Decoding DevOps Security: Three Best Practices
By Arijit Banerjee
There’s no denying that DevOps is the new paradigm for application development in today’s fast-paced business environment. However, a DevOps pipeline depends on a constant exchange of secrets (credentials, keys and tokens) between people, tools and environments, and protecting that exchange is an increasingly difficult proposition given the growing sophistication of cyberattacks. According to a CyberArk survey, 60% of DevOps respondents revealed they store account details and user credentials in a document on a company computer. Worse, only 46% of the respondents said their security teams are integrated throughout the DevOps process, while 43% admitted to adding the security element as an afterthought, at the end of the DevOps workflow. The report also revealed that only 25% of security professionals say their organisation has a privileged account security strategy for DevOps.
Clearly, DevOps security gaps need serious attention from enterprises. Here are three best practices to bolster DevOps security:
#1 Make security a forethought in the software development and deployment process: According to Gartner, 90% of companies using DevOps treat security as an afterthought. By 2019, however, a predicted 70% of enterprise DevOps initiatives are expected to realise the importance of incorporating security into the foundations of their DevOps practices. Gartner calls this new trend DevSecOps. Integrating automated security testing and compliance checks right from the early stages of DevOps processes is critical: secret scanning, dependency and image vulnerability checks, static analysis and policy checks should run on every commit and should fail the build rather than merely report, otherwise findings are ignored as easily as a document on a laptop. This gives businesses greater visibility and control across the development life cycle, reducing the chances of human error and of something slipping through the cracks. The same automation acts as a closed loop for quickly resolving testing, compliance and security issues when a vulnerability or breach does surface, because the fix is verified by the pipeline that found the problem. While DevOps, with its continuous approach to software delivery and updates, is often viewed as a threat to enterprise security, when done correctly it is a perfect opportunity for organisations to strengthen their security posture.
#2 Cultivate an enterprise-wide culture of security awareness: 2017 was the worst year on record for data breaches, with the number of security incidents up by more than 45% compared with 2016. What’s worse, most of these cyber incidents could have been prevented had organisations deployed sound security practices. According to the Online Trust Alliance (OTA), 9 out of 10 organisations fall into the so-called low-hanging fruit category for security breaches because they fail to build basic security hygiene into their DevOps cycle. A healthy security culture begins at the top and trickles down. This involves whole-hearted participation from stakeholders and management who understand the importance of dedicating adequate time, resources and budget towards safeguarding enterprise assets. According to the 2017 State of DevOps Report, good leadership can amplify the effects of DevOps transformation and IT performance.
#3 Make DevOps testing an ongoing affair: With a function as dynamic as DevOps, continuous penetration testing and code review should become the norm. Organisations must aim for a rolling code review with each deployment cycle (automated checks on every change, with a human reviewer on anything touching authentication, secrets or infrastructure), along with a periodic deep dive to unearth hidden risks and issues that per-change review cannot see. The trick to getting DevSecOps right is to keep it simple: encourage your staff to develop expertise in the tools and environments they specialise in, rather than pushing them to support multiple disparate platforms. Focus on creating and following a solid written information security plan (WISP), a data incident response plan (DIRP) and any other procedural documents required in your industry or regulatory regime.
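The following Python script is an added illustration, not code from the original article or from any vendor or report it cites. It shows the kind of automated gate that practices #1 and #3 call for: a secret scan that runs on every commit or deployment cycle, fails the build (non-zero exit) when a hard-coded credential is found, which is exactly the habit the CyberArk figure above describes, and ignores placeholders and environment-variable references so that developers are not trained to click past false alarms. The rule names, file names and file contents are constructed for the example; the AWS access key value is the placeholder AWS uses in its own documentation, not a live key.

```python
"""Minimal CI secret-scanning gate (added example, constructed inputs).

Run with file paths as arguments to scan real files, or with no
arguments to scan the constructed SAMPLE_FILES below. Exit status 1
means a finding was made, which is what makes the pipeline fail.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Each rule is (name, regex); group 1 captures the secret value itself.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key-block",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    # NAME = 'value' or NAME: "value"; no leading \b so SMTP_PASSWORD also matches.
    ("generic-password-assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\b"
                r"\s*[=:]\s*['\"]([^'\"]{8,})['\"]")),
]

# Obvious placeholders and ${ENV_VAR} references are not live secrets.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
ALLOW_MARKER = "# secret-scan: allow"  # explicit, reviewable suppression


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    masked: str  # never echo the full secret into CI logs


def is_placeholder(value: str) -> bool:
    v = value.strip()
    return v.lower() in PLACEHOLDERS or bool(ENV_REF.match(v))


def mask(value: str) -> str:
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                if is_placeholder(value):
                    continue
                findings.append(Finding(path, line_no, rule, mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents (hypothetical paths and values).
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"   # env lookup: fine
        "SMTP_PASSWORD = 'Summer2024!Rotate'\n"       # hard-coded: flagged
        "API_KEY = 'changeme'\n"                      # placeholder: ignored
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",  # AWS docs placeholder
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n",      # key header: flagged
    "docs/ops-notes.md": (
        "Staging password is in the vault, not here.\n"
        'token: "${CI_DEPLOY_TOKEN}"\n'               # env reference: ignored
    ),
}


def main(argv: List[str]) -> int:
    if argv:
        files = {p: Path(p).read_text(encoding="utf-8", errors="ignore") for p in argv}
    else:
        files = SAMPLE_FILES
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.masked}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In a pipeline this runs as a required step before merge or deploy (for example, `python secret_gate.py $(git diff --name-only origin/main...HEAD)`), so the gate fails the change rather than merely reporting it. Two design points matter for the culture practice (#2): findings are masked so the log itself does not become the "document on a company computer", and suppression is an explicit in-line marker that a reviewer can see and question.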
DevSecOps is the future
The global DevSecOps market is expected to grow at a CAGR of 33.7% from 2017 to 2023. Besides the alarming growth in data breaches and cyberattacks, the growing demand for next-generation technologies such as AI, automation, IoT and the cloud is driving DevSecOps market growth. While there are many more DevOps security best practices, the three highlighted here can serve as a helpful starting point for businesses embarking on their DevSecOps journey.