Shifting Security Left
The InfoSec Consulting Series #6
By Jay Pope
Building on our Technical Debt article, we’re going to discuss the benefits of ‘shifting security left’ in your development pipelines.
Pen Testing vs DevOps (Shifting Security Left)
Many organisations have embraced Agile as a development methodology. Its potential for innovation, continuous delivery and risk reduction is compelling. Also gaining traction is DevOps, combining the development and operations phases. However, both disciplines are being overtaken by the need to ensure that operational systems are secure; bulletproof, even. Traditionally, security testing is carried out by penetration testers. These specialists define a test strategy for the application and develop tests to verify that the software is resilient to various attack scenarios such as denial of service, authorisation bypasses and SQL injection. How can organisations marry the speed of Agile and DevOps with the calm deliberation of penetration testing? As realists, we expect the approaches to collide: developers constrained by manual testing stages, testers overwhelmed by the chaos of constant change. It needn’t be this way. Here we discuss a methodology known as DevSecOps and how it can deliver the best of both worlds. We weigh up the challenges for DevOps and recommend how organisations can implement DevSecOps in their development process.
What is DevOps?
DevOps is a catch-all term used to describe the unification of software development and its operation. It involves the processes of development, delivery and operations, the tools that automate those processes, and finally a team culture. The team members see themselves as responsible for the whole lifecycle; no “throwing over the wall” for someone else to deal with. In today’s world, systems must be bulletproof against hackers, ransomware, and political and business espionage. This creates two challenges for DevOps teams:
- They need to extend their (already broad) skillset into security;
- The discipline of considering security vulnerabilities can be perceived as being at odds with their agile work practices.
What is Penetration Testing?
Penetration testing is a process of testing a system or application to find vulnerabilities that could be exploited by a hacker. Traditionally, it is carried out as a one-off exercise late in the development cycle, when the system is sufficiently stable and can be evaluated holistically. Pen testers are specialists; they are highly qualified in testing techniques and keep up to date with the latest hacking approaches. Pen testers must think like a hacker, a very different mindset from user-experience-driven development. Before they can apply hacking methods, pen testers need to build a test environment that mimics the real world. This can be a challenge for cloud-hosted systems, as the test may involve simulating denial of service or kernel attacks, which are anathema to a cloud service provider. Pen testing IoT and mobile applications is also challenging owing to the multiplicity of devices and the need for manual steps.
What is DevSecOps?
DevSecOps is an extension of DevOps and is commonly referred to as shifting security left. Security is implemented throughout the lifecycle at each stage, from planning, through development and into operation. There is still a role for traditional pen testing, but it is carried out relatively late in the cycle, complementing the tests executed during the process and, ideally, rubber-stamping the system’s security credentials. Pen testing may not be necessary for every cycle, but it should still be carried out at periodic intervals as part of a broader security assurance strategy. Gartner’s report, DevSecOps: How to Seamlessly Integrate Security into DevOps, says: “Information security architects must integrate security at multiple points into DevOps workflows”. This must be achieved collaboratively and transparently with the development team to maintain the agility and speed of DevOps.
How Can Organisations Implement DevSecOps Into Their Processes?
As with any change of practice, shifting security left successfully needs buy-in at a high level. At executive level there will be someone responsible for information security, sometimes in a CISO role. Getting the backing of this person, together with a senior quality role, will help to drive the changes through. Shifting security left means including security specialists in the development team. These people are highly sought after and unlikely to be home-grown. Their purpose, beyond their own knowledge of good security practice, is to impart their skills to the wider team and encourage good security discipline. It’s essential that the whole team be brought up to a good level of proficiency so that it can be applied on a project.
Security assessments and tests need to be implemented at each step in the DevOps lifecycle: planning, coding, building, testing, release, deployment and operations. This will ensure that security and compliance are built into the software. Specific considerations are:
- Team mindset:
  - Empower the team and encourage them to feel that everyone is responsible.
- Security:
  - When assessing security, take the viewpoint of a hacker rather than an end user.
- Training and qualification:
  - Educate all employees on security risks.
  - Train the development team on security specialisations and encourage them to achieve certification.
- Code and build:
  - Establish a continuous integration and continuous delivery pipeline and assess its security; take particular care with private keys.
  - Follow good agile methods: short sprints with frequent deliveries.
  - Use code analysis tools and peer code review; check for defensive coding.
  - Thoroughly investigate open source components; these are very attractive under time pressure but can introduce vulnerabilities.
- Change control:
  - Include security and compliance in review and approval processes.
  - Turn on change tracking and periodically check that code pushes etc. are reflected in the change log.
  - Check that compile and build checks are clean.
- Security checks:
  - Carry out static analysis checks in the development tool.
  - Include security functions in unit tests.
  - Use a dynamic application security testing (DAST) tool at the acceptance stage.
  - Include compliance in automated deployment and runtime checks.
- Investigate vulnerabilities:
  - Implement services to detect threats, and follow up on alerts.
  - Carry out periodic checks for vulnerabilities.
  - Highlight vulnerabilities found during team meetings and use them as a learning exercise.
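As an added example (written for this article; it is not code from the article or from any tool it names), the following Python script sketches a minimal security gate that a CI pipeline could run on every push. It covers three items from the list above: private keys committed to the repository, open source components pinned to a version with a known advisory, and an exit code the pipeline can use to fail the build. Every file, package name and advisory entry in it is constructed sample data, and it assumes keys would be PEM-encoded and dependencies listed in a pip-style requirements file.

```python
"""Minimal CI security gate (illustrative example, not a production tool).
Checks: committed private keys, dependencies with a known advisory, and
unpinned dependencies (warning only). All sample data below is constructed."""
import re
import sys
from dataclasses import dataclass

# Matches PEM headers such as "-----BEGIN RSA PRIVATE KEY-----" or
# "-----BEGIN OPENSSH PRIVATE KEY-----" (assumption: keys are PEM-encoded).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

# Exact-pin requirement line: name==version (anything else counts as unpinned).
REQ_LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+-]+)$")

# Constructed advisory data: package name -> affected versions. A real gate
# would pull this from an advisory database rather than hard-code it.
KNOWN_VULNERABLE = {
    "examplelib": {"1.0.0", "1.0.1"},
    "jsonparser": {"2.3.0"},
}

# Finding kinds that must fail the build; everything else is a warning.
BLOCKING = {"private-key", "vulnerable-dependency"}


@dataclass(frozen=True)
class Finding:
    check: str     # which check raised it
    location: str  # file:line or package spec
    detail: str    # short explanation for the build log


def scan_for_private_keys(files):
    """files maps a repo-relative path to its text contents."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if PRIVATE_KEY_RE.search(line):
                findings.append(Finding("private-key", f"{path}:{lineno}",
                                        "PEM private key header committed"))
    return findings


def parse_requirements(text):
    """Split a pip-style requirements file into exact pins and everything else."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = REQ_LINE_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def check_dependencies(requirements_text):
    findings = []
    pinned, unpinned = parse_requirements(requirements_text)
    for name, version in pinned.items():
        if version in KNOWN_VULNERABLE.get(name, set()):
            findings.append(Finding("vulnerable-dependency", f"{name}=={version}",
                                    "version listed in advisory data"))
    for spec in unpinned:
        findings.append(Finding("unpinned-dependency", spec,
                                "not an exact pin; cannot be checked against advisories"))
    return findings


def run_gate(files, requirements_text):
    """Run every check and return all findings, blocking and warning alike."""
    return scan_for_private_keys(files) + check_dependencies(requirements_text)


def gate_passes(findings):
    return not any(f.check in BLOCKING for f in findings)


# Constructed sample repository: one clean source file and a committed key.
SAMPLE_FILES = {
    "src/app.py": "import os\nSECRET = os.environ['APP_SECRET']\n",
    "deploy/id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                          "AAAAconstructedsamplenotarealkey\n"
                          "-----END OPENSSH PRIVATE KEY-----\n"),
}
SAMPLE_REQUIREMENTS = """
# constructed requirements file
examplelib==1.0.1
jsonparser==2.4.0
httpclient>=2.0   # not an exact pin
"""

if __name__ == "__main__":
    results = run_gate(SAMPLE_FILES, SAMPLE_REQUIREMENTS)
    for f in results:
        level = "FAIL" if f.check in BLOCKING else "WARN"
        print(f"{level} [{f.check}] {f.location}: {f.detail}")
    sys.exit(0 if gate_passes(results) else 1)
```

Run against the constructed sample, the gate reports the committed key and the vulnerable pin as failures and the unpinned package as a warning, then exits non-zero so the pipeline stops. Keeping blocking and warning findings separate is the design choice that lets a team tighten the gate over time (for example, promoting unpinned dependencies to a failure once the backlog is cleared) without the gate being switched off for being too noisy.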
Can Pen Testing Co-exist With DevOps?
DevSecOps can help organisations to achieve DevOps’ agility and innovation while delivering more secure and stable systems. Pen testing still has a role to play, but at specific product stages, complementing the testing done by the team.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.