Information security is an evolving discipline and one which needs to stay not just one step ahead of the bad guys, but also needs to take account of the way business and technology is changing. In business the name of the game is to be “agile” and to be able to adapt and disrupt both old and new industries.
In the technology world the firm growth of cloud computing and new ways of creating and deploying applications quickly means that security needs to keep up to be successful. The use of traditional frameworks such as waterfall development and ITIL has given way to new methods of working often labelled as “DevOps”. Formed from a combination of development and operations the principle of DevOps is to create code quickly, deploy it immediately and get feedback from users as you go along.
Terms such as CI/CD (Continuous Integration/Continuous Delivery) and its more extreme version Continuous Deployment are relatively recent additions to the software development vocabulary. These ideas mean that the delay between code being written and its deployment into the live environment can be almost non-existent.
The breakneck speed of this method obviously means that ensuring new apps are secure can be somewhat of a challenge. The information security industry has reacted to this need with the creation of its own new way of working usually called “DevSecOps”. This attempts to deliver the benefits of fast deployment whilst ensuring that basic information security precautions and controls are not bypassed or forgotten.
Delivering DevSecOps is recognised to be a difficult but necessary task which involves thinking security from the very beginning of a project and ensuring the people involved in it have the right level of awareness. Delegation of security responsibilities into the development teams is key and many organisations establish roles with names such as “Security Champion” and “Security Advocate” to try to achieve this.
Where the deployment of code is automated, it is important to ensure that the relevant security checks and testing are also automated so that they don’t delay the deployment and reduce the perceived agility of the development process itself. Just as agile developers create “use cases”, a corresponding set of “mis-use cases” also needs to be considered, along with input from frameworks, such as the OWASP Application Security Verification Standard.
But it’s not just software applications that move fast in today’s world. The area of infrastructure has also been affected where the ability to virtualize complete environments means that in many cases the infrastructure itself may be treated as code. In a situation where a server may be created in seconds it’s just as important as ever to ensure that the correct standards are established for security.
In the current Silicon Valley-inspired rush to “fail fast, fail often” it is vital that the security of the resulting systems is not compromised, particularly as a large proportion of the general public will use these applications without a second thought, often entrusting them with significant amounts of personal data. DevSecOps is developing into the accepted way to address the issues raised by the pace of change in today’s interconnected world. Currently it consists of a loosely defined set of techniques and tools, but it is likely this will become better defined as time goes by.
CertiKit is working on incorporating aspects of DevSecOps into our toolkits and it is likely that this will be a growth area in content in the future. As always, we will be keeping an eye on how this develops, as we continually update our products and knowledge.