Security at the Speed of DevOps
Attackers move at speed and DevOps needs to too. In a world where all systems are exploitable what do you exploit to keep up and stay secure? Twenty percent of organisations are estimated to have had a breach (or suspected breach) due to open source components in the last 12 months alone. On top of that, we are now close to a future where viruses can learn and humans still remain as easy to social engineer as ever. So, what do we do? In a fast- moving, content- packed presentation by Adam McMurchie, the Head of DevOps at Barclays Bank during the recent UK Elite CISO Summit, delegates were given some top tips. Here is a taster of what he covered.
"When it comes to pragmatic DevSecOps, if you aim for everything, you may end up with nothing"
Adam McMurchie, Head of DevOps, Barclays Bank PLC
Gaining Consistency in DevSecOps
Like everything else in security, strategy and a canny approach will give you foundations that flex with the speed of the attackers’ innovation. Here are six suggestions:
Code - release code in small chunks and use a ‘microservice architecture’ approach while sitting code in development scrums.
Change - the ITIL approach is broken. Why? Additional fixes do need to be and can be done on- the-fly, and remember EMCRs aren’t always an emergency!
Compliance Monitoring - it can actually be a good thing. By applying a continuous auditing approach, you can actually help yourself get ahead of the curve by picking up evidence as you work and before it is asked for. Toolwise, Checkmarx was a recommendation here.
Infrastructure - Take the position of ‘Everything as Code’
People - it’s all about education and motivation and the ‘carrot and stick’should stay in the last century. As an extrinsic driver it does not work over the long-term and does not motivate people to be aware and care. What we do know is that you need to remediate your people vulnerabilities and essentially that comes down to training and for that to be successful you need to make it relevant to them.
Vulnerabilities - it’s all about consolidation and the removal of duplication. Self-healing networks and infrastructure can be created by pro-active patching, fixing and periodic pen- testing as a part of the DevOps cycle.
Oiling the Development Cycle Wheels
If we’re moving fast, how do we oil the dev cycle wheels to make the security / development balance easier to achieve? A toolbox suggested by McMurchie included:
Communications Tools - apps like ‘Slack’ and ‘Chat’ give users the opportunity to report and act on things quickly with quick react buttons that can be installed in toolbars.
Hack the backlog - these user stories and experiences can be used as a part of threat hunting and education for teams.
Make your pipelines smart - automating your automation through taking your Jenkins/CICD logs, parse building code as a label and training a Neural Network in your systems to identify patterns.
Governance- as- Code - opt for a governance as code standpoint with all human and non- human activities controlled by a change co-ordinator. Applying a release tool (such as UrbanCode or XL release) is important.
Code Amnesty - only in an environment where anyone is free to put their hand up without fear of reprisal or being considered they are wasting time can a true security culture thrive. A code amnesty gives everyone the chance to put forward half-finished code for others to pick up or to declare buggy code without reparations.
Tools that can help - the following are tool suggestions to help maximise time and efficiency: Cyberchef, Hack the Box, Pwned, My Compendium, Digital Attack Map.
The demands of our commercial world are not ceasing from market competition to proactive defence, and this requires re-thinking DevOps from the bottom-up by innovating both processes and tools to deal to keep pace.