In this post Clearvision, an Atlassian Platinum Solution Partner specialising in supporting enterprises in digital transformation, explores the topic of DevSecOps – a mindset that makes infosec everyone’s job.
While DevOps – the concept of removing barriers between development and operations so teams can release more reliable software more rapidly – has grown hugely in popularity over the past ten years, some are still resistant to the change DevOps can bring to an organization.
There are a number of compelling arguments in favour of the DevOps mindset. The numbers speak for themselves: compared with low-performing organizations, high performers achieve
- 46x more frequent deployments
- 96x faster mean time to recovery
- 5x lower change failure rate
- 440x shorter lead times
Statistics via 2017 State of DevOps Report
In spite of this, though, many organizations looking to adopt a DevOps culture come up against objections from information security and compliance teams.
There’s a common view that as business demand for the continuous delivery that DevOps facilitates grows, traditional security processes become something of a hindrance. Sonatype’s recent DevSecOps Survey revealed that 59% of organizations believe that security inhibits DevOps agility.
This is often because traditional information security practices come too late in the software development cycle: a review bolted on just before release cannot keep pace with continuous delivery, so security processes become inconsistent or, worse still, are overlooked in the drive to release more often.
But if those releases aren’t secure, end users suffer. So how do security teams navigate the organizational changes of DevOps?
Infosec + DevOps = DevSecOps
“Information security as everyone’s job, every day” – The DevOps Handbook
It is when infosec operates as a silo outside of development and operations that a dangerous disconnect between security and development is most likely to occur.
But the modern technology organization does not have to be this way. As IT organizations move from a traditional ops environment to a DevOps architecture, they are rethinking how their teams work. Cross-functional teams are increasingly common, and this is where we see DevSecOps: the idea of embedding security priorities, infosec skills, and security-oriented testing throughout the software development life cycle. DevOps is fundamentally about communication between development and operations occurring early and often; DevSecOps brings security into the collaborative mix as well.
“This isn’t a situation where having one team succeeding means another has to falter – rather it’s a perfect ecosystem for collaboration. Security is the responsibility of every individual in an organization and should never supersede the object being delivered. It should be an attribute.”
– DJ Schleen, DevSecOps Evangelist – Sonatype DevSecOps Survey 2017
As with any cultural change, this is all easier said than done. There are numerous ways to work towards building a collaborative, integrated culture, and of course the nature of DevOps and continuous improvement means that even those organizations already practicing DevSecOps have the potential to achieve more.
This was the subject of a recent Clearvision webinar series exploring the challenges and best practices of deploying Atlassian applications such as JIRA Software and Bitbucket at enterprise scale. For this we worked with our partner Sonatype, creator of the DevSecOps Survey, to delve deeper into DevSecOps and explore how it helps build quality and security into production. You can watch the full webinar on YouTube, but here are some high-level tips on how to integrate information security into your dev and ops teams.
Involving infosec earlier in the software development cycle is a top priority for many organizations. Automation lets teams bring security in at the design and architecture phase and keep it present through development, QA, pre-release checks and production. Teams using Atlassian Bamboo for continuous integration can stop security testing becoming a process blocker by choosing tools that offer API integration and self-service, so that feedback loops are tightened and "shifted left": a vulnerable dependency or insecure pattern is reported to the developer who introduced it shortly after the commit, not to a security tester weeks later. Done this way, DevOps practices make secure coding and releases more manageable, with a better flow of information and a faster path to safe, production-ready applications.
Infosec from all angles
By incorporating infosec at all stages of the software development lifecycle, teams are able to analyse their security objectives from all angles, from the production environment to user experience. This thorough, collaborative approach reduces security risk and can even help developers begin to write more secure code.
Examine the software supply chain
“Confirmed or suspected breaches related to vulnerable open source components increased nearly 50% from 2014 to 2017. Yet, during the same period, the percentage of organizations governing the use of secure components remained the same.”
– Derek Weeks, Sonatype – Sonatype DevSecOps Survey 2017
This is a big one for security and compliance. Although 80% to 90% of a modern application typically consists of assembled open source components, almost four out of ten organizations run without an open source policy, that is, without rules on which components may be used and how known vulnerabilities in them are tracked and remediated.
Sonatype's figures, cited in The DevOps Handbook, show the scale of the security concern this creates:
The typical organization relies on over 7,600 build artifacts and uses 18,600+ different versions. Of these, 7.5% have known vulnerabilities, and 66% of those vulnerabilities are over two years old and remain unresolved.
This is why the software supply chain is key to security. Securing it effectively falls to dev, ops, and infosec teams alike: developers choose the components, ops runs them, and infosec knows which ones carry known vulnerabilities. It is a prime example of why collaboration and communication are absolutely essential.
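The two practices above, shifting security feedback left into the build and governing open source component use with a policy, meet in a single CI gate. The following is an added example written for this page; it is not code from Clearvision, Sonatype, Atlassian or The DevOps Handbook. The component names, advisory identifiers and dates are constructed for illustration and refer to no real package or CVE; the thresholds (block the build at "high" severity or above, flag advisories older than 730 days as stale) and the pip-style `name==version` manifest format are assumptions chosen to mirror the "over two years old" figure quoted above.

```python
"""Supply-chain policy gate for a CI step: fail the build on known-vulnerable components.

Added example. Component names, advisory IDs and dates are constructed and do
not refer to real packages or CVEs. Thresholds and manifest format are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed identifier, not a real CVE
    name: str               # affected component
    introduced: str         # first affected version (inclusive)
    fixed: str | None       # first fixed version (exclusive); None if no fix released
    severity: str           # "low" | "medium" | "high" | "critical"
    published: date


@dataclass
class Finding:
    component: Component
    advisory: Advisory
    age_days: int           # how long the advisory has been public
    blocking: bool          # True if severity meets the block threshold


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
STALE_DAYS = 730            # assumption: echo the "over two years old" statistic


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only (assumption); pre-release tags are not handled."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True if the pinned version falls in [introduced, fixed) for this advisory."""
    if component.name != adv.name:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_manifest(text: str) -> list[Component]:
    """Parse pip-style 'name==version' lines; blank lines and # comments are ignored.
    An unpinned component is rejected because the policy cannot be evaluated for it."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned component in manifest: {line!r}")
        components.append(Component(name.strip(), version.strip()))
    return components


def evaluate(components, advisories, today: date, block_at: str = "high") -> list[Finding]:
    """Match every component against every advisory; one Finding per hit, manifest order."""
    findings = []
    for comp in components:
        for adv in advisories:
            if is_affected(comp, adv):
                age = (today - adv.published).days
                blocking = SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[block_at]
                findings.append(Finding(comp, adv, age, blocking))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Developer-facing lines: what is affected, how bad, and what to upgrade to."""
    lines = []
    for f in findings:
        fix = f"upgrade to >= {f.advisory.fixed}" if f.advisory.fixed else "no fix released; track or replace"
        stale = " (stale: public for more than two years)" if f.age_days > STALE_DAYS else ""
        flag = " [BLOCKING]" if f.blocking else ""
        lines.append(f"{f.component.name}=={f.component.version}: {f.advisory.advisory_id} "
                     f"{f.advisory.severity}{flag}, {f.age_days} days old{stale}; {fix}")
    return lines


def run_gate(manifest_text: str, advisories, today: date) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); passed is False if any finding is blocking."""
    findings = evaluate(parse_manifest(manifest_text), advisories, today)
    return (not any(f.blocking for f in findings)), findings


# Constructed sample input: three pinned components and three advisories.
SAMPLE_MANIFEST = """\
# constructed manifest for the example
example-parser==2.1.0
example-http==1.4.3
example-logging==0.9.0
"""
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "example-parser", "2.0.0", "2.1.4", "high", date(2015, 3, 10)),
    Advisory("ADV-0002", "example-http", "1.0.0", "1.4.3", "critical", date(2017, 1, 5)),
    Advisory("ADV-0003", "example-logging", "0.1.0", None, "medium", date(2017, 4, 20)),
]
TODAY = date(2017, 6, 1)    # fixed "today" so the example is reproducible

if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES, TODAY)
    print("\n".join(report(findings)))
    raise SystemExit(0 if passed else 1)   # non-zero exit fails the CI step
```

Run as a build step, the script exits non-zero when a blocking finding exists, which is what lets a CI server such as Bamboo fail the plan, and its output names the advisory, its age and the version to upgrade to, so the developer can act without waiting on a separate security review. In the sample data, `example-http==1.4.3` is exactly the first fixed version and is correctly not reported, while `example-parser` blocks the build on an advisory that has been public for over two years.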
DevOps doesn’t mean leaving security behind. When it’s done right, DevOps will incorporate security at all stages, and in fact can be one of the most effective ways to integrate information security at all levels of your organization.
Interested in learning more about overcoming security challenges in a DevOps organization? For more details and examples, don’t miss Clearvision’s webinar, which you can now watch on demand. We worked with Sonatype, a leader in the DevSecOps community and publisher of the annual DevSecOps Survey, to bring you a webinar exploring the patterns and practices exhibited by 3,000 high-performance software development organizations.
Watch ‘Build Quality into Production – Managing the software supply chain’ from Ilkka Turunen, Solutions Architect at Sonatype, on demand: https://www.clearvision-cm.com/blog/enterprise-performance-scale-webinars-on-demand/?utm_source=infosec&utm_medium=referral&utm_campaign=event-2017-infosec-europe