Shifting Left and DevSecOps
DevSecOps extends the DevOps workflow to include automated security processes and tooling, giving you continuous and frictionless security testing that replaces disruptive bottlenecks at the end of the development process. This tighter integration also leads to better security outcomes, such as fewer vulnerabilities and enhanced compliance.
Shifting security left means baking security best practices into an application from the earliest design phases. Because it asks developers to accept shared responsibility for application security, shifting left requires them to work closely with the security team throughout the software development life cycle.
Shifting left is not just a change of mindset. It also means equipping the development team with automated security tooling that supports their agile DevOps culture. According to the 2020 DevSecOps Community Survey, 47% of developers stated that they know security is important, but they don’t have time to spend on it. The types of tools that make security a frictionless part of development workflows include:
- Static application security testing (SAST) for automated white-box vulnerability and compliance testing of uncompiled application code as it is being written
- Dynamic application security testing (DAST) for automated black-box vulnerability and compliance testing of compiled code across all environments, from development to testing and production
- Interactive application security testing (IAST) for automated testing of web and mobile applications, working from within to detect and report runtime issues (Although it runs on post-build code, IAST leverages code instrumentation to alert developers to specific problematic lines of code.)
- Source composition analysis (SCA) to discover all application dependencies, such as open-source frameworks and libraries, and scan them for known vulnerabilities as well as for licensing compliance
- Container scanners to provide vulnerability and compliance assessments as well as workload protection for containers, from development through runtime
The Benefits of DevSecOps for Your Business
According to the National Institute of Standards and Technology (NIST), the cost of fixing a security issue after deployment into production can be 30 times higher than if it is caught and dealt with in the earliest stages of the software development life cycle. Beyond the high direct costs of fixing a security issue late in development, an application that has already been deployed into production can also incur significant indirect costs related to end-user experience and satisfaction, loss of revenue, and brand damage.
In addition to catching security issues earlier, other ways that DevSecOps practices yield measurable business benefits include:
- Faster deployment speeds are correlated with higher profitability. Our analyses have shown that organizations implementing DevSecOps effectively deploy code 46 times more frequently and 46% faster. Plus, with DevSecOps, faster, more frequent, and more successful deployments are achieved without sacrificing security.
- Similarly, the agile DevSecOps approach to change management promotes greater speed and innovation in response to rapidly changing needs. Well-implemented DevSecOps workflows improve lead times, allowing your teams to deliver business value faster.
- DevSecOps unloads some of the stress that is typical in today’s overstretched security teams. Forbes makes it clear that, as we enter 2021, the shortage of experienced cybersecurity professionals is only going to get worse. Freeing up your security professionals from routine security tasks helps close potential cybersecurity gaps, with the added benefit of letting your security team focus on more strategic security issues that can improve business outcomes.
- DevSecOps improves security posture management and cuts compliance and governance costs by automating the collection of metrics and proof of controls. The 2020 DevSecOps Community Survey shows that DevOps/DevSecOps-mature organizations are two times more likely to have incorporated automated governance and compliance into their development process. Automated and continuous security posture management, including monitoring and remediation, ensures that your company is ready for an audit at any time.
- DevSecOps monitoring and remediation practices reduce the mean time to resolve (MTTR) security incidents, which is a business-critical KPI. Although preventing an incident is the primary goal of DevSecOps, quickly identifying and mitigating a breach is an important benefit of advanced security controls across all environments, including on-premises, cloud, and hybrid production environments. In our thorough analysis of the Sunburst attack that headlined 2020, we show how well-implemented security best practices, including network mitigation and automated event analysis, contribute to significantly faster identification and remediation of the breach.
Yet another important benefit—and one that is often forgotten—is that DevSecOps positions your company to take full advantage of the cloud-native infrastructures and technologies that are key to maintaining a competitive edge in today’s digital world.
Developing a DevSecOps Culture
DevSecOps is not just a set of best practices. It merges what are often considered two conflicting goals—secure code and speedy delivery—into a single process. DevSecOps requires a culture of openness and transparency in which development, operations, and security teams are prepared to collaborate, each taking on new roles and learning new skills in order to achieve constantly improving outcomes.
In reality, however, the road to DevSecOps is often strewn with obstacles. In the GitLab 2020 DevSecOps Survey, 28% of the developers stated that they are handling security on their own, while 65% of security teams indicated that their organizations have “shifted left.” Still, only 25% of organizations could claim that automated testing is carried out on code being written, and in many organizations, developers do not have access to SAST and DAST scan reports.
The DevSecOps Manifesto is an excellent guide for understanding the values around which organizations should be building their DevSecOps culture. Some key issues to keep in mind include:
- Security shares the same corporate values around which the development team, operations, and other stakeholders are aligned.
- Security teams should seek to add value without creating friction, becoming enablers rather than constrainers.
- Innovation is a core shared value, but data must be protected at all stages of the software product life cycle.
- Security and compliance should be consumed as services in a Security as Code approach.
- Continuous monitoring and advanced security testing should be used to proactively identify anomalies, after which all teams should rally around actionable remediation steps.
The DevSecOps Stack
DevSecOps requires a stack of tools that cover the full range of requirements, including continuous integration (CI), source code version control, continuous testing and monitoring, containerization, orchestration, configuration management and deployment, cloud/hybrid network security and intelligence, cloud security posture management, and workload protection.
The Check Point Approach to DevSecOps
For a number of years now, Check Point has argued that DevSecOps is simply DevOps done right. After all, no organization intends for its CI/CD pipelines to deploy workloads, services, or applications that endanger its networks and systems.
Check Point CloudGuard is a cloud-native security platform that delivers an array of advanced security solutions to support DevSecOps best practices across an organization. Out-of-the-box CloudGuard seamlessly integrates with all of your platforms and applications to instantly protect your assets. It is also easily customized with a flexible rules-engine and an easy-to-understand Global Security Language (GSL) syntax.
CloudGuard provides advanced and proactive threat prevention with dynamic scalability, intelligent provisioning, and consistent control across all networks (physical and virtual), from CI/CD to production. Its key features include:
- Cloud Network Security: CloudGuard network security gateways use a zero-trust approach to deliver advanced threat prevention while upholding all of the benefits of cloud infrastructure such as automation, agility, scalability, high availability, elasticity, and efficiency. CloudGuard uses deep traffic inspection and highly granular matching policies to identify and block intrusion attempts in real time. CloudGuard enforces a consistent corporate security policy from a single management console, letting you view security events across complex environments and correlate events to applications and policies.
- Cloud Security Posture Management: CloudGuard’s High Fidelity Posture Management (HFPM) lets your organization shift security left with confidence. CloudGuard’s seamless integration with template-oriented Infrastructure as Code tools used in CI/CD, such as CloudFormation and Terraform, ensures that compliance with regulatory standards and security best practices is always up to date and consistently enforced (including auto-remediation)—from pre-deployment assessments to automatic scaling across hundreds of thousands of cloud assets. CloudGuard HFPM also provides granular, intuitive, and end-to-end security posture visualization.
- Workload Protection (Containers & Serverless): CloudGuard’s comprehensive solution automatically delivers observability, least-privilege access, and active threat prevention for all modern workloads, including serverless functions, containers, and microservices. It also automatically secures containers and Kubernetes services, ensuring compliance with industry standards and benchmarks and providing auto-remediation for continuous security and compliance. CloudGuard likewise protects serverless functions automatically via behavioral and least-privilege defenses, with little to no impact on function performance.
- Web Application and API Protection (WAAP): ML-based Deep Application Contextual Analysis ensures that web applications benefit from maximum security with minimal false positives. CloudGuard AppSec protects applications regardless of where they are deployed—in the data center or on private or public clouds—and automatically adapts to changes in network architecture or CI/CD processes. It works across all application architectures, including modern, highly distributed API-based applications, where it automatically validates API requests and patches vulnerabilities as required.
- Cloud Intelligence and Threat Hunting: CloudGuard Intelligence ingests, enriches, and analyzes cloud-native log and event data from all of your cloud providers to deliver highly contextualized and comprehensive visualizations of your public cloud infrastructure’s security status. CloudGuard Intelligence identifies and investigates security threats using Check Point’s ThreatCloud, the world’s most comprehensive security intelligence database. Based on user-defined criteria, CloudGuard issues real-time intrusion detection and policy violation alerts. In addition, all Check Point enforcement points, including CloudGuard gateways, are updated automatically if threat emulation on any Check Point appliance—anywhere—generates a new threat signature.
DevSecOps is a natural evolution of the CI/CD culture of rapid application delivery. The shift-left DevSecOps approach means that developers must get the security tools they need for frictionless testing and remediation throughout the software development life cycle. That investment in DevSecOps has been shown to deliver returns at many levels. It catches security issues much earlier, when they are less expensive to fix, and generally reduces the MTTR of security incidents. It also improves security posture management while cutting compliance and governance costs. Plus, it accelerates deployment speed and improves lead times so that business value can be captured faster.
Check Point CloudGuard is a cloud-native security platform that delivers an array of advanced security solutions to support DevSecOps best practices across an organization, from cloud network security, cloud security posture management, and workload protection to web app and API protection as well as proactive threat intelligence and prevention.