DevSecOps is a term that means different things to different people. I see it primarily as an umbrella term for “continuous security”, or security that is built into the process of building, shipping, and running business logic. The pandemic-induced, fast-paced cloud migration that we are witnessing makes the improvement and adoption of DevSecOps practices even more critical.
Supply Chain Security
There have been several supply chain attacks in recent memory, and they are top of mind for CISOs, CIOs, and SecOps teams. From the large-scale SolarWinds compromise to attacks that arrive through deployed third-party code such as agents, appliances, or even testing software inside an organization, the supply chain is the new way to break in. Supply chain risk is significantly higher in the cloud because of the nature of agile software development and release processes. A few months ago, half of the Docker Hub images were found to have a critical vulnerability, and thousands had implanted malicious code. Supply chain attacks allow the attacker to gain an initial, privileged foothold in an organization. Following this, attackers usually establish command and control, followed by lateral movement and exfiltration. Jeff Williams discusses this supply chain risk from an AppSec perspective as well. I have previously advocated an agentless approach to runtime security to minimize supply chain risk.
Injecting business user needs and breaking down silos improves the user experience. Gregg Ostrowski talks about how optimizing the user experience for an organization’s digital services is key to customer satisfaction. Ajay Gandhi talks about Dev, Ops, and Security coordinating directly with business owners so that “everyone draws from a single source of truth”.
AI and Automation
Cloud-scale DevSecOps needs automation to keep up with the rapid changes introduced by developers. Developer and ops teams usually dwarf security teams by an order of magnitude, so the key to maintaining visibility and security with DevSecOps is automation. Using cloud-native automation to drive DevSecOps processes, so that they keep pace with rapid infrastructure and workload changes, is a key enabler that needs to be leveraged. As an example, a change in infrastructure or the bring-up of a new container instance should automatically trigger a series of checks. AI is a key ingredient in separating the signal from the noise. Even if security teams have no “darkspace” in their cloud, the next issue is how to actually detect problems: not just static detection, but detection prioritized by risk to the organization, and detection of issues that only manifest at runtime. AI can uncover hidden malicious code and unusual command-and-control patterns from supply chain infections in the cloud. I argue that statically checking for CVEs is necessary but nowhere near sufficient. As Seth Vargo describes in a recent episode of the Google Cloud Security Podcast, “one cannot simply check for problems and then put something into production and go away”. New CVEs keep appearing, and many attacks go after CVEs that are not yet known. AI-based detection infused into DevSecOps processes allows for defense against malicious code implants and against attacker- or human-introduced misconfigurations.
Questions? How to Contact Blue Hexagon Security Experts
I hope you found this article informative. If you need assistance or have any questions on how to replace your security agents or how to bolster your security stack in the cloud, please contact Blue Hexagon Security Experts by email at firstname.lastname@example.org or online at https://bluehexagon.ai/contact/ and let us know how we can help.
For more detailed information, read the full article by Tom Smith here https://www.insightsfromanalytics.com/post/opportunities-for-devsecops-in-2021