What companies need to know about ‘SecOps’ — the path to making ‘digital transformation’ secure

By Byron V. Acohido

DevOps has been around for a while now, accelerating the creation of leading-edge business applications by blending the development side with the operations side.

It should come as no surprise that security is being formally added to DevOps, resulting in an emphasis on a process being referred to as SecOps or DevSecOps.

Related: How DevOps played into the Uber hack

It’s a logical transition. With DevOps, the two teams merged to pursue a common goal: to drive value for the organization. To do that, the teams are finding better ways to work together and break down barriers.

With digital transformation, in cloud computing and IoT, really just beginning, it makes sense to bring security into the DevOps conversation. The security team needs to be at the table, working alongside the developers and the operations teams, providing the risk management view.

Oil and water

I visited with Dan Cornell at Black Hat USA 2018. Cornell is the chief technology officer at the application security firm Denim Group. We discussed the general guidance Denim Group offers its clients and how its ThreadFix vulnerability management platform is helping organizations bridge the gap between DevOps – whose aim is to deliver innovative applications with great flexibility at high velocity – and the security side of the house.

Yes, it’s like blending oil and water. However, DevSecOps has to come to full fruition if digital transformation is to achieve its full potential. For a drill down on my discussion with Cornell, please listen to the accompanying podcast. Here are a few big takeaways:

DX driver

Organizations are driving innovation with custom applications and systems, with mobile apps and IoT and cloud computing – all of the things that make up digital transformation, or DX. It’s not only good for the organization, as Cornell points out, it also provides value to customers and stakeholders. But for all the upside, there is a downside to the digital transformation.


“Applications now are more valuable than ever, but they also expose organizations to more risk than ever before,” Cornell says.

The problem is that, over time, organizations built huge portfolios of applications, all supporting different areas of the business or different products. Those apps have been there for decades, but security was different back then.

Organizations focused on the security of the couple of applications central to overall business operations and didn’t worry about the rest. You can’t do that anymore. The digital transformation has changed the way we use apps, and now every app is a potential security risk.

Roadmap needed

What’s more, due to the cybersecurity skills shortage, there is, at best, one security professional available to look over the shoulders of every group of 100 developers charging full steam ahead to maintain and improve existing apps as well as to develop and deliver new ones.

“Now organizations are realizing that they have a sprawling portfolio of applications and there aren’t enough security people to handle this,” explains Cornell.

Companies seeking to infuse a security component into their applications under development are having to look for outside help. When crafting an application security program, organizations first need to understand what they want out of that program, Cornell says.

The strategic aspects include developing a road map of what they want to accomplish, how to incorporate threat modeling, how to incorporate static, dynamic and penetration testing, and how to do security evangelism to developers.

“From a strategic standpoint, organizations need to make the determination of what parts of the application program they believe are core for internal folks to execute and where to carve out parts of the program to have someone else handle,” says Cornell.

Bridging the gap

That’s where Denim Group comes in. Denim Group was founded in 2001 as a custom software development shop and eventually expanded its offerings to focus on application security, helping organizations deal with the security impact of the software they were developing.

Denim Group’s ThreadFix platform is designed to help organizations manage the scale and complexity of their application program while keeping security on a front burner. It identifies all of the teams responsible for the different applications and helps organizations manage the variety of testing activities used to secure those applications: SAST, DAST, IAST, open source management, penetration testing, and so on.

The test results drive remediation: glaring vulnerabilities are routed to and addressed by the development team, thus bridging the gap between security and development.

It comes down to steadily improving communication between the security, development and operations sides of the organization. Silos simply no longer work.

“This is a challenging problem that CISOs face, dealing with the risk associated with these applications,” says Cornell. “We want to give them the flexibility so they can work within the constraints of the marketplace and give them every tool they need to be successful.”


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Last Watchdog’s Sue Poremba contributed to this report.


(Editor’s note: LW has supplied consulting services to Denim Group.)
