Five ways to integrate DevSecOps principles into your digital teams03/03/2021
As the coronavirus pandemic continues to disrupt global health, economic, political and social systems, there's another unseen threat rising in the digital space: the risk of cyberattacks that prey on our increased reliance on digital tools and remote operations. A heightened dependency on digital infrastructure raises the cost of failure and during the pandemic, cybercrime has risen by more than 31%.
This is why we want to talk about DevSecOps - a burgeoning discipline that injects security into the DevOps process, providing a structural assurance that code and assets will be designed with security in mind and not delivered at the end of delivery cycles.
As part of a recent live roundtable event, we invited the following DevOps and Security professionals to share their top tips for introducing a security first approach to digital team management:
Dave Edwards, Applications Director at AJ Gallagher
Neveen Elasar, Platform Engineer at Sparta Global
Osama Abu Oun, Cybersecurity Trainer at Sparta Global
- Think security first.
“I would argue it should be SecDevOps! Security should be the first consideration – before anyone starts developing new projects or programmes,” Dave Edwards.
Technical teams are tasked with continuous innovation where developing and improving systems faster is often the measure of success, but security cannot be seen as a drag to delivery. It is essential to be fast and efficient, but security cannot be where shortcuts are taken.
Taking pre-emptive measures and preparing for the worst-case scenario is a necessary security process. The COVID-19 pandemic and remote working rush has certainly solidified this notion for technical business leaders such as Dave.
“We had to move our entire workforce to remote working in the space of one weekend and security certainly could have been better. I mean that in the sense that our individuals and devices weren’t set up for remote working with immediate effect and for the length of time we have experienced. It took time to rectify this and if I could go back, I would have ensured that people and processes were in place for this scenario and that everything was standalone secure from the outset”.
- Think like a hacker
“For someone to cause havoc – they only need one way in”, Osama Abu Oun.
Fully protecting a company’s data is no easy task. Dan Chenok, a former chairman of the Information Security and Privacy Advisory Board for the U.S. National Institute of Standards and Technology, has asserted: “The only way to 100% protect yourself from attacks is to turn off your computers.”
Osama argues that there are steps we can take; “organisations want to reduce the risk of external hacking attacks, they need to understand the hacker mindset, comprehend the expertise of successful hackers and anticipate and confront attacks.” Companies such as Facebook Inc. and Microsoft Corp have hired hackers, but research suggests that hackers’ attacks typically follow a predictable pattern: identifying vulnerabilities; scanning and testing; gaining access; and maintaining access. Align your own security process to these steps and beat the hacker threat before it materialises.
- Tool up!
Securing a network can seem overwhelming and rolling out cybersecurity responsibilities to all teams – in the way that DevSecOps encourages as a discipline - can be complicated. However, network security tools can assist greatly in securing your monitoring IT environment.
Platform Engineer Neveen Elasar who is currently working with one of the UK’s leading insurance providers, now works in the Cloud. This, Neveen points out, provides just another layer of protection across the IT environment; “With working in the Cloud, security of your hardware and software can be managed by your cloud provider too and it’s so important that security like this is continuous and consistent, never an afterthought.
Scanning tools can also be used to identify vulnerabilities in infrastructure and code early on – giving teams the opportunity to fix bugs and improve security in areas that could causer larger and more damaging issues in the future.
- It has to be a team effort
To truly integrate DevSecOps principles into your team and organisation, everything must be treated as vulnerable and therefore can be made more secure. Anything that is built or deployed must be done so in a secure manner.
While large organisations are likely to have expert cybersecurity professionals operating internally, its no longer the sole priority of IT security teams to protect a businesses IT infrastructure.
Security is ubiquitous – having experts is important but they need to spread their knowledge. Organisations should consider forming a community of practice where all teams outside of the traditional scope of security can learn best practice from their peers.
- Implement tools incrementally – make big changes, but not all at once
In an ideal world, developers are also security engineers and will build appropriate risk-mitigation features into their software applications, as well as follow appropriate procedures and apply policies to mitigate potential risk. This is the difference between a DevOps led team and one which integrate DevSecOps, but the change cannot be rushed.
As important as it is to make immediate moves towards operating and maintaining a secure IT infrastructure, team-wide shifts in process and the introduction of new tools cannot all be done at once. Tools should be implemented incrementally to ensure adoption and validate that security risks are being addressed.