Every year, during the holiday season, we see major attacks on organizations or critical infrastructure. In Dec. 2020, it was ransomware attacks on health care institutions. And last month, it was the Log4j vulnerability, which has affected myriad applications. According to news reports, there have been millions of cyberattacks on companies since Friday, December 10, because of this vulnerability. Our proactive response to holiday hacks should be DevSecOps practices.
By Daniel Kaar, Global Director, Application Security Engineering at Dynatrace
Organizations need to stop and ask, “Are we ready to prevent hacks?” If cybersecurity isn’t built into developer operations, the answer is no.
Even if the answer is yes, given the ever-changing threat landscape, it might be time to fortify organizational security measures by putting DevSecOps — which automates the integration of security at every phase of the software development lifecycle — into practice.
Traditionally, developers have addressed application security through a checkpoint after a completed sprint, run by a team functionally separate from DevOps. This antiquated, siloed approach creates risk and slows both the development process and the reaction time, contrary to a modern software development approach.
By putting DevSecOps into practice, organizations can ensure applications are released without risk. Gartner defines DevSecOps as “the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible.”
DevSecOps connects three different disciplines: development, security, and operations. The goal is to seamlessly integrate security into a continuous integration and continuous delivery (CI/CD) pipeline in pre-production (dev, or development) and production (ops or operations) environments.
More Threats Place Primacy on DevSecOps
In advance of the 2021 Labor Day weekend, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert outlining increased cyber-targeting during holidays. According to the release, holidays and weekends are appealing times for cybercriminals to act; make it a holiday weekend, and the risk is even greater.
“In some cases,” the alert notes, “this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.”
All cyberthreats are on the rise, even in potentially overlooked domains. In 2022, for example, exploitation of containers in Kubernetes environments is predicted to increase. Surges come as DevSecOps teams continue to grapple with greater application, cloud, and IT complexity while also dealing with employee burnout during the height of the pandemic.
In short, businesses need a stronger approach to security to avoid holiday hacks and beyond. Moving security earlier in the development process (shift-left) brings security to the forefront of all developer, business, and innovation functions. At the same time, it is critical to have a shift-right strategy in place, i.e., continuous monitoring of (high-risk) production environments, which is a very common gap in most organizations’ application security tooling landscape. Here are a few best practices.
Automate Where You Can
The goal of DevSecOps is to release better software faster; it goes beyond DevOps by detecting and mitigating software vulnerabilities in production efficiently and quickly. In short, DevSecOps supports speed and innovation safely from the start.
The degree of automation present in most CI/CD toolchains requires complete automation of DevSecOps security tooling. It needs to provide information about the security of your application in parallel with development and testing so that vulnerability scans and other security measures don’t slow down development. Ideally, there should be no manual steps, configurations, or custom scripts.
Automation tools streamline and simplify security practices like vulnerability scanning and evaluating the use of vulnerable libraries, which also helps mitigate security team burnout. By automating mundane security tasks in the development cycle, DevSecOps teams are free to drive faster, more secure release cycles and accelerate innovation for the organization and its customers.
Shift Left, But Do Not Forget Right
While the benefits of “shifting left” — conducting security assessments early in the software development lifecycle before vulnerabilities find their way into production — are clear, DevSecOps should also extend to production environments, known as shifting right. After all, production is where most attacks happen and where the greatest damage occurs, so it poses the biggest risk to organizations.
Observing an application while it is running in production provides greater insight than scanning source code alone. Detecting new zero-day vulnerabilities, for example, requires monitoring existing applications in the production environment. Some applications in production may not have gone through the proper delivery pipeline, so important security controls were bypassed and those apps were never scanned by security tools in the development phase.
Avoid Holiday Hacks and More
Cyberattacks disrupt business, cost significant amounts of money, and damage reputations. A malicious attack during the holidays could be especially detrimental. Knowing it’s prime time for bad actors, it’s a good time to examine the security gaps in the application development process.
In today’s multi-cloud and hybrid environments, the most resilient applications, IT ecosystems, and businesses will have security as a top priority all along the development process. DevSecOps makes this possible.
With real-time security intelligence across pre-production and production environments and automation that can help manage every stage of the DevSecOps workflow, teams can produce better, higher-performing, more secure software faster and with less effort.
About the Author
Daniel Kaar is the Global Director of Application Security Engineering at Dynatrace. With his team, Kaar helps organizations around the globe to embrace a modern, next-generation approach to application security.
Kaar worked in various software engineering roles before moving to a customer-facing role. Over the past decade, he has been involved in hundreds of customer engagements, hosted dozens of webinars, and created several thought-leadership articles.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG, and CISO MAG does not assume any responsibility or liability for the same.