4 ways remote work has changed DevSecOps

Jayne Groll CEO, DevOps Institute
 

As IT professionals adapt to remote and hybrid work models, roles are being redefined to broaden and diversify expertise and skill sets. One particular focus area that continues to evolve is the nature of security practices across IT roles and landscapes.

As DevOps practices continue to permeate industries and IT organizations, security tactics and measures are at the forefront of digital transformation journeys. DevSecOps practices must inherently address remote and hybrid work environments, which adds yet another layer of complexity to the equation.

To better understand how remote work has affected DevSecOps practices, I asked several speakers scheduled for the DevOps Institute's upcoming SKILup Day for their insights. Here's what they had to say.

1. Acceleration of digital transformation initiatives

DevSecOps, an augmentation of DevOps to allow for security practices to be well integrated into DevOps practices, has spiked as remote work has forced many organizations to accelerate digital transformation initiatives. To address the demands of those accelerated initiatives, the centralized security team must adopt a federated model to allow each software delivery team to factor the proper security controls into its DevOps practices.

Dheeraj Nayal, global community ambassador and region head for Asia Pacific, Middle East, and Africa at the DevOps Institute, said that organizations need to communicate the importance of security and implement security models "deep into the foundation of the delivery lifecycle" to generate market advantages, strengthen brand reputation, and enhance customer value.

"The traditional gatekeeper role that security teams have long been playing is no longer relevant for distributed teams."
Dheeraj Nayal

Despite all the tools related to communication, collaboration, and productivity, Nayal said, effectively running and managing a distributed workforce doesn't come easy. Yet, given the fact that distributed teams have now become the norm, "looking at security as an obstacle to quick application development is too risky."

2. Security is shifting to developer-first

Since the past year and a half has accelerated digital transformation for countless companies, teams are evaluating a shift to the cloud and adoption of DevOps practices. This puts more pressure on software development teams as the focus on security is shifting to earlier in the software delivery lifecycle.

And, in turn, this has led to an increase in developer-first security practices and tools within the enterprise, said Joni Klippert, co-founder and CEO of StackHawk, which provides tools to help developers find and fix security bugs.

"Security teams know that the only way to keep up with the pace and scale of DevOps is to introduce automated, developer-centric security tooling. Ultimately, this shift will result in the enterprise delivering features faster and more securely."
Joni Klippert

Kendall Miller, president of Kubernetes security firm Fairwinds, said, "The most obvious change is that developers could no longer push code from a tightly controlled internal network in an office setting." This may seem minor, but it required a shift in IT practices to allow secure development from remote locations, he said.

As a result, this caused organizations to rethink security from the ground up, in some cases triggering an audit that would have never otherwise happened, Miller added.

"It is almost certain that a lack of good security practices enabling remote work has had a significant impact on the wave of recent ransomware attacks."
Kendall Miller

3. The need to address security vulnerabilities at remote offices has increased

Distributed teams have a greater propensity for exposing organizations to the possibilities of network, software, and other threats and vulnerabilities. While it is critical to provide teams with tooling that easily integrates with the tech stack and infrastructure without being disruptive or imposing drastic learning curves, remote workers need to be able to be productive from day one.

Rob Cuddy, global application security evangelist at DevOps provider HCL Software, said that being able to quickly identify issues in context while coding helps to minimize new vulnerabilities from being introduced.

"For development teams, where security is concerned, the ability to do a sanity check on code before committing it to an integration area is important."
Rob Cuddy

This is also where Software Composition Analysis (SCA) has really shown up, he said. It may be a lot easier for a remote worker to introduce malware or other problems into their environment through a home Wi-Fi network, forgetting to use a VPN, or just not having access to known repositories that would be available in a secured office location. "Being able to have confidence about what is being consumed and delivered is important," he said.

4. There's now a greater emphasis on relationships and communication

Mark Peters, technical lead at DevSecOps provider Novetta, said that challenges existed but that the need for collaboration remains.

"Remote work does not change the need to interact with people, only the means by which we do so. But teams have to work harder to ensure collaboration. It is different when the security expert sits in the daily Scrum as opposed to merely dialing in and being another face in the crowd."
Mark Peters

In many ways, security is about building trust and relationships, said Neelan Choksi, president and COO of Tasktop, which provides app dev tools. 

"With the remote work situation, unless constant communication is already in a company's DNA, we've lost many of the ad hoc opportunities to connect, build relationships, and have an informal awareness of priorities and issues of our software delivery teams."
Neelan Choksi

Remote work makes it even more important that DevSecOps be embedded into the fabric of a software development and delivery organization, he said. This includes the need for automated security testing, shifting security and testing left into the development process, training developers on how to code with agile security practices, and doing continuous monitoring.

We've reached a tipping point

Remote work and the new forms of online collaboration have rapidly increased people’s reliance on technology systems for the transfer and storage of data. More than ever, security needs to be a fundamental and inclusive part of an enterprise's IT strategy—today, and not tomorrow.

A recent example was making the mistake of posting source code snippets online for review, which is how hackers were able to break into EA Games’ Frostbite engine to obtain sensitive information and breach the game publishing giant.

Information is now the greatest and most highly valued resource on this planet. Organizations that used to be able to mostly keep it within four walls now have people rapidly transmitting it over the airwaves and storing it in locations far from home.

Stephen Walters, sales engineer at DevOps provider Everbridge, said the risk was higher than ever.

"At a time when the value of data is at its highest, never has it been more vulnerable or exposed to those who would take it from us to use in ways not anticipated. This has driven the need for security more than ever and promoted the need for DevSecOps solutions."
Stephen Walters

Cyber resilience hinges on the human factor

Perhaps the biggest challenge to enabling hardened security practices today is people. Humans are human; we all make mistakes. But it is how we learn to make ourselves more resilient to change and emerging threats that matters now more than ever. We talk all the time about baking security practices, processes, and tooling into our ways of working. But we must first invest in what matters most: the human elements of DevSecOps.

If you'd like to learn more from these experts about the challenges and solutions for DevSecOps, register for DevOps Institute's upcoming DevSecOps SKILup Day.
