Many organizations realize their DevOps tools and practices do not sufficiently account for security. The most forward-thinking teams want to take a “shift-left” approach to their security practices, engaging security practices and testing as early as possible in the software development life cycle This is known as “security as code”.
What is “security as code”?
“Security as code” is the constant implementation of systematic and widely communicated security practices throughout the entire software development life cycle. The goal of this strategy is to streamline the rollout of new software and avoid last-minute vulnerability fixes — or worse, releasing vulnerable software to real users.
At Perform 2021, Rick Stewart, chief software technologist at DLT Solutions, and Willie Hicks, Federal CTO at Dynatrace, explained how the only way to build this culture is for organizations to adopt proactive DevSecOps practices.
The security challenges of DevOps
The purpose and intent of DevSecOps is to build an organizational culture in which everyone is responsible for security with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.
While DevOps processes streamline the software development life cycle and improve time to value for developers and stability for operations, they often bypass security risks.
But an ad-hoc approach to security won’t work with DevOps—it requires coordination and planning. Stewart pointed out a few points organizations should keep in mind as they start integrating security into their DevOps practices:
- Efficiency: Organizations need to reduce costs and manage their resources efficiently. What they don’t need is a big, expensive security overhaul that could spend them out of business.
- Simple and effective collaboration: Teams and departments need to work together to achieve their organization’s goal of achieving DevOps securely.
- Vulnerability management: With more and more services exposed via software, organizations need a way to effectively scan all of the components that make up those services for vulnerabilities.
- Speed: Users won’t give organizations a pass on slow performance just because they’re trying to enhance security. Users in both the private and public sectors are accustomed to immediate services.
DevSecOps taking hold
“To meet those challenges,” Stewart explained, “a holistic approach is required that combines cultural transformation between people, processes, and technology. You need the right people with the requisite skills to use great technology in an efficient process that produces software quickly and securely to meet the organization’s needs.”
DevSecOps delivers this coordination by bringing security and DevOps together to speed up delivery to users with security integrated at every step.
Even so, there are still a few obstacles in the way. In 2016, Gartner revealed that fewer than 20% of enterprise security architects were incorporating infosec into their employer’s DevOps initiatives in a systematic way, the very definition of security as code. In another study that same year, 77% of security professionals told the global research and advisory firm that information security policies and teams are slowing down IT in their organization.
The impact of these statistics is manifold, Stewart explained. First, this uncoordinated approach to application security hinders an organization’s ability to react to market conditions at the speed with which users and citizens expect to be served. This is a problem for private businesses, as they could be outpaced by competitors. But it’s also an issue for public entities, as a loss of public trust could prevent them from fulfilling their missions.
Second, this uncoordinated approach forces security to stand on the proverbial goal line in a reactive position, where it must address threats that could have been caught earlier or prevented altogether. This requires lots of rework that doesn’t just cause a loss of morale for teams trying to deliver services; it also brings a negative impact on schedules and budgets.
How Dynatrace honors security as a first-class citizen
In light of these challenges, organizations need to embrace a security-as-code culture and implement security as early as possible in the development process.
Willie Hicks discussed how Dynatrace Application Security helps organizations adopt a security-as-code approach.
“The first thing to consider is automation,” Hicks said. “We want to automate everything.” The more manual processes are involved, he explained, the more opportunity there is to slow down the pipeline and introduce errors. “Everything needs to be event-driven. Actions and their responses need to be immediate.” Automating processes helps to minimize blind spots and security oversights within massive — and ever-growing — amounts of data.
According to Hicks, Dynatrace brings additional value by enabling developers to stay focused. “We want to prevent context switching for our developers,” he explained. “We don’t want a developer to have to draw up a task to go back and fix a problem that’s slowing down a deployment days or weeks later.” This optimizes productivity and curbs time wasted waiting to repair an issue or vulnerability, which avoids interrupting the developers’ workflow, losing time, and negatively impacting budgets and productivity.
Once organizations streamline the remediation of security issues by flagging, prioritizing, and routing them in real time, developers will no longer have to break focus jumping from one task to another, trying to recall the reasoning behind a programming decision they made days or weeks ago.
“With Dynatrace, we do this automatically,” Hicks noted. “And this is key for developers and for security professionals alike — especially in large, complex environments like your Kubernetes-type environments where you might have hundreds or even thousands of microservices running.”
Security as code in practice
Hicks then demonstrated how a proactive DevSecOps stance works in practice by presenting Dynatrace with a typical DevOps toolchain.
- The Dynatrace platform, which has end-to-end visibility of the full software stack, comes with APIs that allow it to automatically configure test events, such as user load and load testing, and start and stop those tests.
- Dynatrace then gathers intelligence from those tests and reports it to testing tools, such as JMeter or NeoLoad, along with a risk register, which allows security personnel to understand the risk and coordinate their resources to mitigate vulnerabilities.
- All this automatically takes place early in and throughout the development life cycle, thereby giving security personnel the time necessary to ask the right questions and understand how best to respond.
This integrated process saves organizations time and money by enabling them to take care of security issues and ultimately deliver a final product more quickly.
Dynatrace doesn’t stop there. It also facilitates the automated deployment of code, pulls problem details and feeds them into risk registers and other destinations, to remediate problems and other security events. This continuous cycle of observability and automation complements the continuous DevOps feedback loop necessary for building today’s high-performance software.