DevOps reflects a team sport mentality; work together relying on each other’s strengths to be better, faster, and to beat the competition. But cybersecurity professionals are often left out of the game. Being agile and getting an edge on time-to-market for a new product or fix is how corporations win the innovation game. But the innovation win comes at what cost? Sacrificing security to release software faster isn’t fair play.
DevOps is a blanket term for a culture of collaboration between development and operations engineers through all stages of the product or service lifecycle – from design to production support. DevOps as a platform increases business innovation and scalability, and can include system administrators, release and network engineers, operations staff, database administrators, and quality assurance staff. Who DevOps should include, and often still doesn’t, is cybersecurity specialists. Cybersecurity remains largely siloed in modern business models. A study found that in 60 percent of organizations, cybersecurity was not being integrated into DevOps processes.[i]
Time to Market Breeds Insecurity
In a survey of developers, 48 percent admitted that they don’t have enough time to spend on cybersecurity.[ii] This is often due to the fact that cybersecurity isn’t as sexy as a shiny new application and is actually viewed as a speedbump that slows the road to progress. To further this, 68 percent of security professionals are told to do everything possible to not slow business and releases down.[iii] According to Threat Stack, over half of companies sacrifice security for speed.[iv] In addition, they found that 57 percent of operations teams do not follow cybersecurity best practices.[v] It’s no wonder with statistics like this that cybercrime rates continue to rise – up 11 percent last year.[vi] If cybersecurity continues to be siloed, then this number will only increase.
A 451 Research Report concluded that “Even though the popular view is that security slows down software releases, we believe organizations can actually reduce risk and save themselves rework headaches and time by considering and injecting security early in the process and choosing security tools and elements that can be integrated and automated. This means integrating security at code commit and in pre-implementation processes, something our survey indicates is lacking for most organizations.”[vii]
Putting a focus on security over development should be every team’s priority. But if pressure to place speed above all else comes from the top down, teams will cut back on cybersecurity, instead of prioritizing it, in order to make management happy. Threat Source reported that 52 percent of those surveyed admitted to cutting back on cybersecurity measures in order to meet deadlines.[viii] As well, 44 percent of developers admitted to not knowing how to code securely.[ix] Scanning for malicious code needs to be done throughout the development process, because this is when attackers will try to sneak in a line of malicious code that acts as a backdoor. Excluding a security professional from the creation process weakens the end product.
A Culture of Security
It starts with creating a culture of cybersecurity, where security is seen as a fundamental corporate value, not an add-on or afterthought, or even worse, an inconvenience to be bypassed. Educating employees about cybersecurity best practices is a cornerstone of creating a culture of cybersecurity and would help to shrink the 42 percent of operations teams that are currently not properly trained in cybersecurity measures.
During the development phase, applications are regularly tested for functionality, ensuring the app operates as designed. However, if developers do not test for cybersecurity vulnerabilities then the end product will not be secure. A launch of an insecure app can be detrimental to a brand and difficult to bounce back from. Companies invest large quantities of money and people hours into development. Having an insecure or unusable end product is just throwing that money, and brand reputation, away. That’s why it is vital to create a culture wherein DevOps and cybersecurity teams work together throughout the development process to properly secure applications.
Current reactive cybersecurity measures aren’t working. The increases in cyberattacks are proof of this. Corporations need to take a “secure by default” position, that accounts for and integrates cybersecurity from the beginning.[x] The adoption of security measures into DevOps, under the moniker DevSecOps, depends on properly creating and fostering a security culture across the entire organization. As with any new process, companies will need to establish outcomes and metrics concerning their cybersecurity initiatives to make sure all teams are aligned on cybersecurity goals. Metrics to be tracked can include cybersecurity flow, resilience and cyber risk reduction.
Keeping Security Siloed Isn’t Working
Cybersecurity is an organizational issue, and developers need time and support to work on cyber issues. This means treating cybersecurity as you would any other bug in the system: making time for security design, writing security tests, or inserting security instrumentation to provide visibility in production. Making security a focus in-process works. According to Gartner, 60 percent of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures.[xi]
In a recent global survey conducted by Trend Micro, which included respondents from Canada, 71 percent of respondents said they’d like to see more participation by cybersecurity in DevOps initiatives.[xii] That number shows promise that perhaps the DevOps and security silo will be broken down. In another survey, when asked when application security testing should be integrated with CI/CD workflows, the percentages for “when developers commit code” and “on the fly while coding” were both quite high, at 67 and 44 percent respectively.[xiii] However, only one-third of respondents said DevOps is a shared responsibility between developers and IT, which suggests that currently the security team is still being left out.[xiv]
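The 451 Research recommendation to inject security “at code commit” and the survey preference for testing “when developers commit code” both point to the same concrete mechanism: an automated check that runs before a commit is accepted. The script below is an added example written for this article, not code from the article or from any of the vendors it cites. It is a hypothetical git pre-commit hook that parses the staged diff and blocks the commit if a newly added line looks like a hard-coded credential. The detection rules, the file names and the sample diff are all constructed for illustration; the rule set is deliberately small and would be extended or replaced by a proper scanner in practice.

```python
#!/usr/bin/env python3
"""Hypothetical pre-commit hook: reject commits that add hard-coded credentials.

Install (assumption, not from the article): copy to .git/hooks/pre-commit and
make it executable. The hook inspects only lines *added* in the staged diff,
so pre-existing findings elsewhere in the repository do not block the commit.
"""
import re
import subprocess
import sys

# Constructed detection rules. These are illustrative patterns, not a
# vendor's rule set; a real deployment would use a maintained scanner.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    # No leading \b: identifiers such as DB_PASSWORD must still match.
    "generic_password_assignment": re.compile(
        r"(?i)(?:password|passwd|secret)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def scan_added_lines(diff_text):
    """Return [(file, new_line_number, rule_name)] for added lines in a unified diff.

    Only '+' lines are scanned; context and removed lines are used solely to
    keep the new-file line counter accurate for the report.
    """
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line number.
            match = re.search(r"\+(\d+)", raw)
            new_line = int(match.group(1)) if match else 0
        elif raw.startswith("+"):
            content = raw[1:]
            for name, pattern in RULES.items():
                if pattern.search(content):
                    findings.append((current_file, new_line, name))
            new_line += 1
        elif raw.startswith("-"):
            pass  # removed line: does not advance the new-file counter
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # unchanged context line
    return findings


# Constructed staged diff used as sample input (not a real repository).
SAMPLE_DIFF = """diff --git a/app/config.py b/app/config.py
index 1111111..2222222 100644
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
 
-DB_HOST = "db.internal"
+DB_HOST = os.environ.get("DB_HOST", "db.internal")
+DB_PASSWORD = "hunter2hunter2"
+AWS_KEY = "AKIAEXAMPLEKEY000000"
 TIMEOUT = 30
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+PLACEHOLDER-KEY-MATERIAL
"""


def staged_diff():
    """Read the staged diff from git (only used when run as a hook)."""
    return subprocess.run(
        ["git", "diff", "--cached"], capture_output=True, text=True, check=True
    ).stdout


def main(diff_text=None):
    text = staged_diff() if diff_text is None else diff_text
    findings = scan_added_lines(text)
    for path, line, rule in findings:
        print(f"{path}:{line}: possible hard-coded credential ({rule})")
    if findings:
        print("Commit blocked: move the value to a secret store or environment variable.")
        return 1
    return 0


if __name__ == "__main__":
    # Pass --demo to run against the constructed sample instead of the real index.
    sys.exit(main(SAMPLE_DIFF if "--demo" in sys.argv else None))
```

Run with `--demo` to see the three findings from the constructed diff; installed as a hook, a non-zero exit stops the commit and the developer sees the file and line to fix. Scanning only added lines keeps the check fast and avoids punishing a developer for findings they did not introduce, which is the kind of low-friction integration the surveys above favour.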
DevSecOps shouldn’t be a buzzword – it should be a business imperative. To innovate securely, create a three-pillared collaborative culture by putting the Sec in DevOps. Cybersecurity professionals can help make sure both the product and the deployment pipeline are safe. The key takeaway “is that no single person or team can or should be responsible for security in CI/CD releases. In these environments, the continuous and constant flow of code, data and activity means all stakeholders need to be involved in securing the process.”[xv] To ensure a safer end product and a more cyber secure market, take a shift-left approach to cybersecurity and make it a priority early in a product’s lifecycle.