DevSecOps: Mission-Critical to Enterprise Resilience

This blog was originally published by Coalfire here.

Written by Caitlin Johanson, Director, Application Security, Coalfire.

Whatever tolerance we had for failure has been turned upside down in the cloud. The consequences, never greater. So, what’s the solution? Nothing is more important to enterprise sustainability than the modern discipline of building security directly into the software development lifecycle.

The cloud’s impact on the speed of development, combined with an ever-expanding attack surface, compels CISOs and InfoSec professionals to adopt steeper, faster learning curves and new AppDev best practices. The top takeaways for achieving a secure reality from the report are:

• Inject security from the outset of all software development
• Embrace the mindset that attacks are inevitable
• Build executive buy-in by tracking business KPIs (not just security metrics)
• Perform threat models to mitigate risks before writing any code

Modern development discipline

The increased risk exposure and expanding attack surfaces in hyperscale, multi-cloud environments have virtually eliminated the margins of error we used to take for granted. With the commercial gains achieved from the cloud’s ability to reduce IT friction, there’s no turning back.

Most product development teams aren’t used to the continuous creation and destruction that cloud workloads deliver, but they should be. Our challenge is managing a constant emergence of risk, while taking full advantage of the cloud’s transformational security capabilities.

Security must be injected into the first sprint, and within every scrum and epic thereafter. The cloud is driving the final leftward shift to a best-practice methodology of DevSecOps, and continuous integration and deployment of security into development lifecycles.

Embedding security into the secure development lifecycle (SDLC) – elements of success:

• Executive buy-in/support
• Dedicated application security resources
• Shift-left security (DevSecOps)
• Defined secure coding standards
• Secure SDLC maturity roadmap
• Application security testing gates
• Cross-functional communication/collaboration

There’s no future of safe spaces – attacks are inevitable. We must operate under the constant, urgent momentum of detection and response.

Executive buy-in

The reality is that the perception of risk is more differentiated than the risk itself. CISOs should develop their intuition in this regard and be able to clearly articulate to executive leadership why their risk needs to be prioritized, show how to integrate those priorities at the forefront of product lifecycles, and make the case for provisioning and budgeting security into the product development process.

Common characteristics among threats to business:

• Continuity after disruption
• Privacy protection
• Stock price/market value
• Ransomware
• Logistics
• Supply chain
• Sketchy/superficial vendors
• Stolen trade secrets
• Nation-state actors
• Brand reputation

Best metrics for AppSec program success:

• Number of High/Critical vulnerabilities found in the development process
• Number of High/Critical vulnerabilities found in production
• Recurring vulnerabilities found in the development process
• Number of incidents/service disruptions caused by security issues

By conducting a stakeholder review, business priorities will rise to the top, which helps set precedent and prioritization for identifying development lifecycle vulnerabilities and managing against their perceived threats.

Threat modeling and DevSecOps architecture

While threat modeling is the key to integrating security into development lifecycles, it’s also where most corners get cut. Threat modeling is thinking through an entire system, then mitigating any possible threats before writing the code. DevSecOps instills the demand for continuous risk prioritization, security scanning, testing, and remediation.

Repeating the secure product mantra brings home the point and sets the tone for what happens in the cloud: everything scales. Continuous, dynamic development across the enterprise is the new norm. This approach trickles down to help establish protocols within software development teams, making security checkpoints foundational to code development.

When it comes to secure development – like the 88 keys on a piano, there are millions of sounds and inflections that can be produced. Though incalculable, there’s still a limited framework that a musician must work within.

Threats can be modeled, but not all can be accounted for. Intuition plays a vital role in strategic risk management. Logical thinking, feeling, choosing, and playing the right notes work together to secure the development lifecycle, and the lifecycle of the organization itself.

Check out the full interactive experience of smartest path to DevSecOps transformation to gain more insights.