The Forrester Predictions 2020: DevOps report acknowledged that DevOps is continuing its trajectory of awareness and adoption. Forrester says firms are focusing on achieving product differentiation through the speed and quality promised by DevOps methods.
The speed and agility promised by DevOps is being called into question, however, with the rise in cyberattacks and the potential for vulnerabilities to creep into the DevOps process. This is even more true in the open source community, where large numbers of developers independently, perhaps even unsupervised, writing code for free (sort of) create opportunities for vulnerabilities to remain undiscovered for long periods.
DevSecOps is meant to address this by incorporating security into the development process early on.
FutureCIO spoke to Pierluigi Cau, director of Solutions Engineering APAC at GitHub, for his take on security as part of the development process.
What are some of the industry trends around security over the past months?
Pierluigi Cau: In recent years, DevOps has been an increasingly popular trend which has promoted a holistic approach to security. By highlighting everyone’s role in fixing and preventing system outages, this has also shifted the way in which developers engage with operational issues.
Rather than separating development and operations, DevOps posits that there is a joint responsibility for these functions between all parties that write, ship, and manage that code.
Specifically, within the security industry, this shift in mindset has also resulted in what is commonly called DevSecOps. Essentially, this is about making all parties involved in the application development lifecycle accountable for the security of the application, just as they are accountable for operations and supportability.
So what’s the difference between DevOps and DevSecOps? In the former, everyone becomes accountable for outages, even if they don’t manage the infrastructure. In the latter, everyone becomes accountable for vulnerabilities, even if they didn’t write the software. DevOps focuses on agility, efficiency, and reducing the time it takes to develop software.
DevSecOps prioritises secure development and speed from the very beginning by incorporating security into every phase of the development. It also makes finding and diagnosing vulnerabilities a shared responsibility.
Enterprises have traditionally relied on security researchers to uncover, report, and fix vulnerabilities in their code. But code security research is a specialist skill and the supply for researchers far outweighs the demand, so much so that security researchers are on average outnumbered 500:1 when compared to developers. Moreover, with the increase in the APAC cybersecurity talent workforce gap, surpassing the two million mark in 2019, it is clear that a change in the approach is needed.
Continuous security should run in parallel with continuous integration and continuous delivery; and security should be baked into every step of the development process.
Since this is a mindset shift, there’s no canonical list of practices. Rather, the principal change is to apply security practices earlier in the development lifecycle.
To minimise the number of vulnerabilities in production code, security teams need to partner with developers in their preferred environment and leverage their existing workflows. Putting developers front and centre for application security is the most effective way to shift security left and succeed against the mounting technical debt that can overwhelm even the best teams.
What is the perception of open source security among businesses in SG/APAC? Is the myth that open source is less secure due to its collaborative and transparent nature true?
Pierluigi Cau: Modern software is built on open source. 99% of enterprise codebases contain open-source code according to Synopsys’ 2020 Open Source Security and Risk Analysis Report. But as the adoption of open source components increases, so will the security risks for both developers and security teams due to increased exposure.
On GitHub alone, over the past year, over 12.3 million security alerts were remediated by developers, maintainers, and security researchers across the community. Whitesource also predicts a 48% increase in reported open source vulnerabilities in 2019 compared to the previous year.
For organisations, the question is not about how much open source code is being used. It’s about what open source code you’re using, and how much. If organisations are not aware of what is in their software supply chain, an upstream vulnerability in any of their dependencies can affect their application, making them susceptible to potential compromise.
Relatively newer approaches to application security—including DevSecOps and shifting security left—have suggested significant improvements to both traditional and end-to-end security.
Are organisations and enterprises taking the right approach to address coding and open source security? How can and should SG/APAC companies tackle security together with their developers?
Pierluigi Cau: In the same way that open source teams collaborate on shared projects, the only way to combat technical debt with today’s increasing code volume and velocity is to solve security issues, together.
It is estimated that 85% of vulnerabilities in open source are disclosed with a patch already available. But being proactive and successful at addressing software supply chain threats goes beyond patching.
Following DevSecOps means organisations need to approach security as an ongoing part of software development, staying up to date with what dependencies are being used, being aware of vulnerabilities in those dependencies, patching them—then getting back to work. For developers, that means having a few capabilities:
- Know what’s in your environment. This requires discovering your dependencies including transitive dependencies and understanding the risks of those dependencies, such as vulnerabilities and licensing restrictions.
- Manage your dependencies. Determine the level of impact when a new security vulnerability is discovered, followed by the required update to obtain the latest functionality and security patches. Keep a hold on your dependencies by reviewing changes that introduce new dependencies and conduct regular pruning to remove unnecessary dependencies.
- Monitor your supply chain. Audit the controls in place to manage your dependencies, and eventually, move from audit to enforcement to prevent drift in your supply chain.
To effectively drive down the number of vulnerabilities in production code, security teams need to partner with developers in their preferred environment and leverage their existing workflows. Putting developers front and centre for application security is the most effective way to shift security left and succeed against the mounting technical debt that can overwhelm even the best teams.
Community-powered security can help security experts share lessons learned and provide better ways to solve today’s application security issues. Developer-focused and community-centric security also makes it possible to find and fix issues earlier, while improving collaboration within organisations and the greater open source community.
Unless security issues can be identified and fixed by developers early in the development lifecycle, technical debt will continue to be a challenge for any software ecosystem. Like many other challenges, application security problems are the easiest and most cost-effective to solve at the source.
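The three capabilities listed in the answer above (know what is in your environment, manage your dependencies, monitor your supply chain) can be exercised mechanically against a lock file. The script below is an added illustration written for this page; it is not code from GitHub or from the interviewee. The lock-file snapshots, package names, versions, advisory data and the reviewed allowlist are all constructed, and version comparison is a simplified dotted-integer compare rather than a full semver implementation.

```python
"""Dependency inventory, impact triage and drift check over a constructed
lock-file snapshot. Added illustration; packages, versions and advisories
below are constructed and hypothetical."""
from collections import deque

# Constructed "before" lock file: package -> (pinned version, its own deps).
LOCK_BEFORE = {
    "webapp":     ("1.0.0", ["http-core", "yaml-parse"]),
    "http-core":  ("2.3.1", ["url-util"]),
    "url-util":   ("0.9.0", []),
    "yaml-parse": ("4.1.0", []),
}

# Constructed "after" lock file: a change adds img-resize (and, transitively,
# native-bind) and leaves a pinned package that nothing depends on any more.
LOCK_AFTER = dict(LOCK_BEFORE)
LOCK_AFTER.update({
    "webapp":      ("1.0.1", ["http-core", "yaml-parse", "img-resize"]),
    "img-resize":  ("1.2.0", ["native-bind"]),
    "native-bind": ("0.3.0", []),
    "left-over":   ("0.1.0", []),
})

# Constructed advisories: package -> first fixed version
# (any installed version below it is treated as affected).
ADVISORIES = {
    "url-util":    "1.0.0",
    "native-bind": "0.4.0",
}


def parse_version(version):
    """Simplified dotted-integer version key (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def resolve(lock, root):
    """Know what's in your environment: breadth-first walk from the root
    package, returning {package: path from root} for every reachable
    dependency, direct and transitive."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in lock[pkg][1]:
            if dep not in paths:          # first path found is the shortest
                paths[dep] = paths[pkg] + [dep]
                queue.append(dep)
    return paths


def triage(lock, root, advisories):
    """Manage your dependencies: for each advisory that hits an installed
    version, report (package, installed, fixed, path). The path shows which
    direct dependency pulls the affected package in, i.e. the level of impact."""
    hits = []
    for pkg, path in resolve(lock, root).items():
        fixed = advisories.get(pkg)
        if fixed is None:
            continue
        installed = lock[pkg][0]
        if parse_version(installed) < parse_version(fixed):
            hits.append((pkg, installed, fixed, path))
    return hits


def new_dependencies(before, after, root):
    """Review changes that introduce new dependencies: packages reachable in
    the new lock file that were not reachable in the old one."""
    return sorted(set(resolve(after, root)) - set(resolve(before, root)))


def pruning_candidates(lock, root):
    """Regular pruning: packages still pinned in the lock file but no longer
    reachable from the root."""
    return sorted(set(lock) - set(resolve(lock, root)))


def drift(lock, root, allowlist):
    """Monitor, then enforce: reachable packages that are not on the reviewed
    allowlist. A CI gate can fail the build on a non-empty result."""
    return sorted(pkg for pkg in resolve(lock, root) if pkg not in allowlist)


if __name__ == "__main__":
    reviewed = set(resolve(LOCK_BEFORE, "webapp"))   # baseline that passed review
    for pkg, installed, fixed, path in triage(LOCK_AFTER, "webapp", ADVISORIES):
        print(f"affected: {pkg} {installed} (fixed in {fixed}) via {' -> '.join(path)}")
    print("new dependencies:", new_dependencies(LOCK_BEFORE, LOCK_AFTER, "webapp"))
    print("pruning candidates:", pruning_candidates(LOCK_AFTER, "webapp"))
    print("drift from reviewed baseline:", drift(LOCK_AFTER, "webapp", reviewed))
```

Run as a script, it prints the affected packages with the dependency path that introduces each one, the packages a change newly pulled in, the stale pin that can be pruned, and the packages that drifted from the reviewed baseline. The same four functions map onto the audit-then-enforce progression described above: `resolve` and `triage` are the audit, `drift` is the enforcement gate.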