BLACK HAT 23, LAS VEGAS — During his keynote at the Black Hat security conference last Wednesday, Dino Dai Zovi, Staff Security Engineer at Square, challenged the audience to fully immerse themselves in DevOps in order to support today's pace of web- and cloud-based business.
In a sense, security groups have always needed to keep a hand in securely supporting web development, he said. For example, Dino started his career finding and publishing browser and root exploits. All the while, he was also developing APIs and scripts to automatically repair these vulnerabilities and deploy patches across multiple systems.
"Then I went to work for Square in 2014. At Square, security engineers had to write code like other departments," he explained.
Square, an agile company that processes sales transactions for small merchants, has embedded a culture of security across all of its business units, Dino continued. Its IT security teams are tasked with building security into every development stage, establishing security as a transformative change agent rather than a gate at the end.
According to SANS' most recent survey on Secure DevOps, 46 percent of organizations are continuously deploying at least some apps directly into production. Only 56 percent are deploying security at the inception of their development projects.
"A lot of security professionals are scared to support new development because it could open the company to vulnerabilities. This is impractical and can lead to a culture of paralysis," Dino said during his keynote.
To embed security in DevOps, security teams need to start with "yes," he continued, and they should fully understand their business and customer needs before deploying any new process. Security pros should also set up automated feedback loops for improved communication with development teams, he added.
With today's fragmented technology options, getting there may take a while.
Many vendors at Black Hat claimed to automate some or all of their DevSecOps process. At the show, I met with representatives from Virtru, which works with DevOps around data protection and crypto management, and Lacework, which can scan containers and open source components for threats before development and deployment. Other vendors focus on workload management (ticketing, etc.), while still others automate various flavors of the testing processes.
Our SANS survey identified that the top success factor in supporting DevOps is integrating and automating security testing into developer and engineering toolchains and build/deploy workflows. The second-most important success factor was developing security champions in development teams.
The survey ultimately revealed that those who integrated security and testing with the common core DevOps practices (automated builds, testing, configuration management and immutable infrastructure provisioning) also reported more automation for build and deployment stages. These results show that security can go hand in hand with each of these DevOps stages.