News and Notes from the Makers of Nexus | Sonatype Blog

DevSecOps: A More Deterministic Approach

Written by Oleg Gryb | March 22, 2017

Is security an inhibitor to DevOps agility?

To answer this question, we need to look at how DevOps, QA and Security differ when it comes to automation.

For those involved in traditional AppSec activities such as penetration testing and dynamic or static code analysis, it may be obvious that the tools and techniques we have relied on were built for waterfall-native rather than DevOps-native environments. Yet for executives who came to security from the infrastructure, networking or development domains and have never run a security scan themselves, the challenge of bringing those toolsets and practices up to the velocity DevSecOps expects may not be so obvious.

Today, many security executives come from non-security domains, in large part because of the shortage of security professionals. To understand the differences between the domains, we should first look at the outcomes and measures of traditional security work compared to those of DevOps and QA. With that understanding we can foster more empathy, and then work on improving collaboration between the domains.

One key difference between DevOps, QA and Security is that the first two are largely deterministic, while the third is not. Given the same input, a build or a test suite produces the same result every time. For security professionals, traditional approaches to determining risk, or recommending how to mitigate it, often require human judgement rather than machine-based actions, and two competent people can reach different conclusions from the same evidence.

The picture below illustrates this point:

Architecture review and threat modeling, two other important AppSec activities often required by compliance standards such as SOC 2, HIPAA or PCI, are even less deterministic: the results of the analysis are hard to predict in advance and depend heavily on the assessor's background, so two assessors reviewing the same system can come back with noticeably different threat lists.

Needless to say, automation is nowhere close for this type of activity. The best we can do here is to strip out unnecessary complexity and pseudo-scientific risk-scoring schemes (DREAD, for example, whose numeric scores are only as objective as the subjective ratings fed into them), and describe the threats in a simple threat table with severities that everybody understands: "Low", "Medium" and "High".

Not understanding this simple truth leads to euphoria and unrealistic expectations. For example, a CISO who came from the networking domain might say that a good networking appliance is all that is needed to completely automate security, while a CISO with a developer's background might say that writing a lot of code will make security operate at DevOps-native speed. Both approaches can accelerate the more deterministic forms of security checks, but relying on them alone introduces blind spots in exactly the places where humans are best suited to make the call. For CISOs who rely solely on deterministic approaches to security, tenure may be cut short once the CEO or CTO realizes that the promise to completely automate security will never materialize.

Does it mean there is nothing we can do to automate security and make it faster? Of course not. As security engineers, we can and should look for new ways to benefit from automation and more deterministic security approaches. These concepts are not new and have been catching on in recent years. Personally, I've been talking about these practices for almost three years: first at LASCON 2015 "How Traditional AppSec Needs to Change," then at AppSecCali 2016 "Making Security Agile" and recently at RSA 2017 DevOps "Getting Security Up to Speed."

Information security can be much less of an inhibitor to DevOps practices when the right approach is taken. That said, we should always account for the non-deterministic nature of some necessary security practices and set expectations accordingly when talking to executives.

The bottom line: security is seen as an inhibitor of DevOps agility because, in many ways, it is one. Human effort cannot always be automated, but there are opportunities to improve it by researching new approaches. In this regard, my big hope is that we'll see a deeper penetration of AI and machine learning into the security domain. It won't be easy, but the progress in the Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) space makes me think it will eventually help automate traditional AppSec activities.

Want to learn more about DevSecOps?

This blog is one of seven in a series, providing expert commentary and analysis on the results from Sonatype's 2017 DevSecOps Community Survey. For access to all the blogs in this series and the survey report, please visit: www.Sonatype.com/2017survey.