automation and programmability. But DevSecOps is more than just tooling — it’s about the mind shift necessary to embrace a culture of security, explains oak9 Co-Founder and Chief Product Officer Om Vyas.
Inserting security earlier in the software development and deployment process is critical to spot bugs and vulnerabilities early on. Especially with the spotlight on supply chain exploits, organizations must ensure all their dependencies are stable and secure. I recently met with Vyas to discover why DevSecOps is crucial to a holistic cybersecurity strategy. According to Vyas, today’s cloud-based IT requires a new operational approach to ensure security at scale, and this is where DevSecOps shines.
The Cloud Requires Repositioning
Although AWS, Azure, and GCP have been around for a while now, the fact of the matter is that most enterprises are still early on in their cloud transformations. A study by McKinsey & Company found that, on average, companies are only 20% of the way into their cloud journeys. This is primarily due to the need to support legacy, on-premise workloads as long as they are economically viable.
Making a meaningful cloud transition is the key differentiator to ongoing digital transformation, according to Vyas. And as organizations phase into cloud computing, it won’t be enough to apply the same old processes. “It’s not enough to just take on-premise data centers and lift and shift,” said Vyas. The cloud model is different, and traditional IT Ops accustomed to managing their own compute environments will require training on how to govern it.
DevSecOps Meets Nuances of the Cloud
The second stage of cloud maturity, according to Vyas, is taking advantage of cloud-native capabilities to realize the full benefits of the cloud. Once in the cloud, teams can utilize automation to move much faster than on-premise and virtual machines. With serverless computing, less manual legwork is required — an engineer can instantly spin up an instance in a GUI console and scale resources to the application’s requirements.
“This starts the acceleration of development,” said Vyas. “But it becomes critical for an organization to think about how to manage this velocity and how to operationalize it by building governance and security around it.” In the cloud, things move fast. As teams operate with more velocity, they run the risk of introducing a new kind of chaos if guardrails aren’t in place.
A mere five years ago, it was more commonplace to push security reviews to the end of the development process, says Vyas. Nowadays, this just isn’t as relevant. Amid more frequent, continual updates, a shift is required — security must be integrated into how we deploy. “That’s where the DevSecOps piece really comes into play. Security has to be built into the DevOps model.”
Unique Threats and Vulnerabilities of the Cloud
So, what unique vulnerabilities does a cloud transformation pose that DevSecOps must consider? For one, the surface area can be massively larger than on-premise IT, says Vyas. Really, any plug-and-play feature offered by a cloud service provider (CSP) could be vulnerable to internet access. The pervasiveness of misconfigured S3 buckets is a perfect example of how cloud-based computing can be exposed.
This issue increases as the number of configurations an organization must maintain rises. Hundreds of features and services may contribute to supporting an application in the cloud, describes Vyas. With this amount of complexity, it becomes more complicated to oversee roles and policies for all these components. Furthermore, CSPs provide different flavors of the same services, meaning that there are even more nuances in a multi-cloud environment. Although CSPs are getting better at setting secure defaults, the continual churn of feature updates on these products becomes difficult to oversee at scale, says Vyas.
Lastly, cloud transitions inherently involve a lot of open-source software (OSS). Even if fully-managed cloud-based services are adopted, they will often incorporate OSS into their fabric. “We’re a big proponent of open-source,” says Vyas. “The community is driving a lot of the capabilities and innovation. However, it’s a double-edged sword.”
Open-source packages are increasingly prone to supply chain attacks and vulnerabilities. And when an exploit is discovered, you are then reliant upon the community to issue quick updates. Thankfully, industry bodies like The Linux Foundation are standardizing credibility for open-source projects, which is good news for large enterprises that tend to favor open-source with a lot of governance, says Vyas.
DevSecOps For The Composable Cloud
Boundaries are blurring in the cloud. And as IT shifts into this new paradigm, new threats emerge. Nowadays, it’s no longer just the application and data that might be exposed, but the infrastructure and storage itself could be exposed too. Greater visibility and awareness, as well as security automation, will be necessary to keep up with the pace of change.
According to Vyas, DevSecOps is one answer to incorporating a security focus into continuous software deployments. It’s how you automate things like policies, governance, and compliance to bring a high level of engagement to the AppDev community. This will also require a culture of blameless retrospectives and the ability to translate high-level requirements to developers.
“The more educated the DevSecOps practitioners are, the easier it is to build and operate within the guardrails of cloud automation. It’s not just about policies or governance — you have to think about it holistically.”
Think of the cloud as lego pieces — components can be easily assembled to build whatever you want to build. Some also call this the composable enterprise model. But now that it’s so easy to assemble software ecosystems with prefabricated pieces, what are the security ramifications of that agility? “A true DevSecOps model is required to think about all that upfront,” said Vyas.
Otherwise, your hastily assembled Lego tower might crumble under pressure.
Want more cybersecurity insights? Visit the Cybersecurity channel: