A Security Mindset and DevSecOps Go Hand in Hand

Organizations need to develop a security mindset that encompasses the lifecycle of all their devices, applications, and infrastructure. It’s the only way to effectively combat the prolific, adaptive threats targeting their business. What does it mean to have a security mindset?

It means embedding security into everything you do. When you develop a new app, you must make sure security is built into every aspect of its functionality. When you’re implementing a process, you must consider the security implications of each step and ensure appropriate checks are done to shut down any opportunities for an attacker to take advantage of vulnerabilities. Basically, you need to look at everything you create or do with an eye for security, to ensure it strengthens (or at least maintains) your stance.

Match or exceed the capabilities of attackers.
You need to match (or better yet, exceed) the capabilities of attackers. As they expand their ‘hit list’ to attack the ever-expanding universe of users, services (e.g. public, private, hybrid clouds), and devices (Internet of Things) that make up your environment, you need to add capabilities that allow you to identify and shut down all these attack vectors. As they use increasingly sophisticated tools that can operate autonomously to find and exploit your weaknesses/vulnerabilities, you need to adopt solutions, services and processes that can automate and orchestrate your defenses.

To address this, we have been talking about the importance of implementing a secure cloud architecture that enables you to extend your on-premises security stance to your cloud infrastructure and services. We have also been talking about adding automation to help you keep pace with the fast-changing threat landscape.

It’s why we’ve seen a rise in development operations (DevOps), which brings teams and technologies together to deliver IT services in support of innovation, agility, reliability, and cost-effectiveness. It starts with establishing and applying technologies to achieve a common set of objectives and ensuring the continuous delivery of those IT services.

Ensure security is part of DevOps initiatives.
To truly adopt a security mindset, however, organizations need to ensure security is part of their DevOps initiatives, so security can be applied to everything – all processes, workflows, applications, systems, devices, etc. Given the size and complexity of the environment, the only way to operationalize the security mindset is to adopt DevOps solutions that can be used to automate and orchestrate as much as possible. We call this development security operations (DevSecOps).

Gartner estimates that by 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing for custom code, up from less than 10% in 2016. We are also seeing more specific security services introduced to the market, such as SecureDynamics’ SECHealth for Firewalls, which automates daily, routine administrative tasks to free up critical IT and security resources and enable them to focus on addressing threats in the environment.

The goal of these security services is to ensure the consistent deployment of capabilities and the consistent application of security policies across the environment, which typically consists of a mix of on-premises, virtual and cloud (public, private, hybrid) resources. The more complex and fluid the environment, the more we see customers turn to value-added resellers to help them identify the right solution set and even augment capabilities with managed security services, so they can securely migrate their workloads and effectively manage their ongoing operations. Underlying it all is automation, which enables the operations team to evolve and maintain an ongoing security posture that’s aligned with the business’s changing needs.

Successful “Adaptive Security Architecture” requires DevSecOps.
DevSecOps is an important step towards being able to adopt what Gartner has dubbed an “Adaptive Security Architecture” that can automatically address and eliminate weaknesses throughout the environment to shut down attack vectors and keep business operations and resources safe. Gartner describes this architecture in four phases:

  • Prevent. Blocking “attackers and attack methods before they affect the enterprise.”
  • Detect. Providing “continuous and pervasive monitoring” and using “advanced analytics” to identify advanced threats.
  • Respond. Identifying the root cause and scope of a breach to ensure the full extent of the attack can be remediated.
  • Predict. Learning from events and predicting “potential vulnerabilities, feeding them back into the preventive and detective capabilities to ‘close the loop.’”

We have seen that when these tenets are in action, an organization’s security stance is much stronger. As a result, we expect to see more and more DevSecOps initiatives emerge to enable organizations to create this adaptive, effective security architecture that can defend them from the ever-changing threat landscape they are facing. It’s the only way to truly ingrain the security mindset, which is critical to changing the tide and finally giving organizations an advantage over attackers.