JupiterOne CEO Erkang Zheng attended last weeks DevSecCon in Seattle, highlighting what it takes for security teams to keep up with the speed of DevOps.
Here is a quick summary of what is covered in this blog post:
- How do you keep a simple, open, collaborative, enabling and rewarding security culture
- Details into using data, code and graph (not lists) to build a digital knowledge base of your environment
- How to use querying to gain insights, provide assurance and collect compliance evidence continuously
- Why you should automate security gates and approvals in code deployment pipeline
Security as an Organizational Challenge
As development teams gravitate towards DevOps, security teams face the very real challenge of keeping up. Coupling the cloud with this Continuous Integration/Continuous Delivery (CI/CD) mindset means change is the only constant.
DevSecOps is the notion that security teams can adopt the same move fast and automate everything you can approach, with confidence. Like DevOps, this is a cultural change within the organization.
If CI/CD is the key result of DevOps, CA/CC is the security equivalent; that is, Continuous Assurance / Continuous Compliance. A DevSecOps culture means prioritizing security is everyone's job, but your security team needs to be able to measure whether or not your company is being successful. What does DevSecOps look like in practice?
- Security becomes an enabler for DevOps by automating security checks, gates and approvals in the DevOps CI/CD pipeline
- Development becomes an enabler for Security by 1) aggregating data from source to gain visibility and insight, 2) automating security operations and manage artifacts with code and 3) achieving provable security with CA/CC.
Visibility, governance and assurance are critical for enabling DevSecOps.
Security is a Data Challenge
As you assess your own digital environments, from the tools and services needed to maintain your DevOps pipeline to the infrastructure being leveraged, plus the users, devices and endpoints, you begin to see that creating a culture of DevSecOps is only part of the challenge.
Putting DevSecOps into practice requires having a constant handle on the changes and data across your environments, as well as the relationships in the data. This is where the checklist, snapshot-in –time oriented approach to security falls well short.
Lists fail to provide insight or context into would-be problems, draining valuable time from your security team as they chase down potential problems only to uncover false positives. Meanwhile, they are missing out on the changes that just occurred that result in critical vulnerabilities.
The manage such complexity, organizations need to turn from lists and individual items to relationships and graphs, which provide the context that fuels quicker understanding and drives specific action.
Configure Queries for Evidence and Remediation Triggers
Organizations can use this relationship-oriented context to reshape how they think about rules and alerts. Instead of false positives that creep in as a result of a siloed status evaluation, use the details unearthed by querying a graph for specific relationship statuses to create more intelligent rules.
The net result is faster remediation on vulnerabilities as well as a complete comprehension around the scope of a risk. Prioritization and time management just got a lot easier for an always stretched security team.
Security artifacts as code
The final step required for a security team to move at the speed of DevOps is to connect the resources and relationships you are storing in the graph directly to the security policies and procedures you wish to enforce.
Whether it is a compliance or security framework requirement or a basic best practice, implementing a security as code approach is the only way to keep up with the constant changes across your environment.
The relationships are critical, but analyzing those relationships individual to ensure compliance or collect evidence would take weeks or months. It's unrealistic. Instead, you need to take your already assembled security policies and procedures and align them on the graph with your actual resources.
What Moving at the Speed of DevOps via DevSecOps Enables
DevSecOps fosters numerous positive outcrops.
- Security becomes everyones concerns, especially during the development process
- Visibility across your environment and the subsequent changes finally becomes feasible
- Automating the tedious facets of security to allow for more analysis becomes easy
But most of all, DevSecOps enables Continuous Assurance and Continuous Compliance (CA/CC). It's provable security that allows you to sleep at night in confidence of your own ability to detect and eliminate threats in your environment. Even when situations like Capital One occur.
