Thinking Security First: How to Lower Cost and Mitigate Risk with DevSecOps
Success today is about more than just delivering a product. In a world inundated with threats, securing our products and networks is paramount. As a result, DevSecOps plays an ever-expanding role in the digital economy.
This topic was at the forefront of Rural Sourcing’s 2019 Cloud Summit in Albuquerque. In a discussion led by Rural Sourcing VP of Innovation & Sales Engineering Derek Perry, a panel of experts shared insights on how product-centric organizations are positioned in today’s marketplace and how DevSecOps can shape their security practices.
“DevOps can best be described as a pipeline to package and ship production-ready code to the world,” said Kris Wall, principal consultant, Rural Sourcing. “Often times, security is an afterthought, and now security has been finally integrated into the DevOps lifecycle by building in security checkpoints throughout the lifecycle. Most importantly, this has shifted the industry’s attention towards secure coding and testing services, a shift that should have occurred a long time ago.”
For Brian Self, solutions architect at WhiteHat Security, putting DevSecOps at the front of the plan is critical. He notes data from a Ponemon Institute study conducted with National Institute of Standards and Technology (NIST) demonstrating that the average cost to repair a defect in production is 100x more expensive than if it had been caught and fixed during development. The takeaway—the earlier a vulnerability is found the cheaper it is to remediate.
“DevSecOps has required a far tighter and closer integration of security into all stages of the software development lifecycle (SDLC),” said Self. “This close and early integration of security is a very different approach and a change for many organizations. Traditionally security has been bolted on at the end of the SDLC, if at all. The sooner we integrate security, the better. It lowers cost of remediation and significantly lowers the risk/threat profile.”
Bill Rose, who leads Rural Sourcing’s Fort Wayne Development Center and previously served as Head of IT and interim CIO for MGM Resorts International, says it’s an imperative to pull security forward into the design and development process. At deployment, it may be too late.
“In today’s high threat/high risk environment, security can’t be an afterthought, it should be closer to a first thought,” said Rose. “My advice would be to avoid over-analyzing and resist seeking the full answer first. Dive in, utilize the principles and spirit of continuous improvement, and build toward the right process for your organization.”
“DevSecOps isn’t a destination,” said Wall. “You can’t add a new process and call it done. The security landscape is constantly changing, and the DevOps pipeline must continue to evolve with new threats as they’re uncovered.”