As organizations look towards DevSecOps as a way to infuse security throughout the software development life cycle while at the same time accelerating releases, more parts of the business share responsibility for security. However, it’s still the security side that’s on the hook when a major breach happens.
“People like to say that everyone owns security now and that everyone is responsible, but in the end they will blame security,” said Eitan Worcel, the AppScan product manager at HCL Software.
The security side encompasses the CISO, the traditional security architects, network security teams and application security teams that are in charge of overall security procedures and cloud-security posture management tools.
Within the organizations that are enacting DevSecOps, the security team no longer has the mandate to block software from going into production due to today’s quick iterations. As a result, security teams now have to engage more with developers and the business side to get them up to speed on security standards and practices, and to work together with them on what tooling and knowledge can be implemented to secure the process as much as possible.
“Security should have the last say, but security also needs to understand that they need to partner with the developers and everyone and that they’re not a street cop anymore,” Worcel added.
Today, the role of the CISO has greatly expanded and has come under greater oversight from regulators, executive teams and boards of directors, and that has put greater pressure on the information security function to be more agile and flexible than ever before. A Gartner survey “CISO Effectiveness: A Report on the Behaviors and Mindsets That Impact CISO Effectiveness,” conducted last September, found that only 12% of CISOs are considered highly effective.
These key challenges that organizations are facing were compounded as a result of the pandemic, which shifted workspaces and workloads off of traditional networks, leading to endpoint diversity and a shifting attack environment. Ransomware attacks — such as the recent attack on the Colonial Pipeline in May — and business email compromises have become particularly worrisome.
Security personnel hard to find
Organizations looking to strengthen their security tactics soon discover that finding the right security personnel is not easy.
“Eighty percent of organizations tell us they have a hard time finding and hiring security professionals and seventy-one percent say it’s impacting their ability to deliver security projects within their organizations,” Peter Firstbrook, the research vice president at Gartner, said at the Gartner Security & Risk Management Summit, which took place in March.
Organizations now recognize how integral security is to their risk management along with regulatory compliance.
Some have even decided to manage security all the way at the top and are beginning to create a dedicated cybersecurity committee at the board level that’s spearheaded by a board member or third-party consultant.
Gartner predicts in its 2021 Board of Directors Survey that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee, as opposed to the mere 10% that have one today.
Communicating about security
Currently, there are many tools and methodologies that security teams and developers can use to encourage communication between one another to make applications more secure.
The security architects first need to step back and look at the overall approach and figure out what kind of security requirements are appropriate for this application, what sort of role it plays in the organization and whether it’s sensitive or not, according to Dale Gardner, a senior director and analyst at Gartner.
“You can do things like threat modeling, risk assessments to decide what sort of security requirements are appropriate. You might decide that some sort of authentication and access control was appropriate or some kind of a web application firewall or some other protection is needed,” Gardner explained. “So there’s a lot of valuable information that comes out of that that helps get you a good foundation for building a secure application.”
Security teams can also mentor a security champion — often a developer who shows interest in security and can serve as a conduit for delivering security best practices to the development side, and for relaying developers’ needs back to security.
Another way to bring developers up to speed on security training is by providing “bite-sized” continuous targeted training on a given task within their work environments, according to Robert Haynes, open source and SCA evangelist at Checkmarx.
“If this team has logged a few of these particular problems with security, whether that’s input validation or whatever the secure coding practice they may be struggling with may be, I want to be able to deliver targeted, reasonably short training sessions for them so that they can go at their own pace,” Haynes said.
It’s important to provide developers with the most up-to-date knowledge because they’re constantly gaining more influence over what is being done and are taking on more responsibilities. Full-stack developers and those writing infrastructure as code are taking on more responsibility for what gets shipped, be it a Kubernetes YAML file, a CloudFormation template or Terraform configuration, any of which can present huge vulnerabilities for the organization, Haynes added.
In addition to the developer side, the business side of an organization needs to be included at the security level so that it understands what the application is doing, what value it delivers, and what risk it poses to the organization.
“If the developers are working on an application that deals with customer information, credit cards and it’s up in production and everyone has access to it, it’s a big risk to the organization and the business owner should have the power to prioritize and say that there shouldn’t be any vulnerabilities here,” HCL’s Worcel said.
One of the major challenges between the security and developer sides is figuring out which vulnerabilities need to be addressed first, and this is where tooling can come in to streamline the process and help developers prioritize the most serious vulnerabilities.
“I’ve seen pushback from developers that security is just another thing being lumped at my feet but also, I’ve never met a developer who didn’t want to make good software,” Checkmarx’s Haynes said. “At the end of the process, they get some sort of spreadsheet back from a security team with lots and lots of red pen on it and half the time, the things that have been highlighted aren’t really relevant or correct. Then they’re kind of in a hard place, but if you give them the experience, if you give them tools that they can use as part of the software build process that give them fast feedback and you can give them some easy-to-consume training, then developers are more than happy to build secure software.”
Avoiding tool sprawl
Organizations need to make sure that they correctly define what problems they aim to solve with a tool to know what to look for. Vendors sometimes force companies to use the tool that they offer rather than trying to fit it to the use case that the company has, according to HCL’s Worcel.
With increased complexity and increasing attack surfaces for applications, it’s easy to get mixed up in a tool sprawl, which is why another major trend in the security field is tool consolidation to “solve as many problems as possible with as few tools as possible,” Checkmarx’s Haynes said. Teams are looking for consolidated tooling that they can fit to their particular use case and can access through a unified platform.
The consolidation trend continues with the expansion of interactive application security testing (IAST) tools, which help get rid of redundancies and the flood of alerts that static or dynamic testing tools are guilty of.
“When I’m using static analysis, for example, we find X amount of issues, and then when I add dynamic, I will add another Y amount of issues. And now I have X plus Y issues where I couldn’t even handle half of X. What we are doing now is called auto-correlation, whereby the fact that you are adding interactive application security testing, we are able to consolidate issues that were found in different technologies,” HCL’s Worcel said. “This reduces the amount of work that the developer needs to do, reduces the amount of work that has issues that they need to triage and to fix because we can merge them.”
Another major trend in the security tooling space is the expansion of software composition analysis (SCA) tooling, which automates the visibility into open-source software for the purpose of risk management, security and license compliance.
While using open-source code can speed up many processes within an organization, it can also introduce severe security risks.
“A vulnerability that you have in a third-party component is probably the worst vulnerability that you may have. It’s usually reported with a guidebook for the hacker on what to do in order to hack it. At the same time, there’s a problem with the tooling, because it will report that you have a vulnerable component, but that doesn’t necessarily mean that you are vulnerable to it,” Worcel said. “Developers are not happy with a tool that tells them, ‘Hey, you need to replace those 20 components.’”
SCA tooling can report on whether the vulnerable sections of a component are actually reachable, and thus exploitable, once the component is built into the application. It can then coordinate with static application security testing (SAST) or IAST to help security teams and developers get visibility into the data flow at their organizations.
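The distinction drawn above, between a vulnerable component being present and its vulnerable code being reachable, as an added illustration that is not code from the article or from any vendor’s SCA product. The component names, versions, advisory IDs and call graph are all constructed placeholders; a real tool would derive the inventory from a lock file or SBOM and the call graph from the build.

```python
# Added example (not the article's or any vendor's code); all names,
# versions and advisory IDs below are constructed placeholders.
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: tuple         # versions strictly below this are affected
    vulnerable_symbol: str  # the function the advisory concerns

# Constructed SBOM-style inventory: component -> installed version
INVENTORY = {"imgparse": (1, 2, 0), "yamlkit": (3, 0, 1), "fastlog": (0, 9, 4)}
# Constructed advisories (placeholder IDs, not real CVEs)
ADVISORIES = {
    "ADV-0001": Advisory("imgparse", (1, 3, 0), "imgparse.decode_tiff"),
    "ADV-0002": Advisory("yamlkit", (3, 1, 0), "yamlkit.load_unsafe"),
    "ADV-0003": Advisory("fastlog", (1, 0, 0), "fastlog.format_remote"),
}
# Constructed call graph of the application: caller -> callees
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.read_config"],
    "app.handle_upload": ["imgparse.decode_png"],
    "app.read_config": ["yamlkit.load_unsafe"],
}

def present_advisories(inventory, advisories):
    """Stage 1, what a naive SCA report lists: every advisory whose
    component is installed at an affected version."""
    return {aid for aid, adv in advisories.items()
            if adv.component in inventory
            and inventory[adv.component] < adv.fixed_in}

def reachable_symbols(call_graph, entry):
    """Breadth-first walk over the call graph from the entry point."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def triage(inventory, advisories, call_graph, entry="app.main"):
    """Stage 2: separate advisories whose vulnerable function the app can
    reach (fix first) from those merely present (track, lower priority)."""
    present = present_advisories(inventory, advisories)
    reach = reachable_symbols(call_graph, entry)
    hit = {a for a in present if advisories[a].vulnerable_symbol in reach}
    return {"reachable": sorted(hit), "present_only": sorted(present - hit)}
```

On the constructed data, the naive report flags all three components, while reachability analysis narrows the must-fix list to the one advisory whose function the application actually calls.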