DevOps, sometimes with the security element included in the name as DevSecOps, relies on collaboration. With teams now mostly working remotely, could the COVID-19 pandemic lead to less secure software?
Speaking to Infosecurity, Manish Gupta, CEO of ShiftLeft, said he believes that the inability to adequately and successfully patch operating systems and applications and to embrace more secure DevOps practices is a common cybersecurity failing.
So, given the current circumstances, will DevOps be disrupted? Gupta said that while offline business has become harder to conduct, online business has become easier, and that has shifted the way we work. “That is making companies more rapidly embrace the cloud, and rapidly embrace e-commerce and SaaS, and all will accelerate the adoption of DevOps,” he added.
Amidst all of this, Gupta said that things will be done more quickly and corners will be cut, which will push companies to adopt DevOps more urgently. What about the physical, proximity-based side of DevOps: is it done better by people working together in one place? Gupta argued that DevOps is almost the opposite in terms of requiring proximity; it is the waterfall model that requires in-person collaboration.
“With DevOps, we are asking systems and machines to do a lot of the work that we used to do in the past,” he said, “and eventually the machines did a lot of the development work, and systems replaced the offline collaboration.”
Gupta said that “born in the cloud” companies have the benefit of starting with a clean slate and could adopt more modern practices. Older companies would need to adopt more agile practices, he claimed, and will not go back to normal after the COVID-19 pandemic ends.
From an application security perspective, is this similar to the DevOps situation, in that the way we now work is the way things will remain? Gupta said he believed that the world has moved to adopt a SaaS model, and within that, application security will become more important, as the “security of your software includes your applications,” even when they are hosted in an IaaS environment.
Therefore, over the last five years, we have seen an increase in SaaS and more application security. However, Gupta said the part we have not done as well in application security is that we continue to use tools that “are about 15 years old,” and he said he could not think of another part of the industry where such old technology is still in use. “This technology is being used in modern practices, partly because there were no substitutes available, and that has been our focus, to reimagine how application security should be done in this modern era,” he said.
Gupta explained that the world of 15 years ago is very different from today. Then, there were waterfall development processes, releases every six months and upgrades once a year; now multiple releases are done every hour, “so speed of development has significantly increased.” Also, there was much less use of open source and third-party libraries 15 years ago, whereas now most applications use them.
The third change, Gupta said, was around personnel. You could have 100 developers working for months and then hand over to the security team, “and in this whole year-long process you have ample time baked in for the application security team to review the software, run it through code analysis and sift through the vulnerabilities, and see which are false positives and what needs to be fixed.” Gupta said this was OK in the waterfall era, as shipping software took time and there was time to spare, but today, if you are doing daily or weekly releases, you do not have the luxury of time, and a ratio of 100 developers to one application security person “is untenable,” as you need more automation and faster tools.
He said that if we continue to do things as we have for the past 15 years, with 100 developers to one application security person, we will not scale as an industry, “as no company can afford to hire 100 developers and maybe 20 application security staff.” What needs to happen is for modern security tools to be used, “as we no longer have hours or days to run analysis,” and for developers to be told the security implication every time they make a change.
“That is the same for DevOps automation that has allowed developers to do what they are able to today,” he said. “The level of automation and insight into apps and application security has been relegated to the back burner, but modern technologies like ours are enabling application security to be seamlessly integrated and automated into the modern DevOps pipeline.”
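The per-change feedback Gupta describes, where a developer learns the security implication of a commit as it is made rather than months later, is in practice a pipeline step that reviews only the lines a change adds. The example below is added here to illustrate that idea and is not ShiftLeft's product or any code from the article. It parses a unified diff, flags newly added dependency pins that match an advisory list and newly added lines matching a few risky code patterns, and returns findings a CI job could surface on the pull request. The diff, the advisory entry for `examplelib`, the pattern list and the `review_diff` function name are all constructed for this illustration; a real gate would load advisories from a vulnerability database and use a proper analyser rather than regular expressions.

```python
"""Added example: a minimal per-change security gate over a unified diff.

Everything here (sample diff, advisory data, patterns) is constructed for
illustration; it is not an advisory feed or a product's rule set.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Constructed advisory data keyed by (package, version). Not real advisories.
VULNERABLE_PINS = {
    ("examplelib", "1.2.3"): "constructed advisory: examplelib 1.2.3 is affected; upgrade to 1.2.4",
}

# Illustrative patterns worth a comment on the line that introduces them.
RISKY_PATTERNS = [
    (re.compile(r"\beval\("), "eval() on data: prefer ast.literal_eval or a real parser"),
    (re.compile(r"shell\s*=\s*True"), "subprocess with shell=True: pass an argv list instead"),
    (re.compile(r"(?i)\b(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"), "possible hard-coded credential"),
    (re.compile(r"verify\s*=\s*False"), "TLS certificate verification disabled"),
]

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line: int      # line number on the new side of the diff
    message: str


def added_lines(diff: str):
    """Yield (path, new_line_number, text) for every line the diff adds."""
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            new_line = int(HUNK_HEADER.match(raw).group(1))
        elif raw.startswith("+"):
            yield path, new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: consumes no new-side line number
        elif path is not None and (raw.startswith(" ") or raw == ""):
            new_line += 1  # unchanged context line


def check_requirements_line(path: str, line: int, text: str) -> Finding | None:
    """Flag an added 'name==version' pin that appears in the advisory data."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)", text)
    if not m:
        return None
    key = (m.group(1).lower(), m.group(2))
    if key in VULNERABLE_PINS:
        return Finding(path, line, VULNERABLE_PINS[key])
    return None


def review_diff(diff: str) -> list[Finding]:
    """Return findings for the added lines only, so feedback scales with the change."""
    findings: list[Finding] = []
    for path, line, text in added_lines(diff):
        if path.endswith("requirements.txt"):
            f = check_requirements_line(path, line, text)
            if f:
                findings.append(f)
            continue
        for pattern, message in RISKY_PATTERNS:
            if pattern.search(text):
                findings.append(Finding(path, line, message))
    return findings


# Constructed sample diff: one new dependency pin and two risky code lines.
SAMPLE_DIFF = """\
diff --git a/requirements.txt b/requirements.txt
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,3 @@
 requests==2.31.0
+examplelib==1.2.3
 flask==3.0.0
diff --git a/app/report.py b/app/report.py
--- a/app/report.py
+++ b/app/report.py
@@ -10,2 +10,4 @@ def render(user_input):
     data = load()
-    return template.render(data)
+    cfg = eval(user_input)
+    out = subprocess.run(cmd, shell=True)
+    return template.render(data, cfg=cfg, out=out)
"""

if __name__ == "__main__":
    results = review_diff(SAMPLE_DIFF)
    for f in results:
        print(f"{f.path}:{f.line}: {f.message}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step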
In conclusion, did Gupta believe there would be more positive steps forward in the worlds of DevOps and application security? He said that software is becoming an important ingredient for all companies now, and that, as a result, the conversation is opening up to discuss the accuracy of application security programs.