Shifting Security Left: How to Bake Security into Your Software Delivery Process
Despite the number of high-profile security breaches that have occurred over the last few years, there remains, according to Derek Langone, CEO of XebiaLabs, a lot of risky behavior happening with software delivery. This behavior is fueled by demands that nothing, including security, slow down the business. But in 2018, security is a benchmark for quality in software. And if your business isn't providing quality, the speed at which you deliver products doesn't matter.
We recently sat down with Derek to get his thoughts on the dangers of treating security in application delivery as a low priority and how to shift security left in the delivery pipeline. Here's what he had to say.
1. DevSecOps is a hot topic right now? Why do you think that is?There’s still quite a bit of risk around software delivery in organizations. For example, not long ago, I read some pretty disturbing research (by ThreatStack) about the state of security in software development. It said that 52% of companies cut back on security measures to meet business objectives, and 68% of respondents (which included developers, security, and operations staff) said that their CEO demands that DevOps and security teams don’t do anything that slows down the business. Another 62% admit that their operations team pushes back when asked to deploy security technology. But, over the last few years, we’ve seen too many examples in the news of security breaches in major companies—Equifax, Yahoo, eBay, Target, Uber. In 2017, the average cost of a cyber attack for enterprises was estimated at $1.3 million. That’s the average. And so DevSecOps is beginning to catch on as companies start thinking about how they’re going to use DevOps to be more innovative and deploy much more frequently, while keeping their software secure.
2. As the CEO of a company that makes DevOps software, what does shifting security left mean to you?Shifting left means incorporating security into the development cycle from the very beginning, through to the point that the software is up and running. Security should not be a bolt-on practice just before an app launches. It involves making cultural changes around security that allow developers and other participants in the software delivery cycle to address security autonomously, especially when the ratio of developers to security may be as high as 100:1. It also involves making process changes that incorporate automated security and testing across the entire pipeline to make sure that code is secure and security cannot be circumvented. And the thing is, great teams with great developers want to build great software and deliver it to their users quickly. High-quality software is secure software—nearly every developer I’ve talked to acknowledges this today, so empowering them to help is really good for them and for the business.
3. How do we empower developers and others to address security “autonomously”?There are many approaches for doing that and for generally starting to move security left. Gene Kim actually addresses several approaches in The DevOps Handbook. Things like automating as many security tests as possible so they run alongside all other automated tests and run continuously in the deployment pipeline. Also, integrating security knowledge into shared source code repositories, such as pre-blessed security libraries and hardened infrastructure stacks that are available for developers. These things help developers work autonomously so they don’t have to be held up until security steps in to check that safeguards are in place. Security requirements should form part of the product backlog and be prioritized to ensure that the requirements are incorporated into application development. Additionally, companies should invite their security colleagues to each sprint demonstration and review session, which usually takes place at the end of a sprint. Of course, security issues will occur, and these should be tracked and used as learning opportunities, resolved within the code, and validated with enhancements to the organization's automated testing processes. But to really pull it all together and shift security left in your pipeline, you need a DevOps platform that provides both release orchestration and deployment automation. This is the perspective I come from when thinking about security. You need a DevOps platform built for the enterprise if you’re going to enable your developers to work autonomously, integrate security staff and steps into your release process, meet compliance requirements, and bake security directly into the pipeline with the appropriate gates, returning code back to the developer should a security violation be identified. Automation of security steps into the development, release, and deployment pipeline is critical. This starts with both static and dynamic code analysis, automated scanning of source code repositories for vulnerability analysis, automated patching, and the application of automated penetration testing. All of these are enforced with the Xebialabs DevOps Platform.
4. What are the dangers of not shifting security left?Generally speaking, the costs of ignoring security are that you could lose everything from your customers’ trust to your intellectual property. Again, we’ve seen enough news the last couple of years about the huge losses associated with ignoring security until there’s a breach. There’s also been a large increase in the number of companies using open source tools, the cloud, and the Internet, and these tools can open you to significant vulnerabilities. You must be able to track developed code all the way through the pipeline and trace requirements to that code, so when a new vulnerability is identified, you know exactly where it’s being used and how it’s configured, and you can quickly remediate. If you’re in a highly regulated industry, you need to also think about building in compliance conformance, which our platform empowers enterprises to deliver. In healthcare, for example, there’s HIPPA, in financial services there’s the Gramm-Leach-Bliley Act, AML, and PCI DSS. Plus, on May 25, 2018, the European Union began enforcing the General Data Protection Act, or GDPR. Overall, compliance requirements are only going to increase, and software development is going to keep accelerating. Automating compliance checks where you can and building in gates for others, standardizing your processes, and having full visibility and control so you can track everything is what enterprises need to speed up delivery without sacrificing security.
How the XebiaLabs DevOps Platform helps bake security into the pipelineEnables self-service deployments of approved hardened environments for developers and other teams across the enterprise, while maintaining governance and control over the release and deployment process.Gives security and risk management teams full visibility into all release and deployment processes.Provides deployment automation, allowing for the standardization of complex deployments to any target environment—from cloud and containers to middleware and mainframes.Builds security testing into each step in the software delivery pipeline. Thanks to integration with code analysis tools, allows you to automatically check application code during the release process and take action if quality checks fail. You can also easily set up quality gates and approval checkpoints throughout your release pipelines.Provides situational awareness capabilities, so you can assess potential security risks associated with each deployment, and stop them before they make it to Production.Gives you a single place to manage infrastructure and environment configuration data, so you can more easily enforce control over access to target systems.Enables role-based access control that provides granular permissions for all release and deployment tasks. Integration with LDAP, Active Directory, single sign-on, and two-factor authentication solutions makes managing users and permissions easy and further ensures the effective application of separation of duties.Provides a model-based deployment approach, which accelerates deployment time, while reducing errors and failed deployments.Automatically collects and maintains evidence for compliance audits and presents it in a single system of record for the end-to-end release process.Offers built-in intelligence that analyzes your software delivery pipelines and highlights trends and anomalies. This intelligence allows you to address problems early, predict security risks, and make data-driven decisions about process improvements.