Have We Hit the DevSecOps Tipping Point?
Integrating Security into the Software Development Life Cycle in today's technology focused organizations
A number of high-profile attacks and a growing threat of nation state actors is driving increased demand for improved security programs within Software Engineering organizations. Larger organizations are moving to improve security processes, however small and mid-sized organizations are mostly left wondering how to get started. Prevention is better than cure; A consistent software architecture which takes account of security practices can significantly avoid malicious attacks and reduce data breaches.
In this article, we will identify a number of the challenges faced by all organizations and some specific challenges faced by small and mid-sized businesses, followed by ideas about how to get started and initial areas of focus. Organizations like ISG (Intent Solutions Group) have recognized an increased number of requests for support with DevSecOps (Development Security Operations), which embeds security into the early stages of design and development processes.
Security Challenges and Impacts
Unfortunately for the software industry, there are a vast number of growing examples where even the largest software organizations have paid for careless mistakes seemingly due to a lack of focus on security. In July of 2020, a 17-year-old hacked Twitter, a $1.4 billion a year organization, from the convenience of his bedroom. Another would be a logic flaw in the code of Zoom's virtual meeting platform allowed hackers "Zoom Bombers" to control a San Antonio Texas school board's conference meeting. To their credit, Zoom has been responsive in fixing such logic and privacy issues but it has not come without unwanted negative publicity. When organizations review their protocols; security has become more prominent, leading to an increasing demand for more secure Software Applications and data protection.
For many organizations, it is the cost of a breach that is the most concerning, even if/when the breach doesn't result in negative publicity. According to the US Bank's full-scope analysis on customers' risks in 2017, 82% of all businesses failed because they were unable to maintain sufficient cash flow. A recent IBM/Ponemon Institute study calculated the cost of a data breach at $242 per stolen record, and more than $8 million for an average breach in the US. As IBM states further in its analysis, organizations can multiply their customer base by $200 - $250 and determine their liability, without consideration into further potential legal action which can run into the millions or hundreds of millions.
Barriers to adoption of a Secure Software Development Lifecycle
Why aren't more organizations focused on AppSec( Application Security) and DevSecOps, or moving to a Secure Software Development Lifecycle (SSDLC)? Here are some observations from our work in the field:
Puppet’s 2019 State of DevOps outlines this “Adopting DevOps practices opens the door to integrating security into the entire software delivery lifecycle — in fact, we’d argue security integration should be a natural part of any DevOps effort. But many companies are getting stuck in the middle stages of DevOps evolution, making it difficult to begin security integration”. According to Gartner's Market Guide for Zero Trust Network Access, "fewer (security) alerts does not equate with being more secure; rather it might mean you are more blinded by the lack of visibility. Lack of visibility does not equate to a lack of security vulnerabilities". In other words, it is crucial to acknowledge the hidden security signals and ensure the surveillance throughout software development phases.
Ideas for adoption of a Secure Software Development Lifecycle and DevSecOps
What can an organization do to start working towards a more secure application platform? Below are some items that aren't necessarily technically complicated but may be complicated politically:
ISG takes action with support for DevSecOps and Secure Application Development Lifecycle
Intent Solutions Group (ISG), a global software engineering and R&D firm located in Boston, recognizes the dangers of lack of preparation and has been focusing on shifting security into the development process with their clients.
CEO Robert Rae says, “The Software industry is learning how to seamlessly integrate security processes and technologies into the software development process (DevSecOps, Shift-Left Security, AppsSec, 2SDLC (software development life cycle), etc). Thinking about security at the end of the software development cycle was just not working. The required mindset change seems to be the biggest hurdle. Security specialists have to not only be involved but be committed to the same deliverable as agile teams. Engineers need to learn how to include Security Specialists into the development process. Cloud platform providers like AWS are making the necessary security technologies available at a cost that is affordable for all organizations, so the cost hurdle has largely been eliminated."
Intent Solutions Group has successfully integrated Application Security into services for their clients. As this article has shown DevSecOps emphasizes cross-functional collaboration among development, security and operation teams, as well as technology integration to resolve vulnerabilities in all stages of the secure software development life cycle. The framework is proven to reduce the risk of detriments from cyber attacks and data breaches and maintain organizational continuity. These points were briefly touched on in ISG's previous Article "Guided by Candlelight" which also gave readers proactive and measurable steps to help combat the onslaught of threats bombarding today's technology organizations.
As Robert Rae discusses the services offered by Intent Solutions Group including Design, Development, QA, and Managed Services, ISG analyzes the product's fundamental structure and utilizes the customized methodologies. As a result, the initiative helps to reduce time wasted, improve sprint velocity, and address future costly incidents while ensuring to build the right product and software.
With the examples provided within this article we believe the topic of Application Security has hit a tipping point and Software Executives are quickly understanding that they must improve AppSec now. Larger Software Engineering Organizations have the ability to build these capabilities in-house, however small and mid-sized Software Engineering Organizations will look to partners like Intent Solutions Group.