Whether it was the millions of users left vulnerable by Fortnite, or hackers gaining access to Dunkin’ customer accounts, 2019 has already seen some of the worst data breaches to date. To combat these types of attacks and vulnerabilities, organizations must be more cognizant of their security, and embrace a DevSecOps approach. And to do so, it is imperative that they provide the proper education and training for every facet of the organization.
But educating an organization about security is not only a matter of adding knowledge: some practices and technologies should be encouraged, others actively discouraged, and the material must be tailored to each audience. How people learn, and how that learning fits into a DevSecOps workflow, deserves as much attention as what they learn.
Whether the topic is security training, metrics, skills or security champions, it's important to understand how each audience fits into the DevSecOps scope. In this blog post, I'll break down five tips for security training to achieve DevSecOps.
Security As A Shared Responsibility
First and foremost, DevOps teams need to learn that security is a responsibility they share with the security team. Without that shared ownership, DevSecOps is impossible, and without DevSecOps, DevOps will not be secure. DevOps and security staff need to be taught to discuss security issues together, so that both sides see every implication a vulnerability carries: security, quality, legal and reputational, all at once.
Organizations will increasingly see their revenues, profits and brand loyalty impacted by their ability to create highly secure applications. And as more application-layer breaches are reported on by the media, security will need to be seen as a fundamental aspect alongside quality, stability, performance, functionality and ease-of-use.
Development and operations specialists should understand application vulnerabilities, their different categories and best practices to avoid making applications vulnerable. Without this training, developers and operations specialists likely won’t fully grasp just how important security is, and the effects it can have on the business.
Attackers exploit vulnerabilities that DevOps teams (typically inadvertently) created. For example, untrusted input concatenated into a SQL statement or a shell command, without validation or parameterization, leads directly to SQL injection or command injection. To combat this, DevOps specialists should be made security-aware and trained in secure programming practices, secure application configuration, and the use of secure libraries and frameworks (for example, database drivers that support parameterized queries).
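To make the two injection classes above concrete, here is an added example (mine, not code from the original post), showing each in its vulnerable form beside the hardened form. It assumes an in-memory SQLite table and the local `echo` binary; the table rows, the hostname rule and the inputs are constructed for the demo.

```python
"""
Added example (not from the original post): SQL injection and command
injection, each shown vulnerable and hardened. Runs offline against an
in-memory SQLite database and the local `echo` binary.
"""
import re
import sqlite3
import subprocess

# --- SQL injection -------------------------------------------------------

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Untrusted input is concatenated straight into the statement, so a
    # quote in `name` ends the literal and the rest is parsed as SQL.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # statement text, so quotes in `name` are data, never SQL syntax.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Command injection ---------------------------------------------------

# Assumed allowlist for this demo: a plausible DNS hostname and nothing else.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None


def echo_host_vulnerable(host: str) -> str:
    # shell=True hands the whole string to /bin/sh, so shell metacharacters
    # in `host` (here a ';') become additional commands.
    out = subprocess.run("echo " + host, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def echo_host_argv(host: str) -> str:
    # Passing argv as a list means no shell ever parses `host`; the ';' is
    # delivered to `echo` as a literal character.
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


def echo_host_hardened(host: str) -> str:
    # Defence in depth: reject anything that is not a plausible hostname,
    # then still avoid the shell by using the argv form.
    if not is_valid_hostname(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return echo_host_argv(host)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row
    print("hardened:  ", find_user_hardened(db, payload))    # no rows
    cmd_payload = "x; echo INJECTED"
    print(repr(echo_host_vulnerable(cmd_payload)))  # second command ran
    print(repr(echo_host_argv(cmd_payload)))        # literal string echoed
    print(is_valid_hostname(cmd_payload))           # False: rejected early
```

The SQL half shows why training should stress parameterized queries over "sanitizing" strings: the hardened query needs no escaping logic at all. The command half shows two independent layers, an allowlist check and avoiding the shell, either of which alone would stop this payload.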
Despite their obvious importance, traditional training courses have some challenges. They are often taken well in advance of the project in which the acquired knowledge will be applied, and if the lag between the end of the course and the start of the project is more than a few months, a trainee typically loses a great deal of what was learned.
To address this, the security market has begun offering just-in-time learning: short, contextual guidance attached to a specific finding and delivered at the moment the developer is fixing it. It usually comes in conjunction with application security testing technology such as SAST, DAST or IAST. Just-in-time learning fits the fast, minimal-delay DevSecOps paradigm well, because the lesson arrives together with the detected vulnerability and is applied immediately during remediation.
Avoid Making DevOps Specialists Security Experts
Application security technologies should be transparent to DevOps specialists, in the sense of being unobtrusive: low friction is a critical condition for the DevOps team to adopt them. Security tooling must not distract DevOps specialists from development and operations. Instead, DevOps specialists should be security-aware and apply best security development and deployment practices.
Yet they should not have to become experts in security technologies. Security tools should be invokable transparently by DevOps specialists directly from their IDEs and build servers, should test the application quickly, and should deliver results directly to whoever invoked them. DevOps should consume security results but be relieved of learning and operating sophisticated security detection and protection technologies.
Educate, Don’t Shame
When security technologies such as SAST, DAST, IAST and SCA present detected vulnerabilities to DevOps specialists, it should be a learning experience for them. Unfortunately, the process can be embarrassing. In the traditional workflow, test results go to managers first and only reach developers after that initial review. Developers inevitably make mistakes that cause vulnerabilities, and under this workflow those mistakes are revealed to managers and peers before the developer has had any chance to fix them.
Faced with "shame and blame," developers look for ways to minimize or sidestep the application security tooling altogether. Thankfully, modern technologies offer a way out. Modern SAST, for example, lets a developer invoke a test from the IDE and returns the results to that same IDE. The developer is the only one who sees the results; they review and remediate the vulnerabilities, run the test again, remediate again, and so on, until all findings are fixed, and nothing reaches managers or peers until then. Shame and embarrassment are replaced by education, and security is the reward.
By following these steps and providing adequate training and education for your teams, DevSecOps implementation will become a reality for your organization. Stay tuned for the next three parts in this series, which will explore best practices around security metrics, skills and champions in the industry.