DevOps is becoming a major force across software development. For various reasons, security can be sidelined until far later in the development process – but there’s also a movement that is putting security rightly where it belongs – at the beginning.
That’s the essence of DevSecOps, which maintains that security by design should be central to any strategy.
Elizabeth Lawler is CyberArk’s vice president of DevOps Security. She was the former CEO of Conjur - a DevOps security startup - before CyberArk acquired the company. She says the two companies made a powerful combination that drew CyberArk closer towards the DevOps space.
Traditionally development and IT teams have been siloed from the rest of an organisation, which led to a multitude of challenges. But the tide is now turning to a more unified approach.
“I think the DevOps train is unstoppable right now. A lot of organisations are thinking about how they can move fast, and deliver value to their customers faster through software delivery,” Lawler says.
Australia is one country that is adopting DevOps, but there is still work to be done. Eighty-two percent of companies don’t have a privileged account security strategy in place for DevOps, according to CyberArk’s Global Advanced Threat Landscape Survey.
“We work with managing privilege in DevOps environments. You do see developers or DevOps people that understand the principles of good security.”
Enter DevSecOps and the mantra of ‘security by design’. How does that work from a practical perspective like designing an application or a platform that delivers applications?
“We don’t see security getting involved early enough in the process – there’s residue from leftover siloes.”
Does there need to be more awareness across an entire company - from the developers who build integrations to the budgeting team and CEOs who may allocate limited funding?
“It should be coming from the senior levels and even down to the board and management to say DevOps and security teams need to start working together at the earliest possible moment.”
She believes that any board member who deals with governance, cybersecurity or oversight, they should be asking management to present these types of issues.
Lawler also says breaking down communication barriers and removing the historical biases of leaving security later in the process are important ways of giving DevSecOps more prominence. This will help teams deliver projects faster.
“I often talk about ways of achieving this goal. It’s more about pushing down the KPIs and metrics of success, and delivery of security that are visible to DevOps and security teams so that they’re both responsible for it."
“DevOps teams love to run on metrics. If it’s a language and construct they can work in, and then having security teams as part owners of that can allow you to break down organisational barriers.”
“We call it secure by design, but it’s really secure innovation by the numbers. You want to see the whole process, which is also a learning process. It’s one thing to say, ‘I’ve secured this platform’, but there are different tools coming in. It’s an entire process problem where we see breakdowns.”
When teams don’t integrate properly, that’s when security problems – and even breaches can happen. Take, for example, the case of when Tesla’s Kubernetes platform was used for cryptomining.
“Someone got into the Kubernetes administrative console, probably by phishing Kubernetes admins. They got on the console and launched a bunch of IT resources to mine cryptocurrency."
“But things like that hit everybody and it happens multiple times a day to all kinds of organisations. Anyone who accidentally uploads an Amazon credential to GitHub – in five minutes a bot will max out your Amazon account and start cryptocurrency mining.”
She says in these cases teams haven’t stepped back and figured out how they want to design a process. Instead, they have pieced something together at the end.
“Kubernetes, configuration management, and orchestration tools are powerful system administrators. They need to be managed or overseen the same as with any person who had that kind of power. That hasn’t made its way into the workflow of DevOps but there’s an awareness that these are real points of risk and liability. They need to be better managed."
“The thing organisations can’t do is compromise ability to deliver by applying security policies. What companies like CyberArk are doing is to apply security without interrupting workflow.”
CyberArk focuses on privileged access management as a holistic process of managing powerful users or powerful systems that are working inside IT and DevOps environments.
“We counteract an exploding threat surface through our Cyber Hygiene program,” she says.
The program gives organisations a 30-day sprint to clean up the most common privileged access security issues coming from the development or DevOps teams.
CyberArk also helps organisations identify administrators who access DevOps consoles. The company then helps customers come up with ways to code applications in areas such as least privilege or separation of duties in the pipeline.
“If you improve application design by one percent per day every day rather than trying to deal with a pile of problems at the end, you’ll be in a much better position if something happens to go awry - and you’ll have a much smaller threat surface,” Lawler concludes.