After a brutal year of cybersecurity attacks, IT professionals have become adamant about limiting their exposure to vulnerabilities in third-party software. The question is “How do you do reduce that risk?” That’s where formally adopting a philosophy called DevSecOps comes in.
DevSecOps is a strategic approach that seeks to eliminate silos between software, security, and operations teams.
When a separate cybersecurity team works outside the boundaries of the mainstream software development cycle, it’s easier for security to become an afterthought. While mandating DevSecOps adoption may not directly boost the bottom line, it does have the power to give your company a competitive advantage by positioning your enterprise as a more reliable and trusted partner than the competition.
Security is Everyone’s Responsibility
Formal adoption of a DevSecOps philosophy ensures your company is perceived as one that views cybersecurity as a shared enterprise responsibility. It helps both internal and external customers understand that if they choose to work with you, they can be assured that security will be incorporated at the inception of the software development cycle where there is the best opportunity to implement zero-trust protections.
While DevSecOps isn’t exactly new, the concept has been slow to take off in part because of organizational and cultural challenges. In most companies, the product and cybersecurity teams are separate, often with competing agendas. The product team designs product without regard to security policies, while the security group promotes policies without the same concern for new functionality or time-to-market urgency. The friction puts the two groups at odds instead of fostering a partnership that bakes security into the product development stage, closing back-door access that attackers can exploit.
Organizations using cloud services are even more susceptible to malicious code that can be used to carry out a ransomware attack. In addition to organizational hurdles, the increasing use of open-source code has made some companies even more vulnerable to ransomware exploits and other cybersecurity risks. To add to the confusion, there is a misperception that security is the responsibility of the cloud provider when in reality, it’s a shared responsibility between the provider and the customer.
Reorienting Your Culture
There are a number of things to consider as you reorient culture and embrace a DevSecOps model. Here are just a few:
1. Make security everyone’s responsibility. The DevSecOps team should serve as a bridge between cybersecurity and product developers and report up to the Chief Technology Officer (CTO) or Chief Product Officer (CPO). The team should be a partnership composed of employees and perhaps even third-party vendors who have the application knowledge, technical skills, and development expertise to address product requirements and review software source code. Consider using some of your formerly dedicated security team members to ensure best practices are being followed.
2. Embrace automation and monitoring. Invest in the resources, skills, and specialized tools to automate as much of the development and testing process as possible. Automating code scanning and critical segments of the continuous integration/continuous delivery (CI/CD) process will ensure consistency while reducing the possibility of human error. DevSecOps practices should include the creation of feedback loops that will allow you to quickly reverse engineer a security vulnerability to learn how it was introduced into code and what its purpose is.
3. Invest in training and awareness. Promote the importance of following cybersecurity best practices by building an enterprise culture where security is prioritized and viewed as a corporate asset instead of an afterthought or burden. Offer corporatewide-training sessions on a regular basis and communicate regularly to boost security awareness. Don’t forget to sign up executive sponsors who can underscore cybersecurity’s connection to the overall health and success of the company.
4. Standardize tools and processes. Formalize a standard IDE and set of automated scanning and monitoring tools to ensure code is consistently monitored for problems and potential blind spots are identified and closed as quickly as possible. With COVID-19 work-from-home mandates, developers may be tempted to work outside their approved integrated development environment (IDE) and make changes from personal laptops or cell phones. Don’t let them.
It’s no surprise that it’s becoming increasingly important for businesses to align themselves with software vendors who follow proven and auditable cybersecurity best practices. Did you know, for example, that Symantec’s threat intelligence report on “The Ransomware Threat” found that targeted ransomware attacks have risen 83% in the last 18 months? Even more alarming is the fact that a small number of prolific threat actors, including Ryuk and Sodinokibi, are responsible for the escalations. Whether you are a software vendor or a software consumer, consider making DevSecOps adoption a priority to reduce the risk of your becoming just one more ransomware statistic.