Developers, and the software they develop, are the most popular attack vector for today’s hackers and bad actors. The many development tools and processes, not to mention thousands of open source libraries and binaries, all introduce opportunities for malicious or even accidental injection of risk across the entire software supply chain. In response to this expanding threat landscape, developers, security leaders, and operations teams are struggling to find a more effective way to secure their software ecosystem.
Increasingly, organizations are adopting DevSecOps, which focuses on “shift left” security, the idea of introducing security practices earlier in the software development life cycle. Practically speaking, however, DevSecOps is more of an overall strategy or approach than a concrete set of responsibilities assigned to a specific group or individual. DevSecOps is best used to define how an organization addresses product security, or to establish a cultural and technical shift left within the integrated development environment. It can also provide an organizational framework for coordinating security efforts between compliance, security and development teams.
The reality, however, is that while both security and development teams are committed to fortifying the business, collaboration between the two groups can be challenging. A company’s security teams are tasked with doing whatever it takes to secure the business, while developers prefer to write quality code instead of spending their day fixing vulnerabilities.
It is the DevOps team that in fact owns the specific responsibilities, tasks and budget needed to secure the software supply chain.
Defining DevOps-centric security
As the name implies, DevOps teams manage the operational side of software development and are responsible for each step of the software development life cycle (SDLC). While security teams set policies and development teams write code, DevOps teams manage the SDLC workflow. They are the actual owners of the software supply chain.
DevOps teams are also the logical owners for software supply chain security. DevOps teams have the resources, skills and accountability to identify and address security issues across the entire DevOps workflow, from development to runtime to deployment. DevOps teams are involved in every step of the software development process, so they’re ideally suited to serve as a bridge between security teams, responsible for compliance and business requirements, and development teams, which can get overwhelmed with security requests, processes and regulations that are not their core competency.
DevOps-centric security delivers an end-to-end view of an organization’s software supply chain and flags a multitude of vulnerabilities and weaknesses, such as CVEs, configuration issues, secrets exposure, and infrastructure-as-code violations. It also suggests remediation strategies at each stage of the software development life cycle, from code to container to device.
How does DevOps-centric security work?
A DevOps-centric approach to security builds on the rigorous process and continuous, automated testing that’s the hallmark of all DevOps teams. More importantly, it guides organizations with a clear understanding of each vulnerability and suggests actions to efficiently fix the issues.
Here’s how:
Focus on binaries as well as source code:
The modern software supply chain has just one core asset that is delivered into production: the software binary, which takes many forms, from package to container to archive file. Attackers are increasingly targeting binaries, as they contain more information than source code alone (bundled dependencies, build-time configuration, and embedded secrets that never appear in the repository). By analyzing the binary as well as the source code, DevOps teams can provide a more complete picture of any impact or point of exploitation. This helps eliminate complexity and streamlines security detection, assessment, and remediation efforts.
Contextual analysis: Determining which vulnerabilities, weaknesses, and exposures need remediation and the most cost-effective way to do it
Serious vulnerabilities are identified daily through the efforts of researchers and bug bounty programs. Yet these CVEs may or may not be exploitable in a given deployment, depending on factors such as the application’s configuration, its use of authentication mechanisms, and whether keys are exposed. DevOps-centric security looks at the context in which software is operating to prioritize vulnerabilities and recommend how to remediate them quickly and effectively, without wasting developers’ time on non-applicable issues. It is particularly important to be able to scan and analyze containers for open source vulnerabilities, since the use of containers to hide malicious code is now on the rise.
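The two ideas above (comparing what the binary actually ships against what the source declares, and weighting each CVE by deployment context) can be combined into a small triage step. The following is an added illustration, not code from the article or any vendor product; the component names, the CVE placeholders, the context flags and the weighting factors are all constructed assumptions, and a real pipeline would take these inputs from an SBOM/binary scanner and the deployment configuration.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not real scan output):
# what the source manifest declares vs. what inspection of the delivered binary found.
SOURCE_MANIFEST = {"libfoo": "1.2.0", "libbar": "3.4.1"}
BINARY_COMPONENTS = {"libfoo": "1.2.0", "libbar": "3.4.1", "libbaz": "0.9.0"}


@dataclass
class Finding:
    cve: str                    # placeholder ids only; no real CVE numbers used here
    component: str
    cvss: float                 # base score as reported by the scanner
    vuln_feature_enabled: bool  # is the vulnerable code path switched on in this config?
    network_exposed: bool       # is the component reachable from an untrusted network?
    requires_auth: bool         # does reaching it require valid credentials first?
    secret_exposed: bool = False  # e.g. a key baked into the image next to it


def binary_only_components(manifest, binary):
    """Components present in the shipped artifact but absent from source: extra scrutiny."""
    return sorted(set(binary) - set(manifest))


def contextual_score(f):
    """Adjust the base CVSS by deployment context (weights are illustrative assumptions)."""
    if not f.vuln_feature_enabled:
        return 0.0                      # vulnerable path never runs in this build/config
    score = f.cvss
    if not f.network_exposed:
        score *= 0.5                    # only reachable locally
    if f.requires_auth:
        score *= 0.75                   # attacker needs credentials first
    if f.secret_exposed:
        score += 2.0                    # exploitation would also leak a key
    return min(score, 10.0)


def prioritize(findings, manifest, binary):
    """Return (score, cve, component) sorted highest-risk first."""
    hidden = set(binary_only_components(manifest, binary))
    ranked = []
    for f in findings:
        s = contextual_score(f)
        if s > 0 and f.component in hidden:
            s = min(s + 1.0, 10.0)      # dependency invisible in source: bump it up
        ranked.append((s, f.cve, f.component))
    return sorted(ranked, reverse=True)
```

Findings with a zero score are the ones the article calls non-applicable; they stay in the report for audit purposes but drop to the bottom of the developer's queue.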
Providing a holistic view of the software supply chain
Through their involvement in each step of the software development process, DevOps teams offer a holistic view of a company’s software supply chain and all its weaknesses. DevOps-centric security analyzes binaries, infrastructure, integrations, releases, and flows all in one place, eliminating the confusion of disparate security systems with varying or limited information, and inconsistent reporting. Thus, when you implement security using DevOps processes, you not only scan to identify problems within the software, but also help developers prioritize and fix them quickly and easily.
In conclusion, organizations are facing a new era of software supply chain security threats. We believe the best way to intelligently deliver secure software at speed and scale is to adopt DevOps-centric security for your organization’s software supply chain.
This article was written in cooperation with Nati Davidi