BY DAVID RUBINSTEIN

DevSecOps has come to be known by many as the shifting left of security, making it a key part of software development while code is being written, as opposed to trying to put security onto the application after it’s completed.

This follows the trends of DevOps, which moved operational considerations for applications into development, as well as software testing — though the term DevTestOps hasn’t really caught on.

And DevSecOps, like many initiatives in their early stages, has awareness but often is not well understood. “People recognize the term DevSecOps and have a general notion of what it means,” said Jeff Williams, co-founder and CTO at Contrast Security. “It means shifting left and automating security somehow, but in practice we’re really just at the very early stages of this. I think most folks don’t have a very well-formed idea of exactly what they need to do [for] DevSecOps. In fact, I think most people get it dramatically wrong.”

Shifting left, of course, puts even more responsibility on developers, who have been trained to write code, and even find and correct errors in code, but who largely have not been trained on security best practices.

“People have this idea that shifting left is taking the things you’re currently doing and pushing them on to the developers,” Williams said. “I call it shitting left. It doesn’t work. The way that security works today is largely built around experts, using expert tools. You can’t just take those same tools and shove them onto developers who don’t have the skills or background to be effective using them, and expect great results. All you’re going to do is create a lot of alienated developers who don’t do good security. You’re probably going to end up hurting security overall.”

That could be problematic for organizations where security is a priority, as 73 percent responding to a recent Forrester study said it is. Trusting developers alone with security is the wrong approach, as developers are often the ones introducing insecure code into their applications through the use of open-source components.

The Forrester report found there were 17,308 vulnerabilities published in 2018, up 23 percent from a year earlier. It also indicated that a best security practice would be to have developers reduce the attack surface in their applications as they code. “Today’s reality is that developers don’t code securely,” the report stated. “When measured against major industry vulnerability standards, 70 percent of applications fail security testing on the first scan.”

None of this is to say developers are at fault here. Forrester noted that the top 40 computer science programs in the United States do not require secure coding or application design in their curricula.

Yet Williams cautioned against taking too much of a developer-centric view of DevSecOps, and noted that many people trying to do it correctly simply forget about the ‘extending right’ part of DevSecOps.

Particularly in application security, Williams said most organizations don’t have any idea of who’s attacking them, or what attack vectors they’re using to go after them, or what systems they’re targeting. Large organizations, he said, are blind at that level and they don’t have a way of stopping those attacks or using intelligence of how they’re being attacked to drive their security strategy. “It’s that kind of feedback loop that’s one of the real characteristics of DevOps,” he explained. “Someone attacks you using a new attack, that should instantly drive changes in the product. But we don’t have that feedback loop, so really, when I think about DevSecOps, it’s about continuing to do what you do now — generate assurance — but extend left and extend right. This idea of shifting left is dumb, and dangerous. It’s unfortunate, but those [advocating shift left] are people who haven’t thought it through very well.”

Doing DevSecOps effectively

Today, many organizations are just taking the DevSecOps name and pinning it on trivial modifications of what they’ve been doing, and it’s not really that, Williams said. “DevSecOps is a fundamental transformation of security the way that DevOps is a fundamental transformation of the way we build software,” he explained. “My friend at Comcast runs their security program and says vendors are putting DevSecOps lipstick on a traditional security pig, because they’re not fundamentally changing how their products work; they’re just kind of taping them onto a DevOps pipeline and going, ‘Yep, we’re DevSecOps! Look!’”

Williams went on to say the organizations that are doing DevSecOps effectively are being smart about security across the entire software life cycle. “In dev, what that means is you empower developers to find and fix their own vulnerabilities, fix their own code, and check in clean code,” Williams said. “Seems pretty straightforward, and automation is a big part of that. It’s got to be accurate, because developers don’t have [the] time or skills to deal with inaccuracies. If we can achieve that in dev, there are some really good downstream benefits from that. In CI/CD, both traditional and what we might call QA, in that stage, I think the goal has to be to generate assurance; that what you’re pushing into production has been thoroughly tested and is free of vulnerabilities.”

Traditionally, this assurance came from a big test after the application was complete. So by pushing all that to the left, that final assurance is lost. But, if security has been factored in earlier in the process, the big test should find nothing because tests were done along the way and any found vulnerabilities would have been remediated.

There is no assurance, though, that an effort to do DevSecOps effectively will succeed, because — like Agile, DevOps and Value Stream — the methodologies are not prescriptive. Organizations are usually left to their own devices to determine how they are going to realize the benefits.

“There’s some real value in DevSecOps and I don’t want to see the term get watered down to apply to anything that’s security,” he said. “I think it really does mean something. When I go back to the fundamental principles of DevOps, things like breaking down the work into small pieces to create flow, creating tight feedback loops and creating a culture of innovation and learning, those three things, if you interpret them for security, that’s DevSecOps. So that means breaking security work down to small pieces to create flow; it means creating tight security feedback loops, and it means creating a culture of security innovation and learning.

“Those are the three ways of DevOps and I think they’re essentially the same for security,” he added. “But very few organizations are really focused on that. They’re focused on let’s buy some new tool and plug it into our CI/CD pipeline, and bam! We’re DevSecOps. But that is not how it works. You’re not going to achieve a transition overnight. You’re gonna have to do it piece by piece over the course of years.”

DevSecOps, by its very definition, encompasses the entire stack, from coding, to UI, to the infrastructure it’s running on, and Williams added that the whole stack is turning into software. “If you’re deploying into the cloud, you’ve got a container on top of that, maybe you’ve got an app server running in the container, you’ve got libraries in the app server in the container, and you’ve got trusted code running on top of the app server... but it’s all really software.”

Inside out, outside in, perpetual change

To have an effective DevSecOps practice, you have to approach security at each layer of the stack. If you’re running containers, you’ll need to create rules to ensure that the container has no vulnerabilities, is built with the proper defenses, and that it’s being monitored at runtime.

“The old way we used to do that is with what I’ll call an outside-in approach,” Williams explained. “We used to put a firewall around it and scan the shit out of it, and try to see if the whole thing is secure. The problem is, modern architectures are much too complicated for that. I think the effective approach today is to get inside the thing we’re trying to secure. If you’re trying to secure a container, you need to be inside the container asking those questions about security. If you’re trying to secure an app server, you need to be inside the app server. If you’re trying to secure custom code, you need to be inside that custom code. That’s where you have all the information to make a smart decision about whether something is secure or not.”

What Williams described is an instrumentation-based approach to security. Contrast Security, he said, doesn’t do container or cloud security. What Contrast does is instrument the application layer so vulnerabilities can be found and so the team can prevent vulnerabilities from being exploited at runtime.

“If you zoom out and look at that, you can imagine instrumenting each layer of the stack with the right products, and then that stack is secure. It secures itself. And then you can put that stack wherever you want. If you want to put it internally, in an internal data center, great. If you want to put it in the cloud, great. The security goes with the code. For me, we’re talking about securing everything, and that’s a very DevOps/Cloud/Container kind of way of doing security. It doesn’t matter if you’re rolling out tons of elastic servers or you’re spinning up containers all over the place, because the security goes with the code. Trying to do that kind of protection with an outside-in approach is impossible, because you can never keep the walls up around everything, and you can never scan everything from the outside, because what’s in there keeps changing, moving.”

As Williams said, automation must play a big role in DevSecOps, because automation is what creates the guardrails around your development pipeline, to ensure no bugs or vulnerabilities sneak into the code and get pushed into production. “So you have this automated pipeline that does all that work; that optimizes for the developer the ability to create new functionality and push it into production quickly,” Williams said. “All security, especially application security, has massive scale problems. There are just not enough people to do the work the old way, so you have to automate. Most big organizations, they’re really only doing effective application security on 10 percent of their applications. They only secure the public-facing stuff, or the ones they deem to be critical. They’re not securing all their applications, and it’s a huge risk. The only way to fix that problem is we’ve got to change the economics. We’ve got to figure out a force multiplier, and I believe that is DevSecOps. By empowering developers, we can use the big machinery of software development to do the security work.”

A self-protecting prophecy

Cybersecurity expert Ed Amoroso talks about a model he calls Explode-Offload-Reload. Contrast Security’s Jeff Williams explained: “What that means is as you move from the traditional internal monolithic applications, you need to explode them into pieces, and move each of those workloads into the cloud, that’s off-loading, and then reload means adding those protections back to the stack that runs that code, creating a secure, self-protecting instance in the cloud. Instead of having one big wall, now you’ve got a whole bunch of little walls. It’s not even good to think about walls; it’s really just to secure applications that are able to protect themselves. But I like that description because he’s talking about how organizations can move from a very sort of traditional outside-in approach to security to the future, which is this self-protecting way of doing things.”

— David Rubinstein

Why do the same vulnerabilities keep showing up?

Jeff Williams, co-founder and CTO of Contrast Security, created the OWASP Top Ten list, first published in 2003. While he’s proud of the work done, he’s a little disappointed that the list has not changed all that much in 16 years.

“My thought at the time was, we’ll put this Top Ten out, we’ll solve some of these issues and we’ll raise the bar over time to get to a place where application security is a lot better,” Williams said. “It’s hard to believe that it’s almost 20 years later. Part of me is like, they’re difficult to solve because they’re pervasive across so much code everywhere, and some of them are tricky to find. But at the same time they’re also [doing] basic blocking and tackling, like solving SQL injection is not particularly hard. We’ve taken this approach of mostly chasing vulnerabilities and trying to remediate them as opposed to changing the way that we interact with databases. If everyone used prepared statements everywhere, we’d be a lot closer to solving SQL injections. It’s when people write custom queries and concatenate in untrusted data that we get into trouble.”

He said he believes the right path forward is to give developers great automation so they just get alerted whenever they
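The two technical points on this page, the sidebar's contrast between concatenated queries and prepared statements and Williams's "be inside the custom code" instrumentation, as one added example that is not from the article or from Contrast Security: a hypothetical SqlGuard shim registers untrusted input at the trust boundary and refuses any query in which that input appears verbatim (it was concatenated rather than bound), while the prepared-statement form of the same lookup passes. Substring matching is a labelled simplification of real taint tracking, and the table and hostile value are constructed for the demo.

```python
import sqlite3

class SqlGuard:
    """Hypothetical in-process shim (not Contrast's product): untrusted values
    are registered as they enter the app and every query is checked from inside
    the application layer before it reaches the database."""

    def __init__(self, conn):
        self.conn, self.tainted, self.findings = conn, set(), []

    def untrusted(self, value):
        # Called at the trust boundary (HTTP parameter, header, form field).
        self.tainted.add(value)
        return value

    def execute(self, sql, params=()):
        # An untrusted value appearing verbatim in the SQL text means it was
        # concatenated rather than bound. Substring matching is a simplified
        # stand-in for real taint tracking through string operations.
        hits = [t for t in self.tainted if len(t) > 3 and t in sql]
        if hits:
            self.findings.append((sql, hits))
            raise ValueError("untrusted data concatenated into SQL")
        return self.conn.execute(sql, params).fetchall()

def make_db():
    # Constructed sample table for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_concatenated(guard, name):
    # The pattern the sidebar warns about: custom query, untrusted data pasted in.
    return guard.execute("SELECT name, role FROM users WHERE name = '" + name + "'")

def lookup_prepared(guard, name):
    # Prepared-statement form: the value is bound, never part of the SQL text.
    return guard.execute("SELECT name, role FROM users WHERE name = ?", (name,))

def demo():
    guard = SqlGuard(make_db())
    hostile = guard.untrusted("' OR '1'='1")  # constructed hostile request value
    try:
        lookup_concatenated(guard, hostile)
        blocked = False
    except ValueError:
        blocked = True
    # The same input bound as a parameter runs safely and matches no row.
    return blocked, len(guard.findings), lookup_prepared(guard, hostile)
```

Running `demo()` returns `(True, 1, [])`: the concatenated query is refused and recorded as a finding, while the bound query executes and simply finds no user by that name.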
029-33_SDT024.qxp_Layout 1 5/22/19 6:18 PM Page 32