RSA Conference 2016: Application Security moves into the DevOps era

Juan Carlos Perez, Writer, Freelance

As information security stakes reach stratospheric levels due to massive, frequent and brazen attacks, many IT security managers are weighing whether DevOps can improve applications’ protection against data thieves.

Given this confluence, it’s no surprise the topic has gained prominence in conferences like RSA, which last year added “DevOps” to the title of its long-standing Application Security track. The discussion continued at this year’s conference, which included the all-day “DevOps Connect: Rugged DevOps” event and the “DevOps Throw Down” session.

Proponents of the so-called DevSecOps maintain that by integrating IT security pros into a unified team with developers, operations admins and testers, they’ll be able to check for vulnerabilities earlier and more frequently during application development and deployment. With increased communication and collaboration, security knowledge will be shared outside of that team, for the benefit of developers, ops and testers, according to DevSecOps backers.

However, others worry that inserting security into DevOps' way of working may actually weaken security, since it requires a reorganization of the application security process by forcing it to be more iterative and faster. Since DevOps is more of a philosophy than a method, there is no standard way of adopting it, which sometimes leads to derailed implementations. Lack of understanding about DevOps, or skepticism about its potential benefits, can create friction with an organization’s security team.

It’s simpler for smaller teams to do DevSecOps

Damon Edwards, founder and managing partner of DevOps consultancy DTO Solutions, notes that, as is often the case with DevOps in general, small startups have an easier time integrating security into the DevOps process. “In larger organizations it’s more of an issue because security is more centralized and viewed as more of a hurdle to get past or a box to check at the end, versus something you build in early in the application lifecycle,” says Edwards, who participated in the “Rugged DevOps” event.

This creates a reference problem for DevOps in general, and for its intersection with security, according to Shannon Lietz, Director of DevSecOps and of Security Engineering at Intuit. “DevOps is still early days. Most implementations are grass-roots and there are very few companies to point at as beacons,” says Lietz, who served as moderator of the “DevOps Throw Down” session, which featured three panelists.

“The companies making the transformation are head-banging their way through skill changes, process issues, and a lack of technology to solve their problems.” --Shannon Lietz

Yet, DevSecOps can give companies a serious competitive differentiator that leads to safer software sooner, says Lietz. “This is what makes DevOps so truly potent and something to chase as quickly as possible.”

DevSecOps testimonial, product

There was at least one major case study for DevSecOps slated for the conference: Officials from a cybersecurity subsidiary of BBVA were scheduled to speak on Friday about the Spanish bank’s adoption of “Security as a Service” and DevSecOps.

According to a description of the session, DevOps and continuous integration are “the new normal” at BBVA, so the subsidiary, called Innovation 4 Security, has devised a security-as-a-service approach that covers the entire lifecycle, “from secure development to deployment of security products and their operation with a platform called Chimera.”

“SecDevOps is part of our culture now,” reads one of the presentation’s slides.

Meanwhile, startup Signal Sciences launched a web application firewall at the conference that it says is specifically designed with DevOps teams in mind. The company built the product “in response to our frustrations of trying to use legacy WAFs (web application firewalls) while enabling business initiatives like DevOps and cloud adoption,” the company says.

Shift left for DevSecOps

The key to making security part of the DevOps process—along with development, operations and testing—is to “shift left,” Edwards says. By this he means to start security probes early in the development and deployment process, instead of making security a one-time checkpoint through which applications pass once they’ve been built.

“Security must go from being a gatekeeper to being something that’s done early and often.” —Damon Edwards

Along with this, security pros must change the vision of their mission away from one in which they get one shot at attempting to proactively prevent 100 percent of software vulnerabilities. Rather, the DevOps mindset is one of continuous improvement, where instead of a priori perfection, the goal is to learn incrementally so that mistakes are identified quickly and early, corrected, and not repeated, Lietz says.

Move to security as code

Software-propelled automation is a cornerstone of DevOps for development, deployment, operations, and testing. Security can’t be an exception, says Lietz. If a company has a DevOps approach to software development and delivery, but the security team isn’t part of it, it won’t be able to keep up with the increased speed and frequency of code releases. “Enterprises can scale their security practices by embracing DevOps and transforming security into consumable services,” she says.

Security teams must build and test their own tools to understand the weight of the processes and controls they develop. “But most importantly, an enterprise can significantly gain by reuniting the silos typical of most complex security programs,” Lietz says.

There’s work to be done

While DevSecOps is a topic that’s very much on the table, enterprises don’t seem to be completely clear about it, judging by the conversations, comments and presentations at this year’s RSA, Lietz says. “A majority of the talks have touched on or mentioned DevOps but don’t fully explore what it means in terms of change. There is still confusion about how security professionals fit into DevOps.”