The technological innovations of recent years, in particular the ability to deploy infrastructures in the cloud very quickly, have highlighted the limits of traditional waterfall software development methods, based on a sequential succession of predefined stages.
This has led to the emergence of agile methods and the DevOps culture, marked by shorter production cycles, automation and the attenuation of the historical divide between development teams (Devs) and infrastructure administrators (Ops), summed up by the famous motto of Werner Vogels, CTO of AWS, "you build it, you run it".
Companies that have successfully adopted this cultural change have managed to significantly reduce their "time to market", by deploying their software products with a speed that was previously inconceivable.
However, this increased speed has introduced new challenges for application security: how can vulnerabilities be avoided while ensuring several deployments per week or even per day?
We believe that the recent DevSecOps approach is the right way to meet this requirement.
Here are the 3 areas we believe to be the most important:
Shift security to the left
It is universally accepted that securing an application after the fact is far more costly than integrating security requirements from the outset. So there is no debate about the need to integrate security from the outset (on the left of the time axis), but how do you go about it in practice?
Bringing a security expert on board every development team is costly and does not scale easily. On the other hand, the security team (when there is one!) can be too risk-averse and abuse its power of veto, causing undue delays in deployment.
DevSecOps offers these practices:
- Train coders in secure development, for example by drawing on the wealth of material made available by the Open Web Application Security Project (OWASP);
- Facilitate communication between Devs, Ops and Security, for example through information-sharing sessions, conferences and collaborative workshops;
- Promote security as a state of mind and a corporate value.
Automate security checks
Security controls must be implemented throughout the code lifecycle, in other words in the continuous integration and delivery pipeline. The suite of automated tests must be enriched with security-related tests, ideally by integrating static and dynamic code analysis tools. We have recently seen the emergence of the term Test Driven Security (TDS), inspired by the better-known Test Driven Development (TDD).
The risk at this stage is that false positives will multiply; it is very important to keep their number under control through tuning, so as not to wrongly delay deliveries, speed of delivery being the crux of the matter!
The generation of security-related metrics goes hand in hand with this automation effort, and provides the KPIs that are essential for communication with business managers.
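An added illustration of the tuning and metrics steps just described, not code from the original article: a small pipeline gate that blocks a delivery only on findings that are above an agreed severity and not already triaged, keeps reviewed false positives in a baseline with a written justification, and emits the counts that feed the security KPIs. The report format, rule ids and file paths are constructed for this example and do not correspond to any particular scanner.

```python
from dataclasses import dataclass

# Severity order used for the gate threshold (constructed for this example).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    rule: str      # scanner rule id (e.g. a SAST check name)
    path: str      # file the finding points at
    severity: str  # low / medium / high / critical

def fingerprint(f: Finding) -> str:
    """Key used to match a finding against the tuned baseline. Line numbers are
    left out so a reformat does not resurface a triaged false positive as new."""
    return f"{f.rule}:{f.path}"

def evaluate(findings, baseline, fail_on="high"):
    """Gate a pipeline stage: block only on findings that are above the agreed
    severity and not in the baseline of reviewed false positives / accepted risks.
    Returns the verdict and the metrics a security dashboard (KPIs) would consume."""
    threshold = SEVERITY_RANK[fail_on]
    blocking, accepted, below = [], [], []
    for f in findings:
        if fingerprint(f) in baseline:
            accepted.append(f)   # tuned away with a written justification
        elif SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)   # new and serious: stop the delivery
        else:
            below.append(f)      # tracked in metrics, does not block
    metrics = {
        "total": len(findings),
        "blocking": len(blocking),
        "accepted_false_positives": len(accepted),
        "below_threshold": len(below),
        # A rising ratio signals the scanner needs re-tuning, not worse code.
        "false_positive_ratio": round(len(accepted) / len(findings), 2) if findings else 0.0,
    }
    return {"pass": not blocking, "blocking": blocking, "metrics": metrics}

# Constructed sample report for one commit (hypothetical rule ids and paths).
SAMPLE_FINDINGS = [
    Finding("sql-injection", "app/orders.py", "high"),
    Finding("hardcoded-secret", "tests/fixtures.py", "high"),  # test data, not a real secret
    Finding("weak-hash", "app/legacy.py", "medium"),
]
# Baseline written during tuning: fingerprint -> justification for accepting it.
SAMPLE_BASELINE = {"hardcoded-secret:tests/fixtures.py": "dummy value in test fixture"}

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_BASELINE)
    print("FAIL" if verdict["blocking"] else "PASS", verdict["metrics"])
```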
Appoint security champions
As mentioned above, it is not viable to position security experts in each development team: the approach recommended by DevSecOps is to promote security champions among the members of the Dev and Ops teams. These "champions" should become the relay for the security team, through a process of awareness-raising and training.
Their responsibilities may include the following:
- Deciding when to ask for expert security advice
- Leading code reviews (Dev) and configuration audits (Ops)
- Coordinating threat modelling
- Raising awareness of good security practices among colleagues
It is important to point out that these new security practices do not eliminate the importance of carrying out regular application penetration tests and equipping yourself with a log analysis and correlation system (SIEM), ideally administered by a Security Operations Centre (SOC).
By Giuliano IPPOLITI (CISO and Western France Director at Cloud Temple)