DevSecOps, Application security

Cloud security must belong to everyone in the development cycle

CISA Director Jen Easterly has directed federal agencies to patch Log4j in two weeks. Today’s columnist, Natalie Kriheli of Vulcan Cyber, says adopting a DevSecOps approach can help companies more effectively manage bugs like Log4j. (Photo by Kevin Dietsch/Getty Images)

As organizations face new threats almost every day, it’s crucial that security remains top-of-mind throughout the development process. 

Until about a decade ago, development, IT operations, and security operated as distinct, sequential stages of software production. At the conclusion of each phase, the work would get passed along to the next stage in the succession, until it stood on the brink of general release. Then it would cascade onto the final step, security, where the team would identify, manage and hopefully mitigate any vulnerabilities. But then, as cloud computing generated new efficiencies and possibilities for software, this waterfall model of development gave way to something more efficient.

The development and implementation stages were combined into a single phase in what became referred to as DevOps. Application development, operational agility, and software delivery all accelerated to take advantage of the capabilities enabled by the cloud. But it still left the security team’s work waiting until the end of the process, creating bottlenecks that forced an often-costly tradeoff between efficiency and security.

Meanwhile, threats grew more sophisticated. What had at one point been regarded as little more than a nuisance of spam email and inadvertent data leaks, was morphing into a frontal onslaught of attacks by well-organized criminal gangs. Bad actors automated their assaults seeking ransom money, credit card money, confidential information, and malicious mischief, leveraging many of the same technologies that had delivered efficiencies to legitimate businesses for their own illicit purposes. Security, as a result, has transformed from being almost an afterthought to becoming a central question of every modern software deployment. We see a steady cadence of the consequences of bad cyber hygiene – major breaches of sensitive data left exposed because of a critical vulnerability left unaddressed. How can companies secure complex cloud environments where vulnerabilities abound? 

DevSecOps can become the solution. Think of DevSecOps as a cybersecurity philosophy that confronts modern threat environment by introducing security throughout the development pipeline so that vulnerabilities are identified and addressed quickly, rather than leaving a tranche of problems for the security team to deal with at the end, creating an inevitable bottleneck. DevSecOps will inevitably help organizations balance cyber risk management and hygiene while enabling developers to achieve higher degrees of agility, consistency, and speed.

In the age of DevSecOps and CI/CD, it’s essential that developers themselves are engaged in these efforts as they design, build, and deploy applications. This can be as simple as using coding libraries that are secure, rather than those that come riddled with vulnerabilities, and ensuring that permissions and privileges are up-to-date and relevant, and, importantly: test early and fail fast. The earlier teams can catch problems, the smaller the chance they have of turning into a bigger problem down the line, after it’s embedded within the network.

Today, however, scanning applications and cloud deployments for vulnerabilities cannot keep up with the warp speed of modern business, which can pose a real problem and leave security holes unaddressed and software unpatched. Even as security has shifted left in the development cycle, still Automox reports that some 60% of data breaches stem from unpatched software and the amount of time it takes organizations to patch vulnerabilities takes too long, stretching from four weeks in 70% of instances to more than a year in the most dire circumstances.

In the case of cloud-based applications, it means that containers, their access permissions, and the infrastructure’s code all must gets scanned for vulnerabilities, and security teams must prioritize and remediate these vulnerabilities quickly. While all the major cloud providers know how to protect themselves and offer security guidance to their customers, unless their guidelines are observed, it's likely that organizations are still vulnerable to attacks. Security teams must addressing cyber risk at cloud scale can only do this with the support of all IT teams and the assistance of automation. 

The impact and severity of the recent Log4j vulnerability could have been reduced if more application security organizations had a better way to identify and track vulnerable code used in production systems. Too many organizations today are asking the questions: “Are we running Log4j?” and “Is Log4j used in a business critical application or system?”

But now, many IT security teams are scrambling to retroactively find and mitigate Log4shell and they find themselves stuck between a rock and a hard place. Risk exploit of the vulnerability, or take down business-critical, production code and the applications and systems that run on it.

The power and efficiency of a well-run DevSecOps model could have minimized the Log4j vulnerability impact on application and IT security teams by orders of magnitude. A DevSecOps model helps to make everyone in the process, regardless of the project’s development stage, mindful of security – even those who formerly believed that their job was limited to writing code. With DevSecOps, we aim to have everyone’s help in revealing security issues early in the process instead of waiting until the end and then having to rework everything.

However, DevSecOps doesn’t mean the end of security teams. Rather, it means security teams are no longer at the end of the line. Instead, the security team’s focus shifts to dealing with the inevitable phishing attacks, denial of service efforts, and other malicious behaviors that have become a hallmark of modern business. In addition to implementing specific rules, like not allowing the opening of Port 80 under most circumstances, or not creating unencrypted buckets of data, their essential role involves building processes and implementing tools that enable everyone in the development pipeline to be actively mindful about security.

Cloud security has become a profound challenge today as more sensitive information – personal, financial, medical, and otherwise – moves to the cloud. Modern threats require not just modern technology to confront, but modern methodologies and processes. It’s with this in mind that organizations must implement DevSecOps practices to start combatting the vulnerabilities and subsequent breaches that cause so much harm, and yet occur with a frequency that only increases. It’s the responsibility of everyone throughout the development lifecycle – even for those who think they only should be writing code.

Natalie Kriheli, team lead, DevOps, Vulcan Cyber

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.