DevOps In Need Of A ‘Security Champion’?

Why The Dev-Sec Relationship Is Steadily Improving
Dan Gunderman
07/18/2018

For many development teams, especially those maintaining legacy systems and working out their kinks, cyber security was long viewed as a barrier to entry, a speed bump on the way to shipping.

Over time, next-gen technologies emerged, more security alerts reached Chief Information Security Officers (CISOs) and automation ushered in a new era of defense capabilities. That “barrier” viewpoint was only magnified.

Meanwhile, today, developers work against the clock to produce software and quality code, to keep pace with a firmly digitalized and competitive marketplace.

It is here, in the gray area between expedited workflows and careful brake-pumping from security, that the cyber and DevOps relationship lies: where one excels, the other acts as a check on its power.

While, on its face, this balance of power (to borrow a political term) is relatively beneficial, it is security that has long had to earn its keep to get a seat at the table. In recent years, security teams have vied for that place and advocated embedding security in all policies and processes.

Today, cyber security is unavoidable. There is no escaping the wrath of a deep-seated cyber-attack, or bad press around poor data management.

So, cyber security is increasing its bandwidth, branching off into numerous facets of the business. It is also becoming a prime conversation among the C-suite and even the board.

The 'Embed'

But in terms of DevOps specifically, we’ve witnessed the birth of “DevSecOps,” or security integrated from the outset. While mature organizations may be able to readily implement security controls, others are left prioritizing, coping with a lack of resources or, perhaps, picking one practice over another.

That certainly establishes context around the security “embed” – or lack thereof. But today, numerous cyber experts are touting the DevSecOps approach, and more specifically, reciprocal collaboration between the two. That could mean strategic communication between the DevOps team and the security team prior to project rollout; conversely, it could involve a security-trained professional taking his or her skillset to the DevOps pipeline.



Wanted: Security 'Champs'

In a recent column for Threat Post, Chris Eng, Vice President of Research at CA Veracode, called this person a “Security Champion.”

Eng wrote that this individual “understands application security best practices and helps advise their colleagues. They are trained by the security team to help developers find and fix vulnerabilities as early as possible in the development process, ultimately reducing the burden on the security team.”


Eng said the inclusion of such an individual will inspire secure code and lessen the unplanned work caused by vulnerabilities, which is essentially a restart in a time-sensitive race. Beyond those obvious benefits, Eng also said the position builds trust and promotes goodwill between the two teams.

Whether an organization adopts this role certainly depends upon numerous variables (security posture, enterprise size, team dynamics and so on), but it can go a long way when this representative pinpoints a questionable practice early on, preventing scores of remedial work down the line.

Architects

We spoke with Dennis Leber, CISO, Cabinet for Health and Family Services (CHFS), Commonwealth of Kentucky, on this “Security Champion” as well as the trend toward DevSecOps as a whole. Here’s what he had to say:

“Every developer should be a security champion. Our teams adopt this practice by training developers, identifying those with strong security interests and knowledge to mentor others and assigning Security Architects to each project to assist with design, testing, development and discussions.”

He continued: “I see the shift (to this dynamic, and security presence in dev) here and now. There are always companies on the cutting edge, and those far behind. DevSecOps is discussed more and more online, in conferences and on teams that are ‘security-aware.’”

In Closing

It’s clear that as security principles spread rapidly within the enterprise, the DevOps team will be keen to hear them out. Without due diligence on the security front, a product built hastily and under tight deadlines may in fact be riddled with vulnerabilities. Those vulnerabilities could in turn cost the enterprise millions of dollars, or at least a significant pinch on the bottom line. Bad press alone has the power to impale today’s businesses, too, as the news of recent years has repeatedly shown.

It is just a matter of time before an even more seamless relationship exists between security and DevOps. How quickly that maturity arrives, however, hinges upon the ease, or the friction, involved in that embrace.
