Scaling security through DevSecOps & dev-first security

January 21, 2020 | in DevSecOps | By Guy Podjarny


Digital transformation is not a buzzword – it’s a force. Practically all businesses, big and small, seek to make technology their core and to accelerate their ability to adapt to the market. And yet, as entire enterprises seek to reshape themselves to meet these new challenges – security stays behind. 

Security practices remain unchanged from the ones used two decades ago. These practices keep security teams separate and uninformed, resulting in insecure applications as others run past them. They put security teams in the critical path, slowing things down when everybody else tries to go faster. And they require cybersecurity talent to magically appear as the digital business grows, despite over a decade of severe talent shortage. 

This is not the path forward. We need a new approach to security, one based on the new reality, not a slight modification of what we did last year. I believe this approach is dev-first security, and hope this post will get you thinking the same. 

If we’re going to base our approach on the new digital reality, we first need to understand it – what are the key changes that take place during Digital Transformation, and what is their impact on security? We’ll break it up into three main changes: Digital Business, Cloud and DevOps. 

Digital business: more software = more software risk

At the core, digital transformation means shifting more of your business to be based on technology. This means using technology to deliver value and innovation you previously provided via physical or manual means. There are many examples, such as moving from stores to online shopping, having robots move warehouse goods around instead of people, or guiding your trading by algorithms instead of brokers.  

When more of your business becomes digital, more of your business risk becomes digital too. Your customers’ data is managed by software, your revenue channels require your systems to be running, and your secret sauces are stored in code repositories. 

Simply put, more software equals more software risk. 

For security, this change means realizing that securing a digitally transformed business requires more emphasis on software security. Other risks are still alive and kicking, but as more of the business becomes digital, security must follow suit. Such a change affects the entire security organization, including who the CISO reports to, how the security budget is split, what the security org structure is and much more.

Cloud: infrastructure becoming part of the app

Commercial revolutions typically rely on disruptive innovations – and in this case, it’s the Cloud. By turning hardware into on-demand software, the Cloud made it easier and cheaper than ever to add new technology to your business, as well as scale it to customer demand. Creating new apps continued to get easier and easier with new technologies building on these Cloud beginnings, such as containers and serverless. 

This shift raised a question of ownership for this virtual infrastructure stack. At first, the teams managing your own hardware extended to support the virtual one as well. Many practices, such as managing open ports and patching servers, were similar and could – in theory – just continue as is.

In practice, however, the cloud opportunity offered more. Elastic scaling means you can spin up a machine without a process for managing capacity. A VPC (Virtual Private Cloud) means one deployed system is naturally isolated from another, sparing the need for mapping it in the datacenter-wide routing scheme. Cloud lets you drop the interdependencies between applications, letting each make infrastructure decisions faster. Cloud doesn’t just make infrastructure software-defined, it lets it be part of the application.

Security-wise, this requires rethinking how to protect against infra-related threats – and who does it. The risks didn’t go away – a container can have unpatched vulnerable components just like a server you own, network access to sensitive data can be overly permissive in either setup, etc. But the people creating and maintaining the infrastructure are no longer central IT – they are application developers.

DevOps: empowered & self-sufficient teams

The change in infra ownership affects operations at least as much as it does security and played a key role in the rise of DevOps. DevOps preaches having developers and ops teams share responsibility for keeping the applications running and performant. This new mindset counters long-established realities of dev “throwing code over the wall” for someone else to run, and ops getting in the way of change to minimize the risk that comes with it. 

The benefits of DevOps practices, originally theoretical, have since been statistically proven. Companies embracing DevOps have better uptime and performance, lower operating costs, ship applications faster and attract better talent. As a result, these businesses adapt to market and customer needs faster and perform better than their competitors. 

Changing an organization to embrace DevOps isn’t easy, and is a core part of Digital Transformation. It relies heavily on the concept of self-sufficient application teams, who are able to own their applications throughout their lifecycle and move fast without any external dependencies. Alongside them, many ops teams evolved to be “DevOps” or SRE teams, acting as a center of excellence for operations. These teams no longer aim to operate the software themselves but instead support developers with tools, knowledge, and expertise to empower them to be self-sufficient.

Security, however, did not come along for the ride. Security teams stayed outside the DevOps groups, typically reporting to a different leader and operating with entirely different processes. These teams remain outside the information flow, resulting in insecure applications being shipped as the experts do not have the information they need. Furthermore, when security teams step in to audit, they slow down delivery, negating the original business goal. Just to throw some salt on these wounds, security teams are heavily understaffed, a situation perpetuated by the severe talent shortage the cybersecurity industry is suffering from.

Dev-first security & DevSecOps

Hopefully, it’s clear by now we need a new approach to security in this digitally transformed world of Cloud and DevOps. The new approach, sometimes referred to as DevSecOps (a powerful but abused buzzword), must be anchored in these new technologies and methodologies, building security into them from within. It needs to champion self-sufficient teams and accelerate the business instead of slowing it down. In other words, it needs to be developer-first. 

Dev-first security means the majority of security work is done by developers. This should include the vast majority of security design, security testing, security backlogs and of course remediation, to name a few. Application development teams need to be self-sufficient and able to own these responsibilities, and be trusted by the organization – and the security team – to do so. With such ownership in place, developers can secure their applications as they build them and at their own pace.

Security teams play a key role in such a change. Just like Ops teams before them, they need to adapt, switching from implementor to mentor, from owner to supporter. Developers will naturally have lower security expertise, requiring security teams to find ways to distribute knowledge, build tools and empower developers to successfully secure their apps by many different means. They also need to continue to govern and monitor security, so they can know their current security state and help both parties get continuously better. 

This is a big change, requiring not just a change in attitude but a change to the skillset within security teams. Justin Somaini, a modern security leader and the previous CISO of Yahoo!, Box, SAP and more, expects that as much as a third or half of the security workforce would rotate. The new teams, however, will benefit from being able to put their expertise to good use more often, instead of fighting a losing battle of catch-up.

Last but not least, it requires an overhaul of security tools. It requires security solutions that see the developer as their most important user – even if security is the one signing the cheque. Such solutions should look less like the legacy application security providers of today, and more like developer tools companies. Over time, such solutions will displace the old guard, as they did for the world of DevOps.

Summary

Digital transformation is a force, propelling businesses to move faster and faster. Organizations that embrace it, implementing DevOps well and embracing the Cloud, are building a competitive gap in the market, while those who lag behind may never be able to recover. 

However, the journey is not complete until Security joins the ride. As was the case with DevOps, organizations looking ahead and embracing DevSecOps and a dev-first security approach will see better business results than their peers. Right now it’s a leap of faith – in a few years it will be science.