Guest Post: A CIO/CISO Perspective on Agile Security and the Modern DevOps in the Startup Era
Published November 22, 2023.
Traditional product security tools and practices can’t keep up with today's standards of continuous delivery and release velocity in cloud native environments. Shift left-tools are needed, but aren't enough to allow agile security without compromising on velocity. This articles looks at how the modern DevOps function will mitigate these challenges by embracing a unique agile-security approach.
To better understand the role of DevOps in the modern organization today, with regards to running agile security, we must first look at two significant trends:
The first relates to what we call Cloud Transformation and its role in bridging the gap between agile in theory and in practice; the second relates to continuous delivery practices that are now gaining traction, especially in modern software-based organizations such as startups, which are driving the demand for “shift-left” solutions.
How are these trends related? In short, traditional product security tools and practices can’t keep up with today's standards of continuous delivery and release velocity in cloud native environments. Shift left-tools are needed, but aren't enough to allow agile security without compromising on velocity. The modern DevOps function will need to mitigate these challenges by embracing a unique agile-security approach.
This course of action will support the development and deployment velocity of products that are more secure and are less exposed to cyber threats.
Let's take a step back for a moment. DevOps was originally created as the combination of cultural philosophies, practices, and tools that increase an organization’s ability to deliver applications and services at high velocity.
But DevOps dominance and infrastructure-as-code have also created new challenges. Integrating security into the DevOps pipeline is one of them.
Is traditional product security about to break?
with time, it became clear that as DevOps focused on velocity, deployment and other tenets, security often became an afterthought and was commonly neglected. Moreover, traditional security practices and tools didn’t seem to keep up with the pace; it seems that they just don’t fit well into an agile development process.
The result is that, today, the upside of continuous delivery is simultaneously a downside as it can lead to security vulnerabilities.
Will Kapcio, a solutions engineer for HackerOne said in a recent conference: ”83% of chief information security officers (CISOs) see software vulnerabilities as a threat to their organizations, nearly two-thirds of security teams are playing catch-up with the modern software development life cycle (SDLC) and falling behind.”
Houston, we have a problem…
Startups and agile product security challenges
I use the term ‘startup’ because in our organization we have an ‘innovation hubs’ attitude, that some of our new projects are launched, and behave just like a start-up environment
In order to maintain agility without compromising on security, DevOps (or DevSecOps) teams must develop an agile product-security culture in the organization. There’s no other option.
Think of agile DevOps security as the evolution of product security in the startup era: Its goal is to increase the high velocity development of software while reducing costs at the same time, by ensuring a minimal baseline of security. Security needs to be an integral part of all SDLC phases, from design and architecture, development and tests, to release, deployment, maintenance and beyond.
The main challenges that this function will need to tackle are:
- Maintaining an MVS (minimal viable security) under constant product changes. Snyk put it nicely: “Modern agile environments might see multiple production deployments in just a single day.” As legacy technologies have not adapted to today's cloud environment, agile security must use different processes and tools, such as shift left security tools. But that is not enough.
- Helping developers build secure code, but keeping agile standards intact. Shift left, dev-friendly tools support security testing early in the development stage, but there are just too many of them. Orchestrating them manually is a time consuming mission and they create too much noise. Developers are not security experts, so modern DevOps functions must offer a way for developers to build secure products without having it come at the expense of their main mission.
- Establishing a collaborative pipeline. Siloed security and engineering teams are hardly optimal in the startup era. Modern DevOps will need to ensure smooth collaboration between these teams by building optimized processes.
- Changing the mindset of the different teams towards shift left. Many would say that DevSecOps is the evolution of DevOps as it seeks to integrate security and engineering objectives with a shift-left mindset. I would claim that modern DevOps should follow a similar mindset. I would also add that while this may be a very difficult challenge in legacy organizations, startups (or cloud native) organizations could easily embrace a shift-left mindset.
- Knowing how to operate in today’s new era of technological solutions. Applications, designed by DevOps teams, that are meant to harness the potential of the cloud behave differently in production, compared to legacy apps. For instance, new-age apps are more likely to take advantage of serverless technology, containers and microservices. Security teams must familiarize themselves with such tools, ones that would carry with them a whole new lexicon of security components from pod to pod communication, to API gateways and service meshes. In short, new skills are required if you want to leverage new architectures.
Agile security approach - Concrete tips
“Security isn’t about reducing risk to zero. It’s about continuously rebalancing risk as context shifts” - source
- MVS - This is almost counter-intuitive to the traditional ‘maximum security’ approach, but when you think about it, there’s no other way to run product security in an agile environment. The industry is starting to recognize this approach, most notably the MVSP initiative and start-ups like Jit.io that aim to automate the MVS approach.
- Ensure someone in the startup engineering organization is a security stakeholder. It could be a security developer or DevOps manager. Embrace DevSecOps if possible.
- Ensure that the dev team adopts code-level security practices.
- Start with customized security planning.
- Support the automation of security testing and other measures.
- Try to model your CI/CD pipeline and include security in modeling. This will help identify issues so teams know where to best invest in improvements.
- Try to integrate security into the same processes that developers are using for testing so it rides along with developers. The same principles that are used for code testing can be used for security.
- Elevate the team’s expertise to ensure they fit today’s security fundamentals (Kubernetes, Dockers etc).
As we continue to embrace agile development and shift-left tools, it will be crucial for developers to interact with product and cloud security in a seamless and smooth manner. Infrastructure-as-code and security-as-code will give developers and operation teams the ability to manage every part of development continuously.
When security ‘shifts left’ within the product lifecycle and in cloud environments, teams can profoundly impact the security level of the products with much less business friction.
“I strongly believe security must be at the service of the business. When the business screams for modernization, as it does with DevOps, security must follow and support the transformation, not hold it back,” - a quote by Julien Vehent in his book ‘Securing DevOps, Security in the cloud’ (Highly recommended !)