The perfect blend of development, security, and operations (DevSecOps) can elude many organizations and hamper the digital transformation efforts, even if they think they are on the right path. Sorting out stumbling blocks in DevSecOps and dealing with outright failures in the process took center stage in two keynotes at last week’s ONUG Fall 2022 conference in New York City.
James Wickett, co-chair for DevSecOps at ONUG Fall 2022, focused on warnings organizations should pay attention while Vandana Verma Sehgal, chair of the board of directors with OWASP, examined failures and ways organizations can respond. The event, hosted by ONUG (the Open Networking User Group), brought out the enterprise cloud community to tackle issues.
Wickett gave a keynote on “DevSecOps Warning Signs and What to Do About Them” and dove into breakdowns within enterprises. He is also founder and CEO of DryRun Security.
“Why is DevSecOps not working in many organizations?” Wickett asked. He said in some cases, security might not be included in digital transformation, possibly as a byproduct of moving fast. Security professionals might also see themselves as different from others in the organization, Wickett said, and adopt rather Draconian perspectives. “Many security teams work with the world view where their goal is to inhibit change as much as possible.”
Such sentiment can go too far obviously, Wickett said, especially if security puts guardrails around the wrong things and hobbles productivity in the process. “That is a place you don’t want to be inside of an organization,” he said.
The notion of pitting security versus IT and the business can just be counterproductive, Wickett said. “That is a false sense of transformation.”
The premise of DevSecOps, he said, is to take DevOps practices and principles and build security into the cycle, not that security is swooping in to fix DevOps. Wickett suggested developers find ways to give telemetry back for application security, as well as conduct some self-testing. Operations should also add security and telemetry to the observability stack, he said.
When Failure Comes Calling
Even with warning signs in mind, organizations may find their DevSecOps strategy doing more harm than good. Sehgal’s keynote on “Failures in DevOps and DevSecOps Pipelines” confronted what organizations need to do if DevSecOps stall. OWASP is the Open Web Application Security Project, a nonprofit that works to improve the security of software.
Sehgal spoke about vulnerabilities faced in the industry and possible ways to fix them in an open-source world. “Organizations of all types, be it small, medium, enterprise, or any organizations, are using open source to a greater extent,” she said. “Especially if I talk about unicorns, they’re majorly using open source.”
These days developers only write about 10% to 20% of code, she said, turning largely to open-source resources for the bulk of it. This creates dependencies on such third parties and platforms. This trend brings with it a measure of responsibility, she said, for organizations to secure their systems, especially with such open-source reliance. “We can’t blame open source,” Sehgal said. “We can’t blame Apache. Every company is trying to secure themselves.”
Those security efforts rely heavily on organizations knowing what they are working with in terms of software, data, and platforms, she said. Vandana said a lack of knowledge and observability raises questions about the defense of libraries and source codes.
Still there can be issues such as the Log4j remote code vulnerability and breaches regardless of efforts made to secure systems, Sehgal said, increasing the necessity to redouble security. “Application security is becoming more and more important because we are seeing more and more issues.”
The rise of more cloud-native organizations has brought the complication of networks and applications being cojoined, she said. Having one foot in open-source and the other in the cloud-native environment means security is mutually important, she said.
In the open-source world, attackers try a multitude of tactics, including attempting to prey upon individuals who type fast and make mistakes that can be exploited. There are also supply chain attacks, such as the one involving SolarWinds, which can cascade across vast numbers of companies. For instance, if packaged software is compromised and malware added, users of the product can become vulnerable, Sehgal said. There could also be an update that secretly adds a cryptominer to code, which is shipped to everyone, who would end up running the cryptominer.
Stepping up security awareness and response can help. Fixing application bugs can take months if not years to address if they go unnoticed by organizations, she said, which can leave organizations vulnerable to attackers. “It’s not just what we write,” Sehgal said. “It’s about open-source libraries; it’s about containers; it’s about infrastructure as code.”
Human awareness can only go so far though, especially in the cloud environment, leading to some automated assistance where feasible. “Cloud misconfiguration is one big challenge, which is with everyone,” she said. Sehgal also believes having a “security champion” within an organization can also improve the situation. “It can be anyone,” she said. “People say developers are the only ones who can be a security champion, but no. “It can be an executive. It could be a CISO, could be a CIO, could be a CTO.” Other possibilities include a project manager or architect of software. “That person needs to know what’s happening,” Sehgal said.