DevOps and CD in the crosshairs: A new approach for security in 2017
As we settle into 2017, there’s plenty of uncertainty surrounding the security and privacy of our digital world. Much of this uncertainty stems from the escalating intensity of cyberattacks against consumers and businesses, the evolution of the Internet of Things (IoT) as a weaponized battlefield, and uncertainty as to what impact of the incoming administration will have regarding the government’s position on privacy.
But the shift by attackers from systems to the applications is the bigger trend that should worry software professionals. This threat requires a different approach to security. Here's why.
Hackers zero in on DevOps and CD
Nasty people who want to do ugly things constantly seek out high-value targets that give them the most leverage over victims, with the least amount effort. There’s even a well-known term in certain circles, known as “compromise impact efficiency.”
Continuous delivery / continuous integration (CD/CI) pipelines that are now widely adopted at companies practicing agile development and DevOps are now a huge target. Consider the impact of advanced persistent threat (APT) malware, but applied at the application level, instead of the system level. If threat actors can breach the software development pipeline, they can control your company by subverting its software code and components.
Healthcare and financial services organizations have some of the most valued data, and so are likely to be attacked first. These attacks will be aggressive and very public, so DevOps teams will need to live up to new standards of testing and prevention—preferably harmonizing these operations with existing DevOps tools and functions.
DevOps teams become more critical security players
As distributed computing and TCP/IP took hold in the early 1990’s, the information security world revolved around resource access control facility (RACF) and TopSecret—mainframe access management. Distributed computing and network security had never been issues before, so there were no skilled security practitioners to get the job done.
The result: Network security was owned by the network organization. The same thing happened when web application security became a demand: Web developers were responsible for implementing security controls (e.g. web access management) even though the central information security organization was providing guidance and standards.
Just as network security ownership defaulted to network teams in the 1990s, the same will be true for agile security and DevOps teams in 2017. Cloud and agile technologies are being adopted faster than ever, and the industry doesn’t have time to wait for information security to develop the needed skills. Therefore, DevOps teams will be on the hook for implementing actual security controls.
The successful security team will recognize this, and seek to provide tools that harmonize with this trend, instead of fighting it. In so doing, these teams will maintain high degrees of visibility and create leverage for their already-stressed resources.
With new threats comes opportunity
Software professionals have said for over a decade that security should be built in, not bolted on. Here’s a prime opportunity to move towards that reality. How will your team or operations make it happen in 2017?
Image credit: Flickr