I had the opportunity to speak at FOSSASIA Summit 2019, Asia’s premier developer event, which was held from March 14th to 17th this year in Singapore. This year also marked the 10th year anniversary of the summit, and it was an absolute pleasure to be part of the occasion.
In a room with almost 200 developers, programmers, and technologists, I shared my thoughts on Integrating DevOps and Cybersecurity. Similar to my session topic, this post will explore why integrating DevOps and cybersecurity is a business imperative today.
Why DevOps and Cybersecurity?
To succeed in the growing digital economy, organisations need to transform their operations to accommodate the increased market speed, and implementing a DevOps culture and platform is a great place to start. Organisations also need their teams to be able to respond to business needs swiftly. Bringing together development (Dev) and IT operations (Ops), as well as a platform that enables developers to deploy the code they build, improves business scalability and innovation. It also facilitates greater collaboration, communication and joint responsibility for the success of software delivery.
In recent years, however, the risk landscape has changed drastically. Cyberattacks are rising in frequency, complexity, and impact as attackers take advantage of security risks to infiltrate enterprise infrastructure. As such, more organisations are amending their business priorities to include cybersecurity strategies. According to IDC’s Worldwide Semiannual Security Spending Guide, worldwide spending on security-related hardware, software and services is estimated to reach $103.1 billion in 2019, an increase of 9.4% from 2017.
Given the scale and velocity of today’s threat landscape, organisations can no longer depend on purely reactive approaches to cybersecurity. They will need to take a ‘secure by default’ posture, integrating cybersecurity right from the start. To balance technology and risk reduction, organisations must consider a DevSecOps strategy (this hot new buzzword is really just about combining DevOps with cloud-native security principles) due to its proven effectiveness.
Metrics to Measure Your Cloud-Native Security
A successful DevOps strategy comprises several characteristics which impact the culture, process, and tooling in an organisation; the same applies to any DevSecOps methodology that organisations are adopting.
By making security intrinsic across all processes, the DevOps and security teams will need to work even closer than before. However, it’s a challenge for security teams to avoid becoming a bottleneck. Security methods have to keep up as businesses become more agile and want to reduce the time-to-market of new products and features.
To successfully adopt DevSecOps methodologies, organisations will need to create a culture that fosters cross-team collaborations and innovation. As with other new processes, organisations will need to introduce outcomes and metrics that are focused on security to ensure all teams are aligned. These can be:
1. Security Flow: Improve velocity to fix problems faster
- Time to Patch Servers
- Time to Detect / Time to Exploit
- Release Efficiency (time spent on coding vs testing)
- Accuracy of Test Suites (number of False Positives / False Negatives)
2. Resilience: Improve your capacity to respond and recover
- Mean Time to Recovery
- Time Since Last Rebuild
3. Risk Reduction: Reduce the risk that matters at the source
- Percentage of Code Covered by Tests (TDD)
- Time Since Last Patch
- Time Since Last Rotation of Certificates / Passwords
- Number of Threat Scenarios / Abuser Cases identified and tested
- Number of Human Modifications in Production
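Several of the metrics above can be derived mechanically from the events a CI/CD or change-management system already records. The following is an added example, not code from the original post: it computes mean time to patch, mean time to recovery, days since the last certificate rotation and the count of human modifications in production from a constructed event log (the event schema, the host/incident names and the "ci-pipeline" automation actor are all assumptions for illustration).

```python
from datetime import datetime
from statistics import mean

# Constructed sample events (not from the post): one record per
# security-relevant event, as a pipeline or change system might export them.
EVENTS = [
    {"type": "patch_available", "host": "web-1", "at": "2019-03-01T09:00"},
    {"type": "patch_applied",   "host": "web-1", "at": "2019-03-02T15:00"},
    {"type": "patch_available", "host": "web-2", "at": "2019-03-01T09:00"},
    {"type": "patch_applied",   "host": "web-2", "at": "2019-03-05T09:00"},
    {"type": "incident_open",   "id": "inc-1",   "at": "2019-03-03T10:00"},
    {"type": "incident_closed", "id": "inc-1",   "at": "2019-03-03T14:00"},
    {"type": "incident_open",   "id": "inc-2",   "at": "2019-03-06T08:00"},
    {"type": "incident_closed", "id": "inc-2",   "at": "2019-03-06T10:00"},
    {"type": "cert_rotated",    "at": "2019-02-01T00:00"},
    {"type": "prod_change",     "actor": "ci-pipeline", "at": "2019-03-04T12:00"},
    {"type": "prod_change",     "actor": "alice",       "at": "2019-03-04T18:00"},
    {"type": "prod_change",     "actor": "bob",         "at": "2019-03-07T11:00"},
]
# Assumption: only this actor is automation; any other actor is a human.
AUTOMATION_ACTORS = {"ci-pipeline"}


def _ts(s):
    return datetime.fromisoformat(s)


def _durations_hours(events, start, end, key):
    """Hours between each `start` event and its matching `end` event (paired by `key`)."""
    opened = {e[key]: _ts(e["at"]) for e in events if e["type"] == start}
    return [(_ts(e["at"]) - opened[e[key]]).total_seconds() / 3600
            for e in events if e["type"] == end and e[key] in opened]


def mean_time_to_patch_hours(events=EVENTS):
    return mean(_durations_hours(events, "patch_available", "patch_applied", "host"))


def mean_time_to_recovery_hours(events=EVENTS):
    return mean(_durations_hours(events, "incident_open", "incident_closed", "id"))


def days_since_last_rotation(now_iso, events=EVENTS):
    last = max(_ts(e["at"]) for e in events if e["type"] == "cert_rotated")
    return (_ts(now_iso) - last).days


def human_prod_changes(events=EVENTS):
    # A high count here means the platform is being changed outside the pipeline.
    return sum(1 for e in events
               if e["type"] == "prod_change" and e["actor"] not in AUTOMATION_ACTORS)
```

Tracking these numbers per release turns the list above into a trend a team can act on rather than a one-off audit.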
Security Cannot be an Afterthought
By approaching security in an outcome-driven manner, organisations can determine the metrics they would like to improve. This will in turn shape how organisations plan out their processes. Some questions your team might want to ask include: Do we need more automation? Do we need more upfront testing? Are we trying to improve compliance?
Without clearly-defined outcomes and metrics, results achieved by the teams can become subjective and teams may be misaligned on the goals that they should be collectively working towards. And the safety of a business and its customer data cannot afford to be needlessly unclear or at-risk.
Culture plays a vital role in helping organisations successfully adopt DevSecOps methodologies and become Agile. As with DevOps, where developers and operations work closely together, security should not be siloed either; it should be everyone’s responsibility. Having a common, collaborative mindset across teams will break down barriers and support the agility that the core business and the modern threat environment demand.
Want to hear about some real-world examples of modern security? Watch a replay of this conversation that discusses application development code security in pre-production as well as runtime security at scale.