In some companies, security teams make it impossible for DevOps to deliver any new code until they fix the security issues in it
Chief information security officers (CISOs) are under growing pressures to find ways to overcome the consistent barrage of new cyberthreats.
Part of the strain locally is being driven by the introduction of new government policies, such as open banking. When it’s phased in from July 2019, the way banks handle customer data and how they approach security and privacy will be scrutinised by the public.
The increased expectation from customers across all industries to access secure and convenient services at their fingertips has given rise to an application development boom within organisations. And managing the fast-paced and ideas-driven DevOps community is one area of business that CISOs collectively find challenging, particularly when it comes to setting and enforcing secure systems and safe practices.
A relatively new discipline propelled by speed and ingenuity, DevOps emerged without in-built security. Furthermore, those in DevOps tend to push back on security requests due to the belief that such controls will limit their ability to innovate quickly.
However, without securing the development pipeline, the risks are high. In fact, CISOs need to rethink their approach to securing DevOps.
As Khadir Fayaz, vice president of global security strategy, engineering and architecture, at Pearson puts it, “All it takes is one developer making an error to result in access keys being checked into code repositories.”
DevOps tools can be compromised to take over applications or an organisation’s entire cloud network.
An example of this was when the details of 50,000 drivers of ride-sharing service Uber were stolen after hackers accessed a private GitHub repository used by Uber software engineers, extracting valid credentials. These credentials provided access to an Amazon Web Service (AWS) account containing the data which was stolen.
A recent study from researchers at North Carolina State University revealed that over 100,000 GitHub repositories contain exposed authentication secrets, including 85,311 unique Google API keys, 37,781 unique RSA Private Keys and 47,814 unique Google OAuth IDs. The researchers also found that thousands more repositories are leaking new, unique secrets every day.
To combat the challenge, CISOs must tailor their management approach to the specific needs of the DevOps community. Reshaping how security policies and procedures are enforced, to limit and modify each user’s access to DevOps tools and applications, will demonstrate to developers how restricting access to privileged credentials can help protect an organisation from malicious attacks.
Showing - instead of telling - the DevOps community why managing secrets and privileged credentials is important, and how the practice can be successfully built into application development, helps demystify any misconceptions about security.
“Instead of having developers look at policies, standards and frameworks to figure out what they should do, build consumable security components that are easily adopted. Think in terms of, ‘How do I allow my developers to do the right thing without stifling this agility?’” suggests Fred Gibbins, senior vice president and chief information security oOfficer at American Express.
CISOs should never be complacent
One example of this is breaking the build, a strategy that has been used by companies like Starbucks. With this approach, security teams make it impossible for DevOps to deliver any new code until they fix the security issues in it. This ensures risk scoring is built into automation tools, so that if the risk exceeds a certain threshold, the build automatically breaks, and developers need to fix it before they can deliver.
CISOs’ that tailor their approach to help DevOps teams understand the need for security by design illustrate their understanding of the DevOps space, how the community works, and what their needs are. CISOs who have made this step have expanded traditional security programs, such as monitoring privileged access across the tool chain, to the DevOps community with little protest.
At the same time, transitioning to an attacking mindset will ensure CISOs are more likely to be able to detect an incident or potential incident before it happens. This proactive approach to security, however, requires a shift from legacy approaches to security.
In the past, CISOs have held a reactive mentality towards security, relying heavily on people being compliant to certain policy documents and having a centralised security management system for all company secrets and credentials.
Introducing security by design and encouraging the cross pollination of security and DevOps teams, should help to remove any feeling that security is authoritarian and instead foster a collaborative partnership between the two.
There a few ways to do this. Setting up a centre of excellence or engineering council with developers and security members who are responsible for selecting and configuring tools, enhancing the developer experience, and promoting good engineering practices is one way.
Another is appointing security champions or community leaders to serve as resources to drive the implementation of practices across the company.
“If the overall culture doesn’t allow security to be partners with DevOps environment, security runs the risk of being a ‘check the box’ compliance exercise. Security awareness also has to be embedded in the company’s culture – especially with DevOps team members,” says Dawn Cappelli, vice president and chief information security officer at Rockwell Automation.
Getting the challenge of integrating a security mindset into DevOps practices right will become even more important as new markets of IT such as the Internet of Things spin up. Using their approach to DevOps security as a standard in the new era, CISOs will not only have to understand new technologies but also modify their method to managing security protocols and safe practices.
CISOs should never be complacent. Continual reviews of policies and governance will keep organisations on high alert about new and potential attacks.
Andrew Slavkovic is solutions engineering manager ANZ at CyberArk
Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.