Is security an inhibitor to DevOps agility?
To answer this question we would need to take a quick look at differences between DevOps, QA and Security when it comes to automation issues.
For those of us who have been involved on the front
lines of traditional AppSec activities such as penetration testing, dynamic or static code analysis, it may be obvious that the traditional tools and techniques we use were built more for waterfall-native rather than DevOps-native environments. Yet for executives who came to security from infrastructure, networking or development domains and have never run a security scan, the challenges of bringing traditional toolsets and practices into the new velocity expectations of DevSecOps may not be so obvious.
Today, it is common for many security executives to come from non-security domains -- in large part due to the shortage of security professionals. To understand the differences between the domains, we should first take a look at outcomes and measures of traditional security compared to other work. With this understanding, we can foster more empathy and then work on improving collaboration between the domains.
One key difference between DevOps, QA, and Security is that the first two are very much deterministic, while the latter is not. For security professionals, traditional approaches to determining risks or recommending directions to mitigate the risks often requires human decisions than machine-based actions.
The picture below helps to illustrate this point:
In the case of architecture review and threat modeling, which are two other important AppSec activities that are often required by compliance standards such as SOC 2, HIPAA or PCI, it becomes even more non-deterministic, because the results of analysis could be absolutely unpredictable and very much determined by an assessor’s background.
Needless to say that automation is nowhere close for this type of activities. The best we can do here is to get rid of unnecessary complexity, pseudo-scientific approaches to evaluating risks (e.g. DREAD) and describe the threats in a simple threat table with severities that everybody would easily understand, i.e. "Low", "Medium", "High".
Not understanding this simple truth leads to euphoria and to setting up wrong expectations. For example, a CISO who came from networking domain might say that a good networking appliance is all that is needed to completely automate security, while a CISO with a developer’s background might say that writing a lot of code will make security operate at DevOps-native speeds. While both approaches may help accelerate more deterministic forms of security checks, relying on these approaches alone will introduce blind spots where humans are best suited to make the right decisions. For those CISO’s who solely rely on deterministic approaches to security, their tenure may be cut short when their CEO or CTO understands that their promises to completely automate security will never materialize.
Does it mean that there is nothing we can do to automate security and make it faster? Of course not. As security engineers we can and we should look for new ways to benefit from automation and more deterministic security approaches. These concepts are not new and have been catching on in recent years. Personally, I’ve been talking about these practices for almost three years by now: first at LASCON 2015 “How Traditional AppSec Needs to Change”, then at AppSecCali 2016 “Making Security Agile” and just recently at RSA 2017 DevOps “Getting Security Up to Speed”.
Information security has the opportunity to be less of an inhibitor to DevOps practices when the right approach is taken. That said, we should always take into consideration the non-deterministic nature of some necessary security practices and set the expectations right when talking to executives.
The bottom line, security is seen as an inhibitor to DevOps agility because it is an inhibitor in many ways. Humans efforts cannot always be automated, but there are opportunities to improve it by researching new approaches. In this regard, my big hope is that we’ll see a deeper penetration of AI and machine learning into the security domain. It won’t be easy, but the progress in the Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) space makes me think that it will eventually help automating traditional AppSec activities as well.
Want to learn more about DevSecOps?
This blog is one of seven in a series providing expert commentary and analysis on the results from Sonatype’s 2017 DevSecOps Community Survey. For access to all of the blogs in this series and the survey report, please visit: www.Sonatype.com/2017survey.