Have We Hit the DevSecOps Tipping Point?
Integrating Security into the Software Development Life Cycle in today's technology focused organizations
A number of high-profile attacks and the growing threat from nation-state actors are driving increased demand for improved security programs within software engineering organizations. Larger organizations are moving to improve their security processes; small and mid-sized organizations are mostly left wondering how to get started. Prevention is better than cure: a consistent software architecture that takes security practices into account can significantly reduce exposure to malicious attacks and the likelihood of data breaches.
In this article, we will identify a number of the challenges faced by all organizations and some specific challenges faced by small and mid-sized businesses, followed by ideas about how to get started and initial areas of focus. Organizations like ISG (Intent Solutions Group) have recognized an increased number of requests for support with DevSecOps (Development Security Operations), which embeds security into the early stages of design and development processes.
Security Challenges and Impacts
Unfortunately for the software industry, there is a growing list of examples where even the largest software organizations have paid for careless mistakes that appear to stem from a lack of focus on security. In July of 2020, a 17-year-old hacked Twitter, a $1.4 billion a year organization, from the convenience of his bedroom. In another case, a logic flaw in the code of Zoom's virtual meeting platform allowed "Zoom Bombers" to take control of a San Antonio, Texas school board's conference meeting. To their credit, Zoom has been responsive in fixing such logic and privacy issues, but it has not come without unwanted negative publicity. As organizations review their protocols, security has become more prominent, leading to increasing demand for more secure software applications and stronger data protection.
For many organizations, it is the cost of a breach that is most concerning, even when the breach does not result in negative publicity. According to US Bank's full-scope analysis of customers' risks in 2017, 82% of all businesses that failed did so because they were unable to maintain sufficient cash flow. A recent IBM/Ponemon Institute study calculated the cost of a data breach at $242 per stolen record, and more than $8 million for an average breach in the US. As IBM states further in its analysis, organizations can multiply their customer base by $200 - $250 to estimate their liability, without considering further potential legal action, which can run into the millions or hundreds of millions.
Barriers to adoption of a Secure Software Development Lifecycle
Why aren't more organizations focused on AppSec (Application Security) and DevSecOps, or moving to a Secure Software Development Lifecycle (SSDLC)? Here are some observations from our work in the field:
- Development teams are typically at 110% capacity and are not able to take on extra responsibilities for security. Within software development teams, security is yet another set of tasks with deadlines, competing with 8-12 other high-priority items.
- Security reviewers aren't committed to the same deadline, or to any deadline. Engineering teams focus on delivering successful sprints and Product Managers aim at the next game-changing end-user functionality. In most cases security experts do not gain an understanding of the software development lifecycle and do not embed themselves within the development teams, taking tasks through to completion and agreeing to the same deadlines as the rest of Engineering.
- Security is one of those areas like insurance where people see the value but tend to push off investing until it is too late. Many Organizations continually de-prioritize security related efforts.
- Many Software Engineers have not had the proper training and are not provided with the proper tools to help ensure good Application Security. DevOps resources who are largely focused on migrations to microservice architectures also need training on a new set of technologies that get integrated into the DevOps processes.
- Security isn’t typically a high priority when it comes to product releases. Often there is pressure to deploy a feature or an upgrade, which leads to potential compromises that possibly create risk(s) for the business. People concerned about deadlines or hot competition may decide to release a product with the security issue unresolved, intending to fix the issue in a subsequent release.
- In many cases, security defects are not treated with the same priority as other software defects. It is not unusual for security issues to slip off the radar entirely once the product is out the door.
Puppet’s 2019 State of DevOps report puts it this way: “Adopting DevOps practices opens the door to integrating security into the entire software delivery lifecycle — in fact, we’d argue security integration should be a natural part of any DevOps effort. But many companies are getting stuck in the middle stages of DevOps evolution, making it difficult to begin security integration”. According to Gartner's Market Guide for Zero Trust Network Access, "fewer (security) alerts does not equate with being more secure; rather it might mean you are more blinded by the lack of visibility. Lack of visibility does not equate to a lack of security vulnerabilities". In other words, it is crucial to pay attention to the security signals that are easy to miss and to maintain visibility throughout every phase of software development.
Ideas for adoption of a Secure Software Development Lifecycle and DevSecOps
What can an organization do to start working towards a more secure application platform? Below are some items that aren't necessarily technically complicated but may be complicated politically:
- Ensure that security experts are committed to software development timelines. The last thing your Software Engineering team needs is a reviewer who is only "involved" and not "committed". This means security tasks being committed within planning, completed within the iteration, and reviewed along with all other technical work.
- Security and development (DevSecOps) teams must collaborate on threat models early in the development cycle.
- Security tools must be integrated within the CI/CD pipeline in a non-intrusive way, so that software engineers can be confident they are not inadvertently introducing known security problems into their code bases.
- Security requirements, both functional and non-functional, must be prioritized as part of the product development process within the product backlog and must not be de-prioritized.
- Security-related defects must be treated with the same priority as all other software defects.
- Infrastructure-related security policies are set early in the development cycle rather than towards the end, as the MVP is being deployed.
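To make the CI/CD and defect-tracking points above concrete, here is an added example of a pipeline gate; it is illustrative code written for this article, not ISG's tooling or the output of any real scanner. It assumes a generic scanner report (a list of findings with an id, a severity and a location, constructed below) and a small risk register of waivers. The gate only blocks on findings at or above a severity threshold, which keeps it non-intrusive for routine commits, and every deferred finding must carry a ticket, an owner and an expiry date, so that a "fix it in the next release" decision is tracked as a defect and fails the build once its waiver lapses rather than slipping off the radar.

```python
"""Added example for this article: a CI security gate over constructed scanner
findings. Not ISG's code and not tied to any specific scanner's format."""
from datetime import date

# Assumption: a simple four-level severity scale, ranked for threshold checks.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed findings, shaped like a generic SAST/dependency scan report.
SAMPLE_FINDINGS = [
    {"id": "F-001", "severity": "critical",
     "title": "SQL query built from request input", "file": "api/orders.py"},
    {"id": "F-002", "severity": "high",
     "title": "Outdated TLS library pinned", "file": "requirements.txt"},
    {"id": "F-003", "severity": "low",
     "title": "Debug logging enabled", "file": "settings.py"},
]

# Constructed risk register: deferring a finding requires a ticket, an owner
# and an expiry, so the deferral is a tracked defect with a deadline.
SAMPLE_WAIVERS = {
    "F-002": {"ticket": "SEC-42", "owner": "platform-team",
              "expires": date(2021, 3, 31)},
}

# Constructed check dates: one inside the waiver window, one after it.
CHECK_DATE = date(2021, 1, 15)
LATE_CHECK_DATE = date(2021, 4, 1)


def evaluate_gate(findings, waivers, threshold="high", today=None):
    """Return (passed, report).

    Findings at or above `threshold` block the build unless a current waiver
    exists. An expired waiver is itself a failure: the deferred fix is now
    overdue. Findings below the threshold are reported but never block."""
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    report = {"blocking": [], "waived": [], "expired_waivers": [],
              "informational": []}
    for finding in findings:
        rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        if rank < min_rank:
            report["informational"].append(finding["id"])
            continue
        waiver = waivers.get(finding["id"])
        if waiver is None:
            report["blocking"].append(finding["id"])
        elif waiver["expires"] < today:
            report["expired_waivers"].append(finding["id"])
        else:
            report["waived"].append(finding["id"])
    passed = not report["blocking"] and not report["expired_waivers"]
    return passed, report


def format_summary(passed, report):
    """Render the gate decision as the lines a CI log would show."""
    lines = ["SECURITY GATE: " + ("PASS" if passed else "FAIL")]
    for bucket in ("blocking", "expired_waivers", "waived", "informational"):
        if report[bucket]:
            lines.append(f"  {bucket}: {', '.join(report[bucket])}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Inside the waiver window: F-001 blocks, F-002 is waived, F-003 is noted.
    print(format_summary(*evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS,
                                        today=CHECK_DATE)))
    # After the waiver expires, the deferred F-002 fails the build on its own.
    remaining = [f for f in SAMPLE_FINDINGS if f["id"] != "F-001"]
    print(format_summary(*evaluate_gate(remaining, SAMPLE_WAIVERS,
                                        today=LATE_CHECK_DATE)))
```

In a real pipeline the findings would come from the scanner's report file and the waivers from a version-controlled risk register reviewed by the security specialist who is committed to the sprint; the point of the expiry field is that the deferral decision made under deadline pressure has an owner and a date attached, so the security defect is closed with the same discipline as any other defect.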
ISG takes action with support for DevSecOps and Secure Application Development Lifecycle
Intent Solutions Group (ISG), a global software engineering and R&D firm located in Boston, recognizes the dangers of a lack of preparation and has been focusing on shifting security into the development process with its clients.
CEO Robert Rae says, “The Software industry is learning how to seamlessly integrate security processes and technologies into the software development process (DevSecOps, Shift-Left Security, AppSec, 2SDLC (software development life cycle), etc). Thinking about security at the end of the software development cycle was just not working. The required mindset change seems to be the biggest hurdle. Security specialists have to not only be involved but be committed to the same deliverable as agile teams. Engineers need to learn how to include Security Specialists in the development process. Cloud platform providers like AWS are making the necessary security technologies available at a cost that is affordable for all organizations, so the cost hurdle has largely been eliminated.”
Intent Solutions Group has successfully integrated Application Security into the services it delivers for its clients. As this article has shown, DevSecOps emphasizes cross-functional collaboration among development, security and operations teams, as well as technology integration to resolve vulnerabilities at every stage of the secure software development life cycle. The framework is proven to reduce the risk of damage from cyber attacks and data breaches and to maintain organizational continuity.
Across the services Robert Rae describes, including Design, Development, QA, and Managed Services, ISG analyzes the product's fundamental structure and applies methodologies customized to it. As a result, the initiative helps to reduce wasted time, improve sprint velocity, and head off future costly incidents while ensuring that the right product and software are built.
With the examples provided in this article, we believe the topic of Application Security has hit a tipping point, and software executives are quickly understanding that they must improve AppSec now. Larger software engineering organizations have the ability to build these capabilities in-house; small and mid-sized software engineering organizations will look to partners like Intent Solutions Group.