DevSecOps Adoption and the Web Security Myth
Source: devops.com
As DevOps practices have become widespread in the tech community, many people have begun proclaiming the virtues of DevSecOps. As the name implies, DevSecOps is the addition of security into DevOps. Just as DevOps promises better-quality production in less time, DevSecOps promises better security with less time required to achieve and maintain it.
DevSecOps has many benefits. However, many executives are under the impression they can't embrace DevSecOps across their entire organization.
This idea is false. Most organizations that have already adopted DevOps can, and should, take the next logical step and adopt DevSecOps as well.
"It Sounds Great, But We Can't Use It Here"
Adopting DevOps requires far-reaching changes throughout an organization. Going to DevSecOps can be similarly disruptive. However, internal disruption is not usually the (perceived) problem with DevSecOps.
Instead, the problem is usually the network border. Many executives believe that their current web security solutions are incompatible with DevSecOps.
In many cases, this is actually true. Older approaches to web security are indeed hindrances to DevSecOps practices.
Therefore, the problem isn't actually with DevSecOps. The problem comes from the security solutions currently in use.
Legacy Security Solutions and DevSecOps
Many organizations are still using appliances (whether physical or virtual) as their primary protection against external threats. A decade ago, appliances were good enough. Today, they're a competitive disadvantage.
There are several ways in which appliances are incompatible with DevSecOps:
Programmatic control of an appliance is often difficult, if it's even supported at all.
Configuring an appliance can be challenging. It often requires a high level of security expertise.
Rolling out settings and configuration changes across a bank of appliances can be time-consuming and potentially error-prone.
The cost and specialized nature of most appliances make them inconsistent with the DevOps mantra of "cattle, not pets."
Physical appliances do not scale, so the external-facing applications behind them are limited in their scaling as well.
Appliances are not designed for ephemeral workflows.
Appliances are not designed to support infrastructure as code (IaC).
Security appliances represent a decades-old approach to security, so it's not surprising they don't support modern practices. What is surprising is that even many allegedly "cloud-native" solutions aren't built for DevSecOps, either.
For example, some require multiple instances to be launched into your environments. Some require additional layers of management just to maintain consistent configuration among them. Many do not provide good support for evolving architectures and expanding deployments. In general, these security products tend to require significant intervention and management, while lacking automated control capability. This all severely limits the use of DevSecOps.
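The list above and the paragraph on "cloud-native" products both come down to the same operational gap: a security control that cannot be declared as code, validated in a pipeline, and converged across every instance automatically. The following is an added illustration, not code from the article or from any vendor, of what that workflow looks like when the control does support it: a declarative edge policy checked into the repository, a validation gate that fails closed on unsafe settings, and an idempotent rollout plan computed per enforcement point so that drift is detected and corrected rather than hand-patched. The policy schema, the `edge-N` instance names and the fleet state are all constructed sample data.

```python
"""Security policy as code: validate a declarative edge policy and plan an
idempotent rollout across a fleet of enforcement points (added example with
a constructed policy schema; not the article's or any product's code)."""
import copy

ALLOWED_ACTIONS = {"allow", "deny", "rate_limit"}

# Constructed sample: the desired policy as it would be committed to the repo.
DESIRED_POLICY = {
    "version": 3,
    "default_action": "deny",
    "rules": [
        {"id": "allow-web", "match": {"port": 443}, "action": "allow"},
        {"id": "block-admin", "match": {"path_prefix": "/admin", "src_not": "10.0.0.0/8"},
         "action": "deny"},
        {"id": "rate-limit-login", "match": {"path_prefix": "/login"},
         "action": "rate_limit", "rps": 5},
    ],
}

# Constructed sample: what three enforcement points currently run.
# edge-1 is in sync, edge-2 has a stale extra rule, edge-3 has drifted badly.
FLEET_STATE = {
    "edge-1": copy.deepcopy(DESIRED_POLICY),
    "edge-2": {"version": 2, "default_action": "deny", "rules": [
        {"id": "allow-web", "match": {"port": 443}, "action": "allow"},
        {"id": "block-admin", "match": {"path_prefix": "/admin", "src_not": "10.0.0.0/8"},
         "action": "deny"},
        {"id": "legacy-ftp", "match": {"port": 21}, "action": "allow"},
    ]},
    "edge-3": {"version": 1, "default_action": "allow", "rules": []},
}


def validate_policy(policy):
    """Pipeline gate: return a list of findings; an empty list means the policy passes."""
    findings = []
    if policy.get("default_action") != "deny":
        findings.append("default_action must be 'deny' (fail closed)")
    seen = set()
    for rule in policy.get("rules", []):
        rid = rule.get("id")
        if rid in seen:
            findings.append(f"duplicate rule id {rid!r}")
        seen.add(rid)
        action = rule.get("action")
        if action not in ALLOWED_ACTIONS:
            findings.append(f"rule {rid!r}: unknown action {action!r}")
        if action == "allow" and not rule.get("match"):
            findings.append(f"rule {rid!r}: unconditional allow is not permitted")
        if action == "rate_limit" and rule.get("rps", 0) <= 0:
            findings.append(f"rule {rid!r}: rate_limit needs rps > 0")
    return findings


def plan_rollout(desired, fleet_state):
    """Compute, per instance, the (op, arg) steps needed to converge on `desired`.
    Pure function: neither argument is modified. Rules are compared by id, so an
    instance that already matches yields an empty list (idempotence)."""
    desired_rules = {r["id"]: r for r in desired["rules"]}
    plan = {}
    for name, current in fleet_state.items():
        current_rules = {r["id"]: r for r in current.get("rules", [])}
        actions = []
        for rid, rule in desired_rules.items():
            if rid not in current_rules:
                actions.append(("add", rid))
            elif current_rules[rid] != rule:
                actions.append(("update", rid))
        for rid in current_rules:
            if rid not in desired_rules:
                actions.append(("remove", rid))
        if current.get("default_action") != desired["default_action"]:
            actions.append(("set_default", desired["default_action"]))
        plan[name] = actions
    return plan


def apply_plan(desired, fleet_state, plan):
    """Simulated apply: execute each instance's plan step by step and return the
    new fleet state. In a real pipeline each step would be an API call to the
    enforcement point; here the state is an in-memory copy."""
    desired_rules = {r["id"]: r for r in desired["rules"]}
    new_state = copy.deepcopy(fleet_state)
    for name, actions in plan.items():
        inst = new_state[name]
        rules = {r["id"]: r for r in inst.get("rules", [])}
        for op, arg in actions:
            if op in ("add", "update"):
                rules[arg] = copy.deepcopy(desired_rules[arg])
            elif op == "remove":
                rules.pop(arg, None)
            elif op == "set_default":
                inst["default_action"] = arg
        inst["rules"] = list(rules.values())
        inst["version"] = desired["version"]
    return new_state


if __name__ == "__main__":
    problems = validate_policy(DESIRED_POLICY)
    if problems:
        raise SystemExit("policy rejected: " + "; ".join(problems))
    rollout = plan_rollout(DESIRED_POLICY, FLEET_STATE)
    for instance, steps in rollout.items():
        print(instance, steps or "in sync")
    converged = apply_plan(DESIRED_POLICY, FLEET_STATE, rollout)
    print("residual drift:", plan_rollout(DESIRED_POLICY, converged))
```

The point of the design is the contrast with the appliance workflow described above: the policy is reviewed as text, the gate rejects a fail-open default or an unconditional allow before anything is deployed, and a second run against an already-converged fleet produces an empty plan, so the same pipeline can run on every commit without operator intervention.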
These appliances and incorrectly labeled "cloud-native" solutions are why many executives believe DevSecOps isn't an option for their organizations. To be clear, these executives are correct, for as long as they continue to use previous-generation approaches to web security.
Not Just a DevSecOps Issue
Older approaches to web security have other problems that go beyond a hindrance to DevSecOps usage.
For example, appliances are marketed as complete web security solutions, but they cannot actually fulfill this role. Among other things, an appliance cannot defend against a volumetric DDoS. The attack can overwhelm the upstream ISP before the appliance even has a chance to scrub the traffic. This can result in the ISP blackholing all incoming traffic, which makes the targeted site and web applications unavailable to users and customers, the exact situation the appliance was supposed to prevent.
Solving the Problem
Organizations that are still using older security technologies should re-evaluate this decision. Modern solutions such as cloud web security platforms can provide better protection, along with numerous other benefits. These include full management by the provider, real-time reporting and traffic control, adaptive threat identification based on machine learning, and much more.
When organizations continue to use legacy security solutions, they not only prevent themselves from enjoying the benefits of DevSecOps, they also miss out on many other benefits.