igor - Fotolia

Firms need to move from DevOps to DevSecOps, says expert

In the face of competition, organisations are turning to DevOps to improve efficiency and accelerate innovation, but this is creating new security risks, an industry expert warns

DevOps delivers proven benefits in terms of business agility, but it can also create new security risks and revive old ones, according to a DevOps specialist.

Risk is the result of organisations failing to train or develop staff adequately to implement best practice in security, said Elizabeth Lawler, vice-president of DevOps security at CyberArk.

“This failure leaves organisations vulnerable to both internal and external threats,” she told Computer Weekly.

At a time when managing their security portfolio effectively is crucial, said Lawler, many organisations are unwittingly introducing vulnerabilities in pursuit of rapid innovation.

In view of the data breach at Uber and other high-profile organisations that came to light in 2017, there are three DevOps security trends that should be on the radar of every organisation, she said.

1. The Uber breach was just the beginning

The Uber breach was an example of how the personal data of 57 million customers can be exposed because developers used a workaround to manage credentials in a software repository, said Lawler.

“This gave hackers access to their privileged accounts,” she said. “Those developers aren’t alone, and this is a peek behind the curtain of a common practice among developers. There is no obvious way to collaborate securely across tools.”

Organisations generally fail to make security easy for DevOps practitioners, said Lawler, and that creates opportunity for failure. “By their very nature, developers aren’t security practitioners,” she added. “They are responsible for features and functionality, not figuring out how to manage credential collaboration and security for those key assets.”

This leaves a gap in an organisation’s risk assessments, which is underlined by CyberArk research that found most organisations could not identify all the places where credentials were stored.

The research report found that 73% of organisations had no strategy at all to address privileged account security for DevOps. “This is quite alarming,” said Lawler. “There is an obvious failure in the developer user experience, which means we will continue to see breaches similar to Uber’s in 2018 and beyond.

“Companies ask developers to manage security assets when it is beyond their core job function and they have little experience in doing so. The future will be in automation for making security more seamless, and that means making security part of developers’ native experience.”

According to Lawler, new research suggests Uber might not be alone in trying to hide the breach from its customers. “Our research found that 50% of organisations did not fully inform customers when their personal data was compromised in a cyber attack,” she said. “Alarming, yes; surprising, maybe not so much.”

2. DevOps security is a full-time job

Organisations are turning to DevOps workflows to achieve transformative velocity and innovation, but Lawler said they are not prepared or staffed to manage the security of these environments.

“We will see a critical talent gap of DevSecOps practitioners as business leaders increasingly prioritise cyber security,” she said. “Many organisations simply task the same DevOps practitioners – often with no security experience – to protect these environments, in addition to the numerous other responsibilities they have to deliver. But that is no longer sufficient, especially considering the increasing threat surface in DevOps workflows and the associated risks in managing the scripts, platforms and systems used in automated workflows.”

DevSecOps practitioners are in high demand, and Lawler predicted that they will be even more difficult to find in 2018 as organisations realise they have the right tools but not necessarily the right people to manage them. “Security will become a full-time job focused on DevOps workflows, and there will be few practitioners to fill that role available in the market,” she said.

3. Least privilege in DevOps will get a facelift

Organisations are starting to understand that “identity” has not been addressed in the full enterprise stack, said Lawler, because there is no common standard for machine identity, access control and management, or audit across a multiplicity of platform components.

“Organisations are only as safe as their weakest link,” she said. “The weak link could be a VM [virtual machine], container or any of the dozens of platform layers that now exist across the network. As these matrixes expand, they become substantially harder to control.”

According to Lawler, there needs to be a stronger definition of machine identity in highly automated systems that carry increasingly sensitive data. “Soon, we will start to see a meaningful application of the concepts formerly used in human access management applied to machines,” she said.

By forcing the DevOps team to consider who or what is asking for access to what, Lawler believes organisations can follow security best practices and limit what machines are doing, without compromising operations.

Read more about DevSecOps

“This will enable true accountability for the security posture of DevOps environments,” she said. “The process of continuous delivery of least privilege in DevSecOps can finally become a reality.”

Lawler added that ultimately, it is important to understand that DevOps practitioners do not have a full picture view of security.

According to Lawler, DevOps teams mainly think about software vulnerability and patch management as the “scope of their security function”, which is evidenced by the fact that most use security tools such as Terraform and Ansible.

“But these tools are only looking at patches and vulnerabilities, not access control and privilege associated with their access to tier zero assets,” she said. “Secrets management is simply not on their radar.”

DevOps failed to prevent the Uber breach because, said Lawler, the “security tool” that was ultimately compromised was the source of the breach. “The rest of the toolchain has the same problem,” she added. “Think about it – I phish one DevOps tool, and I own your systems.”

Lawler said it is time to either bring in the security teams to help secure organisations’ toolchain or to start thinking like an attacker. “This means that IT, DevOps and security teams must come together to better understand the immediate threat from hackers, future trends and the gaps in their security policies,” she said. “Only then can they build a strategy to effectively protect themselves against threats.”

Read more on Hackers and cybercrime prevention