DevSecOps deals with ever-changing cloud-native tech, but its fundamental challenges remain the same as a new year approaches. What's different now is the unprecedented level of urgency and scrutiny the discipline now draws.
DevSecOps has been a hot topic in Agile and DevOps circles for at least three years, but enterprises have yet to catch up with attackers' techniques, let alone begin to proactively prevent breaches. COVID-19 has complicated SecOps issues, and IT pros in highly regulated industries also struggle to align DevSecOps tools with broader IT governance and business risk management systems.
These trends have only worsened despite growing awareness and attempts to reverse them. For years, enterprise spending on IT security has grown rapidly, but so has the number of attacks and breaches. Cybersecurity spending slowed this year as a result of the COVID-19 pandemic, according to Gartner. But it is still expected to reach $123.8 billion by the end of 2020, an increase of 2.4% over 2019. Still, during the first half of 2020 alone, security threat hunting service CrowdStrike detected 41,000 potential intrusions, compared to the 35,000 it recorded for all of 2019.
Now, DevSecOps is receiving new attention -- and with it, pressure from corporate executives, according to a panel of speakers on a recent webinar called "Cyber Risk & The C-Suite: CFO, CIO, and Academic Perspectives."
"For the first time in my career, our board and ownership of our company has taken a more aggressive, almost agitated [stance] on cybersecurity," said Donald Rowley, CIO at ATX Networks Corp., an internet equipment manufacturer based in Ontario, during the webinar. "In the past, it's been common for us to need to push security upwards … [but now] it's being driven from the top."
Company leaders are performing their own cybersecurity analysis on ATX and other companies in their portfolio and have hired an outside consulting firm to assess the company's security posture, Rowley said. This will have major ramifications for his team's IT operating plan for 2021 and beyond, he said, though the specifics remained unknown at the time of the webinar.
"You think you're prepared for that moment when the board takes interest," Rowley said. "But I'm not going to lie, there's a little moment of panic of, 'Have we really laid it out accurately for a new set of eyes to focus on?'"
Tech change still vastly outpaces org change
Meanwhile, IT pros are still unsure how legacy enterprises will keep up with the dizzying pace of change in cloud-native tech, even with increased executive support.
Old methods of employee training and education won't work in this era any more than outdated IT security tools, said Michael Lieberman, senior innovation engineer at Mitsubishi UFJ Financial Group (MUFG), a bank based in Tokyo.
"Because things are moving so fast, it's really about getting the right sorts of engineers, who are willing to constantly be learning about new tools and technologies," he said. "If you train on one thing today, tomorrow there'll be 12 more things that came out for it that you need to understand."
Among software developers, however, interest in furthering security knowledge is low. The Linux Foundation's 2020 FOSS Contributor Survey found that respondents spend only about 2% of their contribution time responding to security issues, and don't plan to increase that commitment.
But with increasing enterprise use of open source software has come consensus that upstream collaboration will advance DevSecOps more quickly than forcing developers to be security experts. The Linux Foundation FOSS survey report suggests, among other measures, community-funded security audits for codebases that produce specific, mergeable changes.
Enterprise open source experts also hope to see tools emerge upstream for manifest-based container security.
There are forensic tools available from vendors such as Synopsys that scan container images to reveal their contents, but the ideal would be a built-in way for software developers to list -- and ideally, digitally sign -- what's included in a container image, according to Kevin Fleming, who oversees research and development teams in the office of the CTO at Bloomberg, a global finance, media and tech company based in New York.
"While it's nice to have a scanning-based workflow, it's much nicer to have the provider of the image tell you what's in the image in some way that you can validate," Fleming said. "That's going to have to be a big area [of focus] next year."
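To make the manifest-based idea concrete, here is an added example (not Bloomberg's, Synopsys's or any vendor's code) of what "the provider tells you what's in the image in a way you can validate" looks like in practice. It treats an unpacked image filesystem as a directory, records the SHA-256 digest of every file in a manifest, signs the canonical manifest bytes, and then lets a consumer check both that the manifest is authentic and that the image on disk matches it. The sample rootfs, the shared key and the `example-image-manifest/v1` schema name are constructed for the demo; the HMAC is a dependency-free stand-in for the asymmetric signature a real provider would publish.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Walk an unpacked image filesystem and record the SHA-256 of every regular file.

    Paths are stored relative to root with '/' separators so the manifest is portable.
    """
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            entries[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    # Schema name is a constructed label for this example, not a real standard.
    return {"schema": "example-image-manifest/v1", "files": entries}


def canonical_bytes(manifest: dict) -> bytes:
    # Deterministic serialization (sorted keys, fixed separators) so the signer and
    # the verifier hash exactly the same bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    # HMAC-SHA256 is used here as a dependency-free stand-in for an asymmetric
    # signature; a real provider would publish a public-key signature instead.
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_image(root: Path, manifest: dict, signature: str, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the image matches its signed manifest."""
    expected_sig = sign_manifest(manifest, key)
    # Check authenticity first: a manifest that fails verification proves nothing.
    if not hmac.compare_digest(expected_sig, signature):
        return ["manifest signature invalid"]
    actual = build_manifest(root)["files"]
    declared = manifest["files"]
    problems = []
    for rel in sorted(set(actual) | set(declared)):
        if rel not in declared:
            problems.append(f"undeclared file: {rel}")
        elif rel not in actual:
            problems.append(f"missing file: {rel}")
        elif actual[rel] != declared[rel]:
            problems.append(f"digest mismatch: {rel}")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Constructed scenario: a tiny fake rootfs is signed by the provider, then tampered with."""
    key = b"example-shared-key-not-for-production"  # constructed demo key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "etc").mkdir()
        (root / "etc" / "config").write_text("debug=false\n")

        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_image(root, manifest, sig, key)

        # Tamper with the image contents: modify a declared file and add an undeclared one.
        (root / "etc" / "config").write_text("debug=true\n")
        (root / "bin" / "extra").write_bytes(b"...")
        tampered = verify_image(root, manifest, sig, key)

        # Tamper with the manifest itself to "declare" the extra file: the signature must fail.
        forged = json.loads(json.dumps(manifest))
        forged["files"]["bin/extra"] = hashlib.sha256(b"...").hexdigest()
        forged_result = verify_image(root, forged, sig, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "OK")
```

The order of the checks matters: the manifest's signature is verified before any file digest is compared, because a manifest that an attacker could rewrite would simply be edited to match whatever was added to the image. Running `demo()` shows the clean image verifying with no findings, the tampered image reporting the undeclared file and the digest mismatch, and the forged manifest being rejected outright.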
Elsewhere, the open source community has opportunities to fill gaps in software supply chain security in the wake of this year's SolarWinds attack, and in IT governance systems integration with DevSecOps tools through projects such as OSCAL.
DevSecOps vs human nature
While DevSecOps in 2021 and beyond will require new tools, the most common cyber attacks are relatively unsophisticated, and don't directly target a company's IT systems or staff, which presents an even more vexing set of challenges.
"Despite all the other things that we do … from a risk standpoint, people still tend to be the biggest factor," Rowley said in the webinar.
"We've actually seen an increase this year in near-responses or near-bites, if you will, on phishing attacks," Rowley said. "We've actually cut a couple of those off that were 70, 80, 90% of the way down the path -- there's clearly a need for additional education in our workforce, and that's … part of our operational plan for 2021."
As corporate upper management increases its cybersecurity focus, employees both inside and outside IT can expect stiffer consequences if they fall for phishing or social engineering ploys, said Jeremy Pullen, director of platform engineering at Vecima Networks, a broadband network equipment maker based in Saskatchewan.
"Companies that I've interacted with that have had a relatively successful approach to preventing social engineering make people afraid enough of the repercussions to keep them on the alert," said Pullen, who also works as a DevSecOps consultant as CEO of Polodis in Atlanta. "That fear is going to drive them into different behaviors, but then you may have a company culture that nobody wants to be a part of in the process."
Other security-conscious companies such as Omada Health have implemented chaos engineering tools as a gentler -- but still effective -- way to train employees to resist phishing attempts.
"We're certainly better at training people now than we were five or 10 years ago, when we thought of security training as a class -- go sit in a room or watch a webinar," said William Dougherty, CISO at the San Francisco-based healthcare provider. "Everybody hates that, and it doesn't work, especially when people are remote and have a webinar open but also have Netflix up in another window and they're just clicking 'next' every 30 seconds."
Instead, Omada attempts to phish its own employees on a monthly basis. If employees click on links in these faux-phishing emails, they get instant feedback and enrollment in a 5- to 15-minute refresher training class.
"Those kinds of training systems are making things better," Dougherty said. "But this ultimately comes down to how many layers of security you have."
In some ways, though technology changes, managing security risks is a practice as old and fundamental as human nature itself, he said.
"The truth is that if you have something valuable to protect, there will always be someone who wants to take it," Dougherty said. "You will always come up with new ways to protect it better, or increase the cost of stealing it, and they will come up with new ways to steal it."