Challenges with DevOps
Enterprises that have moved to a DevOps environment face major challenges. They have multiple code bases that need to be supported and hundreds of builds happening on a weekly basis. Security teams have to provide the sign-offs in all phases of the SDLC, from approval of the initial design, to code review, to security and compliance testing prior to deployment in the production environment.
Unfortunately, over 50% of the roles in security remain unfilled due to a lack of cybersecurity professionals with the relevant skills in the marketplace. Developers outnumber security teams by a factor of 100:1, which compounds the problem, as security teams do not have the bandwidth to support the development teams. The end result is a slowdown in the DevOps pipeline, and both teams begin to blame each other for the slowdowns. Accelerated innovation at the cost of lagging security comes at a huge cost to the business in terms of data breaches.
Shifting left means moving developers to the front lines of security. Making developers responsible for writing secure code can reduce the load on overworked security teams. But are your software developers trained to write secure code?
Developer Secure Coding Training Is Now Table Stakes
Developers lack opportunities to learn about secure coding, either in their education programs or on the job. Even the Top 10 computer science courses in the US do not have a semester dedicated to teaching secure coding.
Traditional security training with boring videos and outdated content does little beyond ensuring check-box compliance. Providing cookie-cutter training materials can build situational awareness but does little to hone the skills needed to write secure code. Spaced learning, using bite-sized content delivered at regular intervals, improves retention and knowledge.
It should come as no surprise that the Verizon Data Breach report 2020 highlights that over 20% of data breaches are due to insecure code.
Secure coding training done right can help developers to build a hacker’s mindset and understand the importance of writing secure code. Exposing them to hands-on training on vulnerabilities like the OWASP Top 10 can raise your AppSec bar and reduce the remediation workload on overworked security teams.
Development managers should pivot their development teams to a Security-by-Design culture. Organizing periodic hackathons or Capture-the-Flag (CTF) events can go a long way to build a security mindset in the organization. In today’s remote development teams, it is also a great way to boost engagement and retention.
Making the Transition to Frictionless DevOps
Development and security teams tend to operate in silos due to the nature of their roles and responsibilities. Developers are responsible for writing good quality code, and security is an important aspect of quality code.
Secure code training is thus an essential first step toward an effective program. However, developer incentives also need to change, from getting functional code out as quickly as possible to delivering secure code, as measured by the number of critical defects in each sprint cycle. Security teams need to shift their focus from code remediation work to building the guard rails of the security program. These include:
- Security tooling
- Patch automation
- Configuring the security tools for various development stacks
- Playing the mentoring role of security champions for development teams
They should conduct threat modeling and work with the development team to improve the security of the product. Security templates for different languages can help in building a common security baseline for developers.
Security teams must also periodically review the results of pentests or red teaming engagements with development teams. Highlight the vulnerabilities that are the result of coding errors and organize just-in-time training sessions around them.
In summary, security has to become a shared responsibility between the development and security teams.