IT workloads are increasingly moving to the cloud, changing the way organizations develop and deliver software. Deploying and running production systems is now separate from the hardware and network, infrastructure is defined through code, and operations are now part of cloud service APIs.
What does this mean for security?
- Security professionals need to be able to read and write code.
- They need to build security tests into the continuous integration/continuous delivery (CI/CD) pipelines.
- They need to understand the different cloud architectures and platforms.
- Security tests need to be conducted at a fast pace that won’t impact the speed of software deployments.
Ideally … security needs to become code.
But how are we doing on this quest to the future state of security? SANS Institute examined 281 global organizations to find out what security teams need to understand about software development to meet the demand of high-velocity software deliveries, the skills they need to catch vulnerabilities early, and the impact that cloud architectures and platforms have on this effort.
For starters, the survey found that 97 percent of organizations use a public cloud provider. But these organizations aren’t sticking to just one cloud provider. Over 57 percent of organizations use three or more cloud platforms. Since every cloud platform is different in terms of configuration models, APIs, and services, using multiple platforms can present operational and security challenges. Ideally, organizations need to leverage cloud-agnostic tools – like Terraform – to configure and provision services across multiple cloud platforms using the same toolset and language. Better yet, organizations should be automating cloud configuration through code and platform APIs.
Velocity of Delivery and Security Testing
With the transition to the cloud and DevOps practices, organizations have been able to deploy new software faster than ever. In fact, the velocity of software delivery has increased by 14 percent over the past five years alone. But security scans have been lagging behind, causing many organizations to release vulnerable software to production. The survey found that, in most instances, security scans are delayed because organizations are using manual testing instead of automated testing. Only 29 percent of organizations have automated 75 percent or more of their security testing, and fewer than half of organizations have security tests automated into their coding workflows.
Software deployments aren’t the only thing speeding up. Cyberattacks are also on the rise – happening more frequently and with greater sophistication. Unfortunately, most organizations are not remediating flaws fast enough. Only half of organizations resolve flaws in under a week. Once again, this lag is the result of manual security testing instead of automated testing. As stated in the survey, “Organizations need to leverage DevOps and Agile practices, and automated build chains and automated testing, to get patches out faster with confidence.”
Barriers and Enablers
If automating build chains and security tests is ideal, why aren’t more organizations transitioning to DevSecOps? The survey uncovered that organizational challenges are to blame. The biggest barriers to entry stem from organizational silos, lack of funding, and limited resources/skills.
However, that doesn’t mean that the transition to DevSecOps isn’t possible. Many organizations are successfully transitioning to DevSecOps by leveraging secure coding training, improving communication across the developer, operations, and security teams, and securing management buy-in.
When developers and security professionals have secure coding knowledge, they can fix vulnerabilities without having to spend time on Google or Stack Overflow learning remediation tactics. Best of all? With the right knowledge and buy-in, developers and security professionals can integrate automated testing into build chains, automate builds, and enforce security and compliance policies in code.
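The post describes two ideas without showing what they look like in practice: provisioning cloud services through a cloud-agnostic tool like Terraform, and enforcing security and compliance policies in code as part of an automated build chain. The following is an added example (not from the SANS survey or this post) of the second idea applied to the first: a small policy-as-code gate that reads the JSON a Terraform plan is rendered to (`terraform show -json`) and fails the pipeline when a planned resource violates a rule. The three rules, their identifiers (`SG-001`, `S3-001`, `RDS-001`), the allowlist of internet-facing ports, and the sample plan are all assumptions made for illustration; the plan structure (`planned_values.root_module.resources`, `child_modules`) and the AWS provider attribute names are those Terraform emits.

```python
# Policy-as-code gate for a Terraform plan, meant to run as a CI step before `terraform apply`:
#   terraform plan -out=tfplan && terraform show -json tfplan > plan.json
#   python plan_policy.py plan.json        # exit status 1 on any finding
# Added example; the rules, rule IDs and port allowlist below are assumptions, not a standard.
import json
import sys
from dataclasses import dataclass

PUBLIC_OK_PORTS = {80, 443}          # assumed allowlist: ports accepted as internet-facing
WORLD = {"0.0.0.0/0", "::/0"}        # CIDRs that mean "the whole internet"


@dataclass(frozen=True)
class Finding:
    rule: str
    address: str
    message: str


def _resources(plan):
    """Yield every planned resource, descending into child modules."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return walk(plan.get("planned_values", {}).get("root_module", {}))


def _open_to_world(rule):
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    return bool(cidrs & WORLD)


def _beyond_allowlist(rule):
    if str(rule.get("protocol")) == "-1":          # "-1" means every protocol and port
        return True
    ports = set(range(int(rule.get("from_port", 0)), int(rule.get("to_port", 0)) + 1))
    return not ports <= PUBLIC_OK_PORTS


def check_security_groups(res):
    """SG-001: an ingress rule reachable from anywhere on a port outside the allowlist."""
    if res.get("type") != "aws_security_group":
        return
    for rule in res.get("values", {}).get("ingress") or []:
        if _open_to_world(rule) and _beyond_allowlist(rule):
            yield Finding("SG-001", res["address"],
                          f"ingress {rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')} "
                          "reachable from the whole internet")


def check_public_buckets(res):
    """S3-001: a bucket ACL that grants anonymous read or write."""
    if res.get("type") in ("aws_s3_bucket", "aws_s3_bucket_acl"):
        acl = res.get("values", {}).get("acl")
        if acl in ("public-read", "public-read-write"):
            yield Finding("S3-001", res["address"], f"ACL '{acl}' grants anonymous access")


def check_unencrypted_databases(res):
    """RDS-001: a database instance planned without encryption at rest."""
    if res.get("type") == "aws_db_instance" and not res.get("values", {}).get("storage_encrypted"):
        yield Finding("RDS-001", res["address"], "storage_encrypted is not true")


CHECKS = (check_security_groups, check_public_buckets, check_unencrypted_databases)


def evaluate(plan):
    """Return every policy finding in the plan, in resource order."""
    return [f for res in _resources(plan) for check in CHECKS for f in check(res)]


# Constructed sample in the shape `terraform show -json` emits (only the fields read here).
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "values": {"storage_encrypted": True}}],
    "child_modules": [{"address": "module.analytics", "resources": [
        {"address": "module.analytics.aws_db_instance.warehouse", "type": "aws_db_instance",
         "values": {"storage_encrypted": False}}]}]}}}


def main(argv):
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    findings = evaluate(plan)
    for f in findings:
        print(f"[{f.rule}] {f.address}: {f.message}")
    print(f"{len(findings)} finding(s)")
    return 1 if findings else 0     # non-zero exit fails the pipeline stage


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and reports three findings (the SSH rule open to the world, the public bucket ACL, and the unencrypted database inside the child module) while leaving the HTTPS rule and the encrypted database alone. Because the check runs against the plan rather than against live infrastructure, it sits in the pipeline at the same speed as a unit test, which is the property the survey says most organizations are missing: the gate blocks the change before anything is deployed, and the rules live in version control next to the code they govern, so adding or relaxing one is itself a reviewed change.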
To learn more about the survey and ways to move security into code, download A SANS Survey: Rethinking the Sec in DevSecOps: Security as Code.