Source: searchitoperations.techtarget.com
DevSecOps has gone mainstream as companies bake security automation into app development, but experts say the toughest cybersecurity challenges remain unsolved.
DevOps security processes have matured within enterprises over the last year, but IT shops still have far to go to stem the tide of data breaches.
DevOps teams have built good security habits almost by default as they have increased the frequency of application releases and adopted infrastructure and security automation to improve software development. More frequent, smaller, automated app deployments are less risky and less prone to manual error than large and infrequent ones.
Microservices management and release automation demand tools such as infrastructure as code and configuration management software to manage infrastructure, which similarly cut down on human error. Wrapped up into a streamlined GitOps process, Agile and DevOps techniques automate the path to production while locking down access to it, a win for both security and IT efficiency.
However, the first six months of 2019 saw such a flood of high-profile data breaches that at least one security research firm called it the worst year on record. And while cybersecurity experts aren't certain how trustworthy that measurement is (there could just be more awareness of breaches than there used to be, or more digital services to attack than in past years), they feel strongly that DevOps security teams still aren't staying ahead of attackers, who have also learned to automate and optimize what they do.
"The attackers have innovated, and that's one of the problems with our industry: we're at least five years behind the attackers," said Adrian Sanabria, advocate at Thinkst Applied Research, a cybersecurity research and software firm based in South Africa. "We're in a mode where we're convinced, with all this VC money and money spent on marketing, that we have to wait for a product to be available to solve these problems ... and they're never going to be ready in time."
DevOps security tools aren't enough
A cybersecurity tool is only as good as how it's used, Sanabria said, citing the example of the Target breach in 2013, where security software detected potentially malicious activity but IT staff didn't act on its warnings. In part, this was attributed to alert fatigue, as IT teams increasingly deal with a fire hose of alerts from various monitoring systems. But it also has to do with IT training, Sanabria said.
"In the breach research I've done, generally everyone owned [the tools] they needed to own," he said. "They either didn't know how to use it, hadn't set it up correctly, or they had some kind of process issue where the [tools] did try to stop the attacks or warn them of it, [but] they either didn't see the alert or didn't act on the alert."
DevOps security, or DevSecOps, teams have locked down many of the technical weak points within infrastructure and app deployment processes, but all too often, the initial attack takes a very human form, such as a spoofed email that seems to come from a company executive, directing the recipient to transfer funds to what turns out to be an attacker's account.
"Often, breaches don't even require hacking," Sanabria said. "It requires understanding of financial processes, who's who in the company and the timing of certain transactions."
Preventing such attacks requires that employees be equally familiar with that information, Sanabria said. That lack of awareness is driving a surge in ransomware attacks, which rely almost entirely on social engineering to hold vital company data hostage.
Collaboration and strategy vital for DevOps security
Thus, in a world of sophisticated technology, the biggest problems remain human, according to experts, and their solutions are also rooted in organizational dynamics and human collaboration, starting with a more strategic, holistic organizational approach to IT security.
"Technology people don't think of leadership skills and collaboration as primary job functions," said Jeremy Pullen, CEO of Polodis, a digital transformation consulting firm in Atlanta. "They think the job is day-to-day technical threat remediation, but you can't scale your organization when you have people trying to do it all themselves."
An overreliance on individual security experts within enterprises leads to a "lamppost effect," where those individuals overcompensate for risks they're familiar with, but undercompensate in areas they don't understand as well, Pullen said. That kind of team structure also results in the time-honored DevOps bugaboo of siloed responsibilities, which increases security fragility in the same way it dampens application performance and infrastructure resilience.
"Developers and operations may be blind to application security issues, while security tends to focus on physical and infrastructure security, which is most clearly defined in their threat models," Pullen said. "Then it becomes a bit of a game of Whac-a-Mole ... where you're trying to fix one thing and then another thing pops up, and it gets really noisy."
Instead, DevSecOps teams must begin to think of themselves and their individual job functions as nodes in a network rather than layers of a stack, Pullen said, and work to understand how the entire organization fits together.
"Everyone's unclear about what enterprise architecture is," he said. "They stick Jenkins in the middle of a process but might not understand that they need to separate that environment into different domains and understand governance boundaries."
Effective DevOps security requires more team practice
Strategically hardening applications and IT management processes to prevent attacks is important, but organizations must also strategically plan, and practice, their response to the security incidents that can and will still happen.
"Cybersecurity so far has been focused on solitary study and being the best technical practitioner you can be, and building stand-alone applications and infrastructure to the best technical standard, which reminds me of golf," said Nick Drage, principal consultant at Path Dependence Ltd., a cybersecurity consulting firm based in the U.K., in a presentation at DevSecCon in Seattle last month. "But in reality, cybersecurity is a fight with an opponent over territory, much more like American football."
As long as security is practiced by isolated individuals, it will be as effective as taking the football field armed with golf clubs, Drage said. Instead, the approach should be more team-oriented, cooperative, and, especially, emphasize team practice to prepare for "game time."
American football defenses are particularly instructive for DevOps security strategy ideas about defense in depth, Drage said in his presentation. Among other things, they demonstrate that an initial incursion into a team's territory (yards gained) does not amount to a breach (points scored). IT teams should also apply that thinking as they try to anticipate and respond to threats: how to protect the "end zone," so to speak, and not just their half of the field.
Thinkst's Sanabria uses a different analogy: the DevOps security team as firefighters.
"We're not going to get good at this if we don't practice it," he said. "We buy all the tools, but imagine firefighters if they'd never donned the suits, never driven the truck, never used the hose and they're not expecting the amount of force and it knocks them down. Going out to their first fire would look like a comedy."
And yet that's exactly what happens with many enterprise IT security teams when they must respond to incidents, Sanabria said, in part because companies don't prioritize experiential learning over informational training.
The good news is that IT analysts expect the next wave of DevOps security to look very much like the chaos engineering many organizations already use to improve system resiliency, but with a human twist. Organizations such as OpenSOC have begun to emerge that set up training workshops, including simulated ransomware attacks, for companies to practice security incident response. Companies can also do this internally by running penetration tests as if they were real attacks, a practice known as red teaming. Free and open source tools such as Infection Monkey from Guardicore Labs also simulate attack scenarios.
Tech companies such as Google already practice their own form of human-based chaos testing, where employees are selected at random for a "staycation," directed to take a minimum of one hour to answer work emails, or to intentionally give wrong answers to questions, to test the resiliency of the rest of the organization.
"Despite the implications of the word 'chaos,' some companies are already presenting chaos engineering to their risk management leaders and auditors," said Charles Betz, analyst at Forrester Research. "This is the future of governance: controlling risk on the human side of our systems."