Why a “Whole Brain” Approach to Secure DevOps Is Critical
Organizations are under constant pressure to remain competitive and increase efficiency. For application developers in DevOps teams, this means functioning like a factory — leveraging the agile and iterative nature of the DevOps methodology for quick application development.
Typically, DevOps teams are a combination of application developers and business operations resources that exist within the IT organization. These teams are creative experts (think right-brain innovators) and are highly effective at designing and developing applications and continuously improving them through iteration and the use of DevOps tools.
These resources collaborate on the latest organizational models and CI/CD techniques to get applications into market as quickly as possible to meet urgent business requirements.
While application development tools and techniques emphasize rapid development and iteration, the DevOps methodology does not organically include security oversight — it is not engineered for SecDevOps. As a result, InfoSec teams (typically analytical, process-driven left-brain types) are often unaware of new applications being deployed — applications that can carry vulnerabilities into the field, where they are discovered too late.
This recently happened in the industrial control systems (ICS) industry, where the consequences of a lack of application security in DevOps came to light when several applications were deployed but not properly secured. The result was that a large European ICS vendor became the victim of a zero-day malware attack that allowed remote access by Trojan viruses and, in one manifestation, enabled the shutdown of an entire power plant. The root of the problem was that the security team was not aware that new ICS applications were being deployed, and unfortunately the vulnerabilities were found the hard way.
Changing the way DevOps is wired
Of course, introducing security risk is not an acceptable cost of increased application development speed and efficiency, which is why many DevOps organizations are modifying their teams' approach to a Secure DevOps methodology in order to make security an integral part of the DevOps methodology. To succeed, however, it is necessary to understand how the roles currently operate and how they need to change.
The major obstacle to achieving SecDevOps stems back to the left brain versus right brain analogy. DevOps teams are driven by the right brain and the need to be creative, continuously seeking innovation in order to improve business operations. These teams design and build applications to meet specific business requirements, and they are comfortable with some degree of risk as a tradeoff to the new functionality they have delivered. Yet, as talented as these teams are, they are not security experts and building advanced features, like encryption, into the application is outside of their realm.
Their left-brain counterparts, the InfoSec teams, on the other hand, are analytical and adhere to carefully managed processes with the goal of safeguarding the organization's infrastructure and data. A critical piece of this involves testing and verifying all applications in a more traditional gate process: for example, product iterations would be checked for vulnerabilities, especially where open source code is used, before they can be run against production data. Yet this DevOps security checklist will likely slow the process down, seemingly countering the whole point of fast DevOps methodologies, especially if DevOps security questions or issues arise.
Clearly, DevOps and security teams have very different objectives and are inherently "hard-wired" in contrasting ways to accomplish their specific goals. While it may be challenging for left-brain and right-brain operators to work together, leveraging the benefits of both approaches with a Secure DevOps methodology can lead to a best-of-both-worlds outcome. Success should be recognized only when applications are delivered both quickly and securely. Period.
A melding of the minds: The whole-brained approach to secure DevOps
It is important to recognize that integrating information security and application development is more than just creating a series of meetings or a handful of management touch points. There are challenges that must be met and addressed, not the least of which is pushing InfoSec teams to keep pace with DevOps teams driven by the needs of the business.
Additionally, operations must be segmented so that the appropriate security policies can be applied and production data is protected whenever applications connect to it — a critical requirement for maintaining the integrity of a secure network while potentially vulnerable applications are being tested. Organizations often look for opportunities to insert DevOps security automation techniques into the process so that this work can be performed quickly and with limited human error.
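One concrete form of the gate process and the security automation described in the two paragraphs above, written here as an added example (it is not CSPi's code, nor part of the ARIA SDS platform): a dependency check that a CI job runs before a build is allowed to touch production data. It refuses the build when a pinned open source dependency falls inside a known-vulnerable version range, and also when a dependency is not pinned at all, since an unpinned version cannot be verified. The advisory identifiers, package names and requirements file are constructed for illustration; a real pipeline would load advisories from a vulnerability database rather than a hard-coded list.

```python
"""Constructed example: an automated dependency gate for a CI pipeline.

The gate parses a pinned requirements file, compares each pin against a
(constructed) advisory list and refuses to pass the build when a known
vulnerable version or an unpinned dependency is present.  Advisory ids,
package names and versions below are made up for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE number
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)


# Constructed advisory feed; a real pipeline would pull this from a vulnerability database.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "examplelib", "1.0.0", "1.4.2"),
    Advisory("ADV-EXAMPLE-0002", "otherlib", "0.0.0", "2.0.0"),
]

# Matches only exact pins such as "name==1.2.3"; ranges like "name>=1.2" do not match.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$")


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Return (pins, unpinned): pins maps package name to its exact version,
    unpinned lists the requirement lines that cannot be checked."""
    pins, unpinned = {}, []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not stripped:
            continue
        m = _PIN_RE.match(stripped)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(stripped)
    return pins, unpinned


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, version, advisory_id) for every pin inside an affected range."""
    findings = []
    for adv in advisories:
        version = pins.get(adv.package.lower())
        if version is None:
            continue
        v = parse_version(version)
        if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
            findings.append((adv.package, version, adv.advisory_id))
    return findings


def gate(requirements_text, advisories=ADVISORIES):
    """Decide whether a build may proceed to environments holding production data.
    Returns (passed, report_lines).  Unpinned dependencies fail the gate because
    the version that will actually be deployed cannot be verified."""
    pins, unpinned = parse_requirements(requirements_text)
    report = []
    for pkg, ver, adv_id in find_vulnerable(pins, advisories):
        report.append(f"BLOCK {pkg}=={ver}: affected by {adv_id}")
    for line in unpinned:
        report.append(f"BLOCK {line!r}: not pinned to an exact version, cannot be verified")
    return (not report), report


# Constructed requirements file for a sample build.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed sample)
examplelib==1.3.0
otherlib==2.1.0
safelib==0.9.1  # pinned and not in the advisory list
loglib>=3.0     # floating range: will be flagged
"""

if __name__ == "__main__":
    passed, report = gate(SAMPLE_REQUIREMENTS)
    for line in report:
        print(line)
    print("gate passed" if passed else "gate FAILED: build must not reach production data")
```

Run as a CI step, the script's exit status (or the `passed` flag) is what the pipeline acts on; the report lines give developers the exact pin and advisory to fix, so the check blocks the build without requiring a security specialist in the loop for every iteration.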
In the next article about how to achieve a Secure DevOps methodology, we’ll explore four specific best practices top DevOps teams are using to address the need for security while maintaining rapid application development. You’ll see how many companies are successfully implementing a whole-brain approach to secure application development, empowering developers and security teams to do what they do best.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi's ARIA SDS platform uses a simple, automated approach to protect any organization's critical data, including PII/PHI, on-premises and in public clouds, whether it is in use, in transit, or at rest.
If you would like to learn more about the Secure DevOps methodology, check out our white paper on the subject, “How to Secure DevOps Across Any Environment.”