Do you know what you’re missing out on without DevSecOps? And if you’ve already embarked on it, you need to know what you may have overlooked…

What is DevSecOps? Why and how is DevSecOps a cyber imperative for organizations today? Whether or not you have embarked on it yet, it is imperative that you know what could be overlooked and what you are missing out on as a result.

CybersecAsia sought out Paul Hidalgo, DevSecOps Specialist, Trend Micro, for insights that can help us answer these questions.

What is DevSecOps and what are people overlooking when examining it?

Hidalgo: DevOps is about developing applications fast. Automating security is about delivering security fast. A perceived lack of adoption of DevSecOps can be ascribed to how security is sometimes misconceived as a roadblock. With automation, businesses are able to integrate security into the DevOps process and toolchain without causing unnecessary friction and to-and-fro between development and operations teams.

For DevOps teams, automated security helps accelerate lifecycles while alleviating the burden of manually testing the application for vulnerabilities or threats. It’s thus unsurprising that 59% of surveyed organizations are automating security into their DevOps processes.

Automation can be as simple as applying draft detection when specific controls change, or automatically detecting misconfiguration and fixing it.

Additionally, process automation can also help to reduce human error while security that is adaptive, contextual, and software-based should be prioritized. Once security functionality is established as services via APIs, it is easier to embed into DevOps workflows in an automated manner. It can enable crucial capabilities such as continuous scanning of container images for bugs and malware, along with run-time protection.

In the early stages of a project at least, it may be a good idea to prioritize visibility and monitoring rather than enforcement and blocking, so that security is not seen as a drag on innovation.

What are the opportunity and business costs in not adopting it?

Hidalgo: Based on a recent global DevOps survey we conducted, almost 9 in 10 (89%) of IT leaders admitted they were facing issues implementing a true DevOps culture in their organization. The top three challenges are: increased security complexity (40%), complexity of the IT infrastructure (39%), and lack of staff training or awareness of DevOps within the wider organization. Close behind is a lack of communication between the developer, security, and operations teams (34%).

New technologies are quickly evolving and in order to secure new cloud applications, organizations have to understand these technologies – not just how they work, but also how customers use them, how developers write software for them, how they’re deployed, and how the infrastructure team uses them. The simplistic approach of looking for “security for X” technology would almost certainly result in a lot of chaos.

Make the case for the use of containers in DevSecOps automation – what kind of opportunities does this bring? Additionally, how is this integrated into the CI/CD pipeline?

Hidalgo: Trend Micro has been providing technologies to help companies secure dynamic environments. Virtual patching has been the first foray into security automation with the ability to learn what is inside your servers so you can secure them properly, helping companies mitigate risk and buy time to patch, not just for VMs but also for the container environments.

What’s driving the adoption of cloud containers is the need for speed. Google has been running all its software in containers since 2014. Numbers have it that it fires up two billion containers a week.

But containers are not devoid of security pitfalls. Kenna Security’s 2019 project reveals that many of the top 1,000 most popular containers from Docker Hub contain some type of vulnerability. Over 20% of the containers have at least one vulnerability considered high risk. The oldest container on the list – abh1nav/Cassandra – had 1.5 million pulls, and is home to over 431 open vulnerabilities. The container Keyvanfatehi/sinopia, while pulled 1.7 million times, has the highest number of vulnerabilities – an alarming 2,004.

Now we are moving the ability to detect issues into the pipeline with Smart Check, a tool that you use in the DevOps pipeline to look at malware, vulnerabilities, and content such as credit card numbers. It also helps with compliance such as PCI-DSS. This can be integrated in the CI/CD pipeline so that developers get feedback on whether the containers are laden with malware or vulnerabilities.

In the future, we are even moving security to the left with App Protect, a runtime application security platform. Unlike static code analysis, App Protect allows you to spot code behaviour that may lead to breaches and vulnerabilities. Being integrated in code, developers can find issues while writing applications and running them.
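The following is an added illustration, not code from Trend Micro, Smart Check, App Protect or CybersecAsia, of two points made in this interview: the pipeline feedback Hidalgo describes above (image vulnerabilities, malware, and card-number content flagged for developers before deployment) and the earlier advice to start with visibility and monitoring before switching to enforcement and blocking. It is a small CI gate in Python that reads a scanner report, applies a policy and returns a verdict. The report layout, the image name, the VULN-PLACEHOLDER identifiers, the file contents and the severity thresholds are all constructed assumptions and do not reflect any real scanner's output format.

```python
"""Monitor-first CI gate for container-image scan results (added example).

Assumptions: the JSON report shape, the placeholder vulnerability ids and the
policy defaults below are constructed for illustration, not any vendor's format.
"""
import json
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan report for a hypothetical image (ids are placeholders, not real CVEs).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.internal/payments-api:1.4.2",
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "package": "openssl", "severity": "high", "fix_available": True},
        {"id": "VULN-PLACEHOLDER-2", "package": "zlib", "severity": "medium", "fix_available": False},
        {"id": "VULN-PLACEHOLDER-3", "package": "curl", "severity": "low", "fix_available": True},
    ],
    "malware": [],
    # Text content the scanner extracted from files in the image (constructed).
    "files": {
        "/app/config/test-data.txt": "card=4111111111111111 note=fixture",
        "/app/README.md": "order id 1234567890123456 is not a card",
    },
})


@dataclass
class Policy:
    block_at: str = "high"     # lowest severity that counts as blocking
    require_fix: bool = True   # only block on findings the developer can fix now
    mode: str = "monitor"      # "monitor": report only; "enforce": fail the build


@dataclass
class Verdict:
    image: str
    passed: bool
    blocking: list = field(default_factory=list)         # findings that would fail an enforced build
    advisory: list = field(default_factory=list)         # findings reported for visibility only
    sensitive_files: list = field(default_factory=list)  # files holding Luhn-valid card numbers


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Runs of 13 to 19 digits not adjacent to other digits; Luhn filters false positives.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_card_numbers(text: str) -> list:
    """Return digit runs that pass the Luhn check, i.e. plausible card numbers."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def evaluate(report_json: str, policy: Policy) -> Verdict:
    """Classify findings against the policy; fail the build only in enforce mode."""
    report = json.loads(report_json)
    verdict = Verdict(image=report["image"], passed=True)
    threshold = SEVERITY_RANK[policy.block_at]
    for v in report["vulnerabilities"]:
        serious = SEVERITY_RANK[v["severity"]] >= threshold
        actionable = v["fix_available"] or not policy.require_fix
        (verdict.blocking if serious and actionable else verdict.advisory).append(v["id"])
    verdict.blocking.extend(report["malware"])  # any malware hit is always blocking
    for path, content in report["files"].items():
        if find_card_numbers(content):
            verdict.sensitive_files.append(path)
    if policy.mode == "enforce" and (verdict.blocking or verdict.sensitive_files):
        verdict.passed = False
    return verdict


def feedback(verdict: Verdict, policy: Policy) -> str:
    """Short developer-facing summary suitable for a pipeline log or PR comment."""
    lines = [f"{verdict.image}: {'PASS' if verdict.passed else 'FAIL'} ({policy.mode} mode)"]
    if verdict.blocking:
        lines.append("  fix before release: " + ", ".join(verdict.blocking))
    if verdict.sensitive_files:
        lines.append("  card-number content in: " + ", ".join(verdict.sensitive_files))
    if verdict.advisory:
        lines.append("  advisory: " + ", ".join(verdict.advisory))
    return "\n".join(lines)


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(feedback(evaluate(SAMPLE_REPORT, Policy(mode=mode)), Policy(mode=mode)))
```

In monitor mode the same report produces the same developer feedback but never breaks the build, which is the visibility-first posture Hidalgo recommends for early-stage projects; flipping `mode` to `enforce` once the team trusts the signal is a one-line policy change rather than a new integration.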

With teams having the benefit of working across the lifecycle, and as a result developing a set of skillsets that are not limited to a single function – is there still a need to have a central security operations team? What are the differences in the skills/mindset/training needed for DevSecOps?

Hidalgo: Yes, absolutely, but the tasks will change. Evolving security teams will have a skillset more similar to developers’: writing code to detect, give insights, and possibly remediate attacks.

Applying a DevSecOps mentality is all about automating mundane tasks. This will free up time to do cool stuff – being the hunter instead of the hunted.

In terms of adoption, what do you think will trigger companies to embrace DevSecOps in droves?

Hidalgo: As companies move into the hybrid cloud environment, DevSecOps should become the underpinning of their security operations. It’s projected that by 2019, 70% of enterprise DevOps initiatives will integrate automated security as well as vulnerability and configuration scanning for application packages.

While the goal is the same through the years, the pace of innovation is just going to get faster. I believe that DevSecOps thinking is not just about the ability to configure security tools quickly or to detect threats in the pipeline, but rather how fast we can integrate securing data as we innovate and deliver value.