bluebay2014 -

DevSecOps not limited to coding, says analyst

DevSecOps is seen as a way of ensuring application security, but security leaders must understand that embedding a security culture and taking the inter-dependencies of new development frameworks into account is key, says KuppingerCole

Security leaders need to understand that DevOps and security, or DevSecOps, does not end with software code, according to Alexei Balaganski, lead analyst at KuppingerCole.

“It extends way beyond coding processes into data security operations, which is aimed at ensuring data security throughout the development process,” he told Computer Weekly.

Balaganski believes that to improve the security of software applications, there needs to be a shift away from business-driven, IT-driven and compliance-driven software development to security and software developer-driven software.

“All too often we still see the business making demands of development teams and setting delivery deadlines that do not take security into account,” he said.

Security also needs to start with education, said Balaganski, and before technology is even considered, a security culture must be entrenched throughout the organisation or enterprise, its employees and its business processes.

“When it comes to the technology side of security, DevSecOps is gaining in popularity as a way of making everyone, including the laziest of developers and most negligent employees, embrace security rather than seeing it as a hindrance to their work,” he said.

A focus on data security operations within DevSecOps is one of the emerging trends in terms of ensuring better data security within organisations.

“A few organisations are beginning to understand that application security is not just about coding, but is also about how the application handles data and how the developers handle data,” said Balaganski.

This means that data that is used for testing application prototypes has to be compliant with data protection regulations. “You cannot just give every developer working on an application a copy of the production database of customers’ personal data,” he said.

At the same time, Balaganski said no developers are going to wait for responses from the data protection team to requests for test data, and are likely to steal a copy of the production database to save time.

“Therefore the data security operations approach is to instead integrate data delivery and data anonymisation processes into the development process,” he said.

Read more about container security

One way of doing this is by using data virtualisation technologies so that the sensitive data remains on-premise in the secure datacentre, but developers who need test data get access for a limited time period to anonymised and masked data for testing purposes, without any copy of the database being made.

“Technologies like this exist to combine development and security in an effective way,” said Balaganski. “But the challenge for organisations is getting security, development and data protection come together to adopt and use the technology collaboratively.

“Again, it comes back to education and promoting security awareness. Just as there was a paradigm shift from traditional software development to DevOps, data security operations is coming up as the next potential paradigm shift, particularly as data becomes a more sensitive issue with the introduction of data protection regulations such as the EU’s General Data Protection Regulation [GDPR].”

Another interesting trend that security leaders should be aware of is the use of containers to deploy and run applications, said Balaganski.

“They are developing as a platform for running applications to reduce the workload on developers in terms of infrastructure maintenance and the tangible business need of supporting hybrid environments comprising on-premise and cloud-based applications, but special care needs to be taken from a data security point of view,” he said.

A recent example of things going wrong, said Balaganski, was the Russian airline Aeroflot, which left open to the public internet a Docker registry server that was used to deploy containers and contained all the source code used to run its website.

“Aeroflot is one of the biggest companies in Russia in a highly regulated industry, and so it has invested a lot in securing its website as a primary customer-facing platform,” he said. “But they totally forgot to secure their development environment, giving potential attackers insights into vulnerabilities they could exploit, which is a prime example of an often-overlooked area where security and development have to meet, but often do not.”

Container security

The focus is on the business and development benefits of Docker for building, distributing and running containers and the Kubernetes container orchestration system, said Balaganski. “But container security is an area that has to be addressed urgently,” he added.

“There are companies offering fully managed container platforms, but you don’t hear much about container security from these suppliers. I don’t see any out-of-the-box solutions, but it has to be addressed.”

One area that does appear to be getting attention is application program interface (API) security, said Balaganski.

“As recently as three and a half year ago, although there were dozens of API management suppliers, there was only a single company claiming to be an API security supplier,” he said. “But that has changed in the past two and a half years, and there are now at least five, which is a positive development.”

However, security leaders need to pay more attention to the topic. According to Balaganski, even though a large proportion of organisations’ websites are API-based, relatively few see the need for API security, relying instead on traditional web application firewalls (WAFs).

“This is a problem because there are so many API-specific threats out there, and APIs are becoming the most-used customer-facing channel and the primary source of revenue,” he said. “So if the API were compromised, it would not only mean downtime, it could also lead to massive data breaches and data protection compliance violations.”

API security

In this context, said Balaganski, security leaders need to recognise that the days of relying only on a WAF are over and that they need to follow the example of banks by investing in API security as websites become increasingly API-centric, especially companies that depend on APIs, such as Netflix and Uber.

The importance of container security and API security is underlined by the increased use of a microservices architecture, said Balaganski.

“Microservices basically boil down to containers plus APIs,” he said. “The containers are the infrastructure and APIs are the outward-facing interfaces, so microservices security is about focusing on containers and APIs.”

Security leaders need to take an approach that ensures the consistency, availability, compliance and security of data, said Balaganski.

“It is important not to focus on containers, APIs, microservices and data in isolation, but to include all of them in the security strategy, as well as all their interdependencies and interconnections,” he said.

Balaganski will discuss these topics in more detail in a session entitled Containers, Microservices, APIs: The Latest DevOps Security Trends at the Cybersecurity Leadership Summit 2018 Europe in Berlin from 12 to 14 November.

Next Steps

Apiiro wins RSA Conference Innovation Sandbox Contest

Read more on Application security and coding requirements

Data Center
Data Management