Deconstructing DevSecOps: Why A DevOps-Centric Approach To Security Is Needed In 2023


Definitions are important, and from day one DevSecOps has never been strongly defined: there is no universal acceptance, and so no deep understanding, of what it actually means.

Is it terminology related to how an organisation approaches a product, or the organisational framework, or maybe a cultural and technical shift left within the integrated development environment? Or all of these things?

Is it time that we deconstructed DevSecOps and looked for something better in 2023?

Accelerating change to escape the silo

Let’s start at the beginning; that time before DevSecOps was a buzzword when developers didn’t look further than building the application. Security, be that in terms of vulnerabilities or misconfiguration, was not their concern, not their job. That would be down to the security people, assuming there were any. And, even if there were, we all know how well that went when security was considered an add-on rather than integral to the project.

Something had to change, and what changed was everything.

And nothing.

Agile management required quicker, continuous product development as organisations necessarily transformed into digital entities. Mistakes were made, vulnerabilities exploited, and now they impacted the entire business rather than being just another ‘software bug.’ Gradually, but inevitably, cybersecurity became a business issue. Security shifted left into the development process so as to be identified and redressed without causing later delays.

Is DevSecOps just an aspiration then?

That’s the ‘everything’ that changed. The nothing, for a great many organisations at least, is that DevSecOps remains nothing more than an aspiration, some may even say a fantasy. Those silos remain in practical terms, with DevOps teams and security teams both now trying to address and enforce security across all areas. In some ways, the shift left has happened: when a vulnerability is exploited in production, it’s the DevOps leaders who wield the power rather than the security team. Sure, security is involved, of course, but it remains the devs who are required not only to put things right but also to find the vulnerability.

The DevOps-centric approach

DevSecOps, in reality, is more of a bridge-building exercise: DevOps are asked to be that bridge to the security teams. Yet, simultaneously, DevOps are asked to enhance the technology used (for example, strong customer authentication, or SCA for short), often without the full input of security teams, and so new potential for risk is introduced. These are DevOps security tasks, in effect, rather than DevSecOps. They need to be approached from the top down and the bottom up: an organisational risk assessment to prioritise the software security tasks, and then a bottom-up modelling of how to incorporate something like SCA in our example. This is a DevOps-centric approach to security rather than the commonly accepted DevSecOps one.

The right tools for the job

Correct tooling is at the core of this DevOps-centric approach to security. DevOps itself is largely dependent on automation, and continuous, automated testing, in particular. Having the right tools and solutions to help discover and mitigate security issues should be a no-brainer.

Yet too many disparate tools, like cooks, will quickly enough spoil the seamless visibility broth. And here, we meet the key obstacles preventing organisations from realising a truly integrated, DevOps-centric approach to security.

These can best be summed up as being two extremes of the same problem: appropriate tooling. While DevOps is in the firing line when a security incident occurs, oftentimes, they won’t have the budget to purchase the tools required to best respond as those will be purchased by security teams.

Or, of course, they will have too many, resulting in an unruly tool landscape.

Joined-up thinking is not optional

The solution rests with joined-up thinking, where not only does DevOps have the right security tools but also a ‘single pane of glass’ solution to integrate the resulting findings with mapping of where in the organisation that software appears. And it’s not just DevOps that need this single pane viewpoint: security teams require such visibility of software vulnerabilities and remediation strategies as well. A DevOps-centric approach to security has to be all-embracing for it to be effective.

Maturity matters

Security risks cover the entire software lifecycle, from the initial open source building blocks right through to deployed code running in production. Understanding this level of maturity is essential to a DevOps-centric approach, with a shift right (to when code is operational) being equally important to the shift-left focus of old.

You can think of this as modernising DevSecOps, reducing alert ‘noise’ within developer range, and ensuring contextual threat levels are brought into focus. The Log4shell critical vulnerability in the Log4j logging tool that exploded into view just as 2021 was coming to an end is a great example of why this matters. Organisations needed to know they could react not just quickly but immediately to such incidents. A map of all instances, so that any at risk could be remediated, was essential. But understanding whether or not circumstances existed that could make a given instance vulnerable, the contextual analysis, was equally vital.
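The two steps described here, and the ‘single pane of glass’ mapping of where software appears in the organisation from the previous section, can be reduced to a small amount of code once an inventory exists. The following is an added example, not code from the original article or from any product it alludes to: it joins a constructed SBOM-style inventory with a constructed advisory (a fictional component `example-logging-lib`, fixed in a made-up version 1.5.0), first finding every deployed instance and then ranking those instances by deployment context so the findings reaching developers are the ones that actually matter. The weighting in `context_score` is an assumption chosen for illustration, not a standard.

```python
"""Inventory-driven vulnerability triage (added example, constructed data).

Step one builds the map: every deployment carrying an affected version.
Step two applies context: production, internet exposure and untrusted input
raise the priority, so a vulnerable library in an offline batch job does not
generate the same alert as the same library behind a public API.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str            # first version that is no longer affected
    affected_from: str = "0"  # earliest affected version

    def affects(self, version: str) -> bool:
        return (parse_version(self.affected_from)
                <= parse_version(version)
                < parse_version(self.fixed_in))


@dataclass(frozen=True)
class Deployment:
    service: str
    owner: str                 # team responsible for remediation
    environment: str           # "production" or "staging"
    internet_facing: bool
    handles_untrusted_input: bool
    components: dict[str, str]  # component name -> deployed version


# Constructed inventory; names, teams and versions are invented for this example.
INVENTORY = [
    Deployment("checkout-api", "payments", "production", True, True,
               {"example-logging-lib": "1.2.0", "example-http": "4.1.0"}),
    Deployment("batch-reporter", "finance", "production", False, False,
               {"example-logging-lib": "1.4.2"}),
    Deployment("partner-gateway", "integrations", "production", True, True,
               {"example-logging-lib": "1.5.0"}),        # already on the fixed version
    Deployment("dev-sandbox", "platform", "staging", False, True,
               {"example-logging-lib": "1.1.0"}),
    Deployment("static-site", "marketing", "production", True, False,
               {"example-http": "4.1.0"}),               # does not ship the component
]

# Constructed advisory for the fictional component.
ADVISORY = Advisory(component="example-logging-lib", fixed_in="1.5.0")


def find_instances(inventory: list[Deployment], advisory: Advisory) -> list[Deployment]:
    """Step one: the map. Every deployment running an affected version."""
    return [
        d for d in inventory
        if advisory.component in d.components
        and advisory.affects(d.components[advisory.component])
    ]


def context_score(d: Deployment) -> int:
    """Step two: context. Assumed weighting, higher means remediate first."""
    score = 0
    if d.environment == "production":
        score += 3
    if d.internet_facing:
        score += 3
    if d.handles_untrusted_input:
        score += 2
    return score


def triage(inventory: list[Deployment], advisory: Advisory) -> list[tuple[str, str, int]]:
    """Affected instances as (service, owner, score), most urgent first."""
    hits = find_instances(inventory, advisory)
    ranked = sorted(hits, key=context_score, reverse=True)
    return [(d.service, d.owner, context_score(d)) for d in ranked]


def instances_by_owner(inventory: list[Deployment], advisory: Advisory) -> dict[str, list[str]]:
    """The single-pane view: which team owns which affected services."""
    view: dict[str, list[str]] = defaultdict(list)
    for service, owner, _ in triage(inventory, advisory):
        view[owner].append(service)
    return dict(view)


if __name__ == "__main__":
    for service, owner, score in triage(INVENTORY, ADVISORY):
        print(f"{score:>2}  {service:<16} owner={owner}")
    print(instances_by_owner(INVENTORY, ADVISORY))
```

Run as written, the public, production `checkout-api` comes out on top, the offline `batch-reporter` is a lower-priority fix, the sandbox sits at the bottom, and the two services that either run the fixed version or never shipped the component produce no alert at all. The same `instances_by_owner` output is what a security team would read from the other side of the pane: the same findings, grouped by who has to act on them.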

The painful truth about DevSecOps

It’s not so much that DevSecOps is dead, but maybe it never really existed at all. What most people mean when they talk of DevSecOps is a DevOps-centric approach to security.

Perhaps the time is right that we start talking about this broader, back-to-basics, integrated vision instead.
