- Security demands organizations create a dynamic, disciplined and risk-based approach to application development, which challenges the central goal of DevOps — move quickly from developers to end users, said Dale Gardner, research director at Gartner, while speaking during the virtual Gartner 2020 Security & Risk Management Summit Monday.
- The approach needs developers and security to "look at things as dispassionately as possible," but it requires an often deep-rooted change in culture, said Gardner.
- During testing, application security pauses the phases of development — requirements, design, build, test, release and support. But DevSecOps should strive for faster feedback, according to Gardner. By waiting, more data and feedback is generated and not attended to.
Traditionally, most testing occurs at the very end of the development process. There are some cases where "given the nature of the testing tool, that's actually the most effective place for that testing to happen," but swiftly returning quantified results to developers is still vital.
While companies might not yet be at that point, it's the future of DevOps. DevOps is "going to break application security," said Gardner. "And to be honest, I think that's a good thing."
Application security teams "tend to approach test results from the view [of], 'we need to fix everything.' And that can be difficult to do even in more traditional development environments," said Gardner. But that all-or-nothing approach "really throws sand in the gears of DevOps efforts."
Instead, security teams need to prioritize the most critical vulnerabilities, leaving other flaws for later iterations.
While there are tools to simplify tasks, in some cases organizations don't have the support from management to engage in a continuous feedback loop. But "if you're here, it's a barrier you have to get past," otherwise finding a balance between development and security is even more challenging.
"If I had one piece of advice to give you that would help improve application security, it would be to move application security activities as close as possible to developers and do it in a way that makes it easy for them to consume," said Gardner. If security can leverage a trouble ticketing system, where developers can easily find testing results, the less likely application security will fail.
Central in a trusted app development process is monitoring and analytics, propelling continuous improvement and deployment. DevSecOps has to navigate an endless feedback loop characterized by:
While feeding into:
Each side of development should seamlessly blend into one another through releases and adaptations of the products.
A secure design starts with outlining security requirements, threat modeling and open-source software governance. Verification needs an analysis of open-source code, and binary or protocol fuzzing, according to Gartner. External security measures take into account containers and infrastructure. And finally monitoring speaks to incident analyses.
During the monitoring process, the task becomes unifying DevOps with vulnerability assessment in physical environments. But problems in virtual infrastructure "brings us to the concept of immutable infrastructure," or going "all the way back into development" to fix and rebuild the whole application, said Gardner.
"Since we're working entirely with code, it's relatively easy to do this. And more importantly, we ensure that what we built and tested in development is what actually gets deployed into the production environment," said Gardner.