In the past, many teams were able to get by with security as an afterthought — or so it seemed. But as development cycles have become faster and devices more connected than ever before, there’s no mistaking the fact that every team needs to make security a priority.
More organizations are starting to implement DevSecOps and integrate security into the development process; one study found that while only a small percentage have fully implemented DevSecOps today, 68% of companies plan to use DevSecOps practices within the next two years. We chatted with Mike Kail, CTO of Everest.org, to learn more about what teams need to know about DevSecOps as they begin their journey towards shifting security left.
As DevOps practices gain broader adoption, security is often still a gap in the process; according to a survey of DevOps practitioners, only about half of organizations with mature DevOps processes perform automated application security analysis throughout the development process.
But the cost of not integrating security into application development is high. A study from IBM found that businesses without formal security protocols in place spent on average $4.74 million after a breach. “Every year there are thousands of data breaches, largely a result of source code and application-level vulnerabilities, but many organizations still take an antiquated approach to application security,” says Mike. “Organizations need to flip their security approach from defensive to offensive in order to anticipate and thwart attacks before they happen.”
“The biggest barrier to DevSecOps is culture, not technology,” says Mike. “Development teams are more concerned with delivering new features and functionality at an extremely high velocity. Security teams are often seen as a blocker to delivery. They can create a lot of fear and uncertainty. To successfully transition to a DevSecOps methodology, both teams must be willing to make application security an integrated strategy and continue to drive security awareness for developers.”
Mike suggests that teams should look to successful implementations of DevOps as they model a more progressive, security-focused culture. “The core tenets of DevOps are collaboration, automation, measurement and sharing. We need to build a culture based on those ideas for application development and security.”
For many large initiatives, the first questions a team might ask are, “Should I hire more people for this?” or “Do I need additional software/tools for this?” But for teams that are keen to start implementing DevSecOps, Mike warns against investing in tooling or hiring too early. The shift in your existing culture is critical to the success of a DevSecOps process, and putting the focus on new hires or new infrastructure can create additional roadblocks to that shift:
“A scale-out approach works extremely well for most infrastructure architectures and applications, but it is completely ineffective in terms of additional security tools and hiring more Security Engineers. This shifts the Security team even farther away from the Development and Delivery process and it doesn’t embrace the core tenets of the DevOps culture,” says Mike.
Communication is at the heart of modern security practices — whether that’s building better communication practices internally or creating intelligence sharing relationships with other organizations. DevSecOps is still a new and evolving discipline, and organizations that are just getting started can benefit from learning from other teams with more mature DevSecOps practices already in place. Mike recommends checking out #DevSecOps on Twitter to get vendor-neutral input on the space. For more from Mike Kail on DevSecOps, application security and more, check out his Medium blog.
Developer companies face a unique set of challenges when it comes to designing, developing and selling secure products. Join us for DevGuild: Enterprise Security on November 14th for a half-day conference featuring CISOs from organizations like Atlassian, HashiCorp and Splunk as they discuss topics including “Democratizing Security from the Top Down” and “Disclosing Incidents from Routine to Breach.” Learn more and buy tickets to DevGuild here.