Unlocking a More Secure Cloud: An Introduction to Security as Code (SaC)

essidsolutions

Cloud outages and security breaches increase in complexity and frequency every day. Security as Code (SaC) can help mitigate cloud outages resulting from security vulnerabilities. Mignona Cote, Chief Security Officer, NetApp Inc, shares key points to know about SaC and its value in application development environments. 

The DevOps application development method was born out of a desire for faster application updates and a quicker response to changing business needs. Speedier development, however, also brought a greater chance of errors and an increased risk of introducing security vulnerabilities into the application.

To address this, Security as Code (SaC), closely associated with DevSecOps, was introduced as a means of automating and continuously enforcing company-mandated security practices throughout the entire DevOps software development life cycle. All too often, the development and security teams work separately. This results in siloed effort and increased vulnerability. Security as Code is about breaking down the walls between the development and security teams, so everyone is security conscious from the beginning.

What Is Security as Code (SaC)?

Security as Code is an offshoot of Infrastructure as Code (IaC), which is the practice of defining virtualized infrastructure, such as the allocation of compute, storage, and network resources, in versioned, machine-readable definition files instead of through manual configuration or one-off scripts. IaC is particularly popular in DevOps environments because DevOps teams tend to work quickly and do not want to wait for infrastructure to be built by hand. IaC gives them a fast, repeatable, and reviewable provisioning method, and SaC applies the same idea to security policy: the checks themselves are written as code, stored with the application, and run automatically.

Gartner defines DevSecOps as the integration of security testing into Agile IT and DevOps development “as seamlessly and as transparently as possible. Ideally, this is done without reducing the agility or speed of developers or requiring them to leave their development toolchain environment.”

The move to the cloud has made many workloads decentralized. The era where all of your workloads ran in your data center is over. In the era of Kubernetes and microservices architectures, you have more workloads running than before, being developed by multiple teams, often in disparate physical locations, and both on-premises and in the cloud. And it’s not just the development teams that are decentralized but also the decision-makers. 

Decentralization can mean different teams developing different standards and protocols, which means managers could quickly lose control of their infrastructure and their own established standards and protocols—especially those around security and compliance. So SaC is a method to apply security and compliance in a centralized, systemic, continual manner. 

Benefits of SaC

There are three key benefits that organizations can unlock with security as code:

1) A secure foundation: True security is more than just preventing attacks. It also covers errors and malfunctions, data breaches, performance issues, and other problems that do not involve an outside attacker. By establishing a security foundation from the start of development, you test your application against these standards from the beginning rather than at the end.

2) Risk reduction: The Internet is inherently hostile, with bad actors constantly scanning for vulnerable systems to penetrate. Cloud-based apps, which are reachable from that network by design, must be secured even more urgently than on-premises apps, and SaC makes you mindful of the security of your code from the start of the project. 

3) Speed of development: As noted, DevOps projects tend to move rapidly. Developers don’t want to be slowed down by adding security measures or anything else. Once developed and debugged, SaC policies are easily added to applications under development without slowing down the process.

Security checks and tests are coded into the pipeline at the points where problems are introduced: when infrastructure definitions are changed, when dependencies are added, when code is committed, and when an artifact is promoted to deployment. When testing and security are part of the development lifecycle, developers fix findings as they occur instead of discovering them in a late audit, so the development process is not stalled. 
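The following is an added example, not code from the original article or from NetApp, of the kind of check described above and in the Infrastructure as Code section: a policy-as-code gate that reads the JSON output of `terraform show -json`, walks the planned resources, and fails the pipeline stage when a security group exposes anything other than HTTPS to the whole Internet, an S3 bucket has a public ACL, or an RDS instance is unencrypted. The plan structure it parses (`planned_values.root_module.resources[]`) is the top-level layout of real Terraform plan JSON, but the plan fragment embedded below is constructed for the example and the three rules are illustrative choices, not a complete policy set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is one policy violation located in the plan.
type Finding struct {
	Address string // Terraform resource address, e.g. aws_s3_bucket.logs
	Rule    string // human-readable description of the violated rule
}

// plan mirrors the subset of `terraform show -json` output inspected here
// (planned_values.root_module.resources[]). Child modules are ignored.
type plan struct {
	PlannedValues struct {
		RootModule struct {
			Resources []struct {
				Address string                 `json:"address"`
				Type    string                 `json:"type"`
				Values  map[string]interface{} `json:"values"`
			} `json:"resources"`
		} `json:"root_module"`
	} `json:"planned_values"`
}

// CheckPlan runs the policy rules over raw plan JSON and returns every violation.
func CheckPlan(raw []byte) ([]Finding, error) {
	var p plan
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var out []Finding
	for _, r := range p.PlannedValues.RootModule.Resources {
		switch r.Type {
		case "aws_security_group":
			for _, msg := range openIngress(r.Values) {
				out = append(out, Finding{r.Address, msg})
			}
		case "aws_s3_bucket":
			acl, _ := r.Values["acl"].(string)
			if acl == "public-read" || acl == "public-read-write" {
				out = append(out, Finding{r.Address, "S3 bucket ACL grants public access"})
			}
		case "aws_db_instance":
			// storage_encrypted defaults to false when omitted, so a missing key is also a finding.
			if enc, _ := r.Values["storage_encrypted"].(bool); !enc {
				out = append(out, Finding{r.Address, "RDS storage is not encrypted at rest"})
			}
		}
	}
	return out, nil
}

// openIngress flags security-group ingress rules that expose anything other
// than HTTPS (443) to the whole Internet.
func openIngress(values map[string]interface{}) []string {
	var msgs []string
	rules, _ := values["ingress"].([]interface{})
	for _, raw := range rules {
		rule, _ := raw.(map[string]interface{})
		from, _ := rule["from_port"].(float64) // encoding/json decodes numbers as float64
		to, _ := rule["to_port"].(float64)
		cidrs, _ := rule["cidr_blocks"].([]interface{})
		for _, c := range cidrs {
			if cidr, _ := c.(string); cidr == "0.0.0.0/0" && !(from == 443 && to == 443) {
				msgs = append(msgs, fmt.Sprintf("ingress %d-%d open to 0.0.0.0/0", int(from), int(to)))
			}
		}
	}
	return msgs
}

// samplePlan is a constructed plan fragment for this example, not output from a real deployment.
const samplePlan = `{
  "planned_values": {"root_module": {"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [
       {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
       {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "private"}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "values": {"storage_encrypted": false}}
  ]}}
}`

func main() {
	findings, err := CheckPlan([]byte(samplePlan))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("DENY %s: %s\n", f.Address, f.Rule)
	}
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit fails the pipeline stage before `terraform apply`
	}
	fmt.Println("plan passes policy")
}
```

Run as a step between `terraform plan` and `terraform apply`, this turns the policy into something reviewed, versioned, and tested like any other code; the rules are easy to extend, and a dedicated engine such as Open Policy Agent expresses the same checks declaratively once the rule set grows.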

Automation of manual tasks is another key benefit of SaC. Public Key Infrastructure (PKI) and digital certificates are commonly used in DevOps workflows to sign code and artifacts and to verify them before deployment. However, traditional PKI is a manual process of requesting, issuing, and installing certificates, which is anathema to the Agile methodology. SaC automates certificate issuance, the signing of code and build artifacts, and the verification of those signatures at each stage of the pipeline.
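As an added example, not taken from the original article or from NetApp, the block below shows the two halves of an automated artifact-signing step: the build stage signs a digest of what it produced, and the deploy stage refuses anything whose signature does not verify, including an artifact altered by a single byte. To keep the example self-contained it uses raw Ed25519 keys from the Go standard library in place of certificates, and the artifact bytes are a constructed stand-in for a container image or release tarball; a real pipeline would keep the private key in a signing service or HSM and carry the public key in a certificate chained to the organization's PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
)

// NewSigningKey generates the key pair the build stage uses to sign artifacts.
// In a real pipeline the private key lives in a signing service or HSM and
// only the public key is distributed to the deploy stage.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignArtifact signs the SHA-256 digest of the artifact, so the signature is
// the same size regardless of artifact size and can travel with the digest.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}

// VerifyArtifact recomputes the digest of what is actually about to be deployed
// and checks it against the signature; any change to the artifact fails.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// artifact is a constructed sample standing in for a real build output.
var artifact = []byte("app-1.4.2-linux-amd64 build output (constructed sample)")

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		fmt.Fprintln(os.Stderr, "keygen:", err)
		os.Exit(2)
	}

	// Build stage: sign the artifact and publish the signature alongside it.
	sig := SignArtifact(priv, artifact)
	fmt.Printf("signature: %s\n", hex.EncodeToString(sig))

	// Deploy stage: verify before admitting the artifact.
	if !VerifyArtifact(pub, artifact, sig) {
		fmt.Println("deploy gate: signature invalid, artifact rejected")
		os.Exit(1)
	}
	fmt.Println("deploy gate: signature verified, artifact admitted")

	// A tampered copy (one bit flipped) must be rejected by the same check.
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact accepted:", VerifyArtifact(pub, tampered, sig))
}
```

The verification function is the part that belongs in the pipeline definition: it is a few lines, runs in milliseconds, and replaces a manual "did someone check this build?" step with a check that cannot be skipped.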


The Pros and Cons of DevSecOps

While DevSecOps can solve many problems related to application development, don’t be lulled into the belief that your software development projects will be free from all possible bugs or attacks. Like every methodology, DevSecOps has upsides and downsides. Here are both: 

The pros to unlock

1) Enhances collaboration and communication between teams: Rather than the development and security teams working separately, they work together to achieve a common goal. Team integration is one of the main objectives of DevSecOps.

2) Faster response to vulnerabilities throughout the development cycle: Agile development works by writing a small portion of the application, then testing it thoroughly before moving on to another portion. If you add security testing to the process, bugs and vulnerabilities are exposed early rather than at the end.

3) Promotes better quality control: Because testing for security issues is done from the beginning rather than at the end, you arrive at a completed project that is both functional and secure, rather than just functional.

4) Reduces the cost of vulnerabilities: If you do all of your security testing at the end of the application development lifecycle, you may spend a lot of time chasing bugs through a lot of code. On the other hand, if you do the testing throughout the development process, less tracing needs to be done because the application is smaller, and bugs are easier to locate. Therefore, finding vulnerabilities in the early stages of the development life cycle reduces dramatically the number of vulnerabilities that might be discovered at the end and the time spent tracing them through the code.

The potential cons

1) Requires teamwork: You need to get both teams on board and aligned with your vision for Security as Code to work. Development and security teams are often used to working separately from each other. They need to share the same vision, and they may not want to change how they do their jobs. That may mean retraining or changing the way things have traditionally been done.

2) Doesn’t fix everything: This is not so much a negative as a caveat. Don’t be lulled into thinking DevSecOps is a magic bullet for every security issue. DevSecOps has its limits. For example, automated checks are poor at detecting business logic errors, which are much harder to find than an exposed port or a failure to comply with HIPAA regulations. Second, the DevSecOps pipeline relies on automation, and manual penetration testing does not fit into an automated pipeline. So you still need to run manual penetration tests alongside it.

3) Undocumented apps are hard to secure: Throughout the development lifecycle, the application itself is documented; what a piece of code does, what functions and so on. In the early stages of an application, it’s probably not very well documented. That can make finding vulnerabilities even more difficult. 

Success Integrated

Adopting DevSecOps can mean extensive changes in how organizations and staff go about their software development and deploy security and compliance operations. It requires an integrated team of developers and security experts working in tandem and new tools to provide the needed visibility and tracking of custom and open-source code.

The benefits are considerable: a reduction in security and compliance issues from the start and the ability to quickly respond to new business challenges or threats while protecting your enterprise and customers alike.
