It seems like there's a new major security breach every couple of weeks. While consumers have been desensitized, businesses that experience data breaches can incur millions of dollars in costs. In addition, some breaches impact downstream customers in significant ways that can have substantial global repercussions, such as the infamous SolarWinds hack.
Let's look at the importance of security at the application level and how DevSecOps can mitigate these risks.
Why Security Matters
Security is a growing concern for every business. Every year, the number of data breaches grows by 30%, while the number of compromised records soars by an average of 224%. Over the past year, nearly half of data breaches originated at the web application layer, using SQL injection, remote code execution, and other vulnerabilities.
The evolution of application development and IT infrastructure is driving these changes. Monolithic applications have been replaced by APIs, microservices, and serverless functions delivered in real-time through modern DevOps workflows. Meanwhile, the volume of first and third-party APIs with access to organizational data further enhances the threat.
Modern application development and infrastructure yield better user experiences, but they also expand the surface area for new, more complex threats. As a result, security teams need real-time visibility into these moving parts while moving quickly enough to keep up with modern DevOps workflows that involve continuous deployment.
What is DevSecOps?
DevSecOps stands for development, security, and operations. It's a natural evolution of DevOps that integrates security as a shared responsibility throughout the IT life cycle. The core idea is to build security into application development and infrastructure rather than relegating it to the perimeter around applications and data.
In essence, DevSecOps does to security what DevOps did to tests. Before DevOps, testing was a manual process that happened at the end of the development cycle when it was too late to make changes. Now, continuous integration (CI) processes automatically execute tests to ensure quality throughout the development cycle.
Similarly, before DevSecOps, security was the responsibility of a specific team at the end of the development cycle. DevSecOps involves thinking about application and infrastructure security throughout the development cycle while leveraging automated code analysis and infrastructure monitoring to keep the DevOps workflow from slowing down.
DevSecOps in Practice
DevSecOps is still a relatively new field that's constantly evolving, meaning that best practices are still emerging. That said, there are some common strategies that development teams use to think about and improve upon security throughout the development cycle. These strategies are a great start to an effective DevSecOps workflow.
1. Control Access to Sensitive Information
Sensitive information should never appear in source control or public databases. During development, engineers should use local environmental variables rather than checking production API keys or other sensitive data into source control. In production, sensitive information should be encrypted in databases to mitigate risk.
2. Automate Security Checks
Static code analysis tools can automate security checks as part of a CI/CD process. For example, Veracode can identify OS command injections, SQL injections, hardcoded passwords, or other vulnerabilities and flag them to prevent the deployment of insecure code. Some tools even integrate into developer IDEs to proactively prevent these issues.
3. Monitor Infrastructure in Real-time
Many application performance management (APM) tools can catch exploits as they happen rather than relying on analyzing logs after the fact. For instance, AppDynamics monitors code dependency and configuration-level security vulnerabilities in production to ensure that code remains secure after it's shipped to customers.
4. Regularly Scan & Update Dependencies
Dependencies are a frequent source of security vulnerabilities, particularly as the number of application dependencies rises. Fortunately, GitHub's Dependabot and similar tools can automatically monitor dependencies and create pull requests when updates are needed to mitigate security vulnerabilities.
Depandabot makes pull requests to keep dependencies up to date. Source: GitHub
5. Create an Incident Response Plan
The best security measures in the world aren't a guarantee against a data breach. Zero-day exploits, dependency vulnerabilities, and other events can create unpredictable security risks. As a result, every business should have an incident response plan to mitigate the damage from a security incident and immediately close the vulnerability.
Common Pitfalls to Avoid
DevSecOps best practices can dramatically reduce security risks, but there are several common pitfalls to keep in mind:
1. Don't Use Tools Without a Plan
APM, SCA, and other security automation tools are essential to the DevSecOps process, but they're useless without a follow-up plan. If these tools detect vulnerabilities, development teams must assign the resources to address the vulnerability and fix the problem. Otherwise, the security risks will only continue to compound.
2. Understand How to Use the Tools
DevOps teams must take the time to understand how to use the security features of APM tools to wield them effectively. At the same time, IDE security alerts aren't beneficial if developers don't know how to fix them. DevSecOps requires understanding underlying security principles and the tools used to identify vulnerabilities.
3. Don't Assume Your Code is Secure
DevSecOps best practices aren't a license to ignore security once code checks out. Similarly, businesses should never become complacent because they have DevSecOps in place. Effective security requires a proactive and vigilant mindset embedded at a cultural level rather than a tool level across an organization.
The Bottom Line
Security threats continue to multiply and most attacks happen at the application layer. As a result, DevSecOps is quickly becoming the status quo for application development and IT infrastructure processes. By keeping the best practices that we've discussed in mind, businesses can mitigate security risks without slowing down their DevOps workflows.
Intent integrates DevSecOps into all of our processes to ensure that the code that we produce is secure and performant. If you need help integrating DevSecOps into your organization, contact us to schedule a free consultation and learn how we can help you improve security.