As enterprises increasingly embrace cloud innovation, there is the inevitable move of more and more sensitive applications and workloads to the cloud. DevOps is at the center of this migration, facilitating business scalability and innovation that’s needed for success. But with the threat landscape evolving at breakneck speed, it’s getting increasingly difficult for enterprises to secure their application testing, development, and production environments.
Released this week in concert with the RSA Conference in San Francisco, a new report from KPMG touches on a number of topics related to cybersecurity, including application security (AppSec). No longer relegated to its own silo, DevOps must be integrated into the broader security ecosystem. KPMG Principal and Cyber Security Global Co-Leader Tony Buffomante explains: “As SecOps teams work to integrate security priorities with software and process development, essential task should be automated wherever possible across analytics-based solution—from access and fraud alerts to data privacy and risk mitigation, to name just a few—for both effectiveness and cost reduction.”
BUSINESS ALIGNMENT, AUTOMATION, AND OTHER REPORT TAKEAWAYS
Following are some of the key takeaways for those interested in AppSec from the KPMG report.
Security as an end-to-end priority
To bridge the divide between cybersecurity on one side and business acceleration through digital transformation on the other, CISOs must have a firm grasp of the business and build bridges and alliances with key business stakeholders. Security teams, according to the report, “must become strategic, forward-thinking resources for the business.” To do so, security teams must regularly communicate with business leaders about what the organization needs to worry about today. It is only through these collaborative interactions with business leaders and DevOps teams that CISOs can elevate security to an end-to-end priority.
Automation of application security is critical
Automation is a key focus for technology and security leaders across multiple functions. The KPMG report notes that “companies are working hard to automate functions that have been purely manual by pulling together historically disparate data sets.” Today, enterprises can gather as much data as they want when it comes to things like identity authentication and threat detection. And security teams are now able to combine third-party tools with in-house solutions to innovate and automate security solutions, while aligning with business objectives as well.
Traditional AppSec is an area replete with manual, time-consuming processes that slow development cycles and create significant inefficiencies. KPMG Principal Steve Barlock in the report calls for "automation in the build process through DevOps." He believes that automation and security should work together. This should be done "to the extent that you can reduce manual configuration in that environment and automate builds.” And it simply isn’t for testing and development; AppSec needs to extend to production environments, delivering end-to-end protection. “On the operation side," he observes, "you have the potential to automate controls and monitoring on the backend. I think that is going to be a key technique for handling the scale that comes with cloud."
Leveraging instrumentation, Contrast DevOps-Native AppSec Platform is integrated into applications, providing continuous application testing and development. This enables development teams to automate vulnerability identification. This saves development teams significant time tracing down vulnerabilities and investigating false positives. For production environments, Contrast Protect runtime application security (RASP) runs within the application. This provides real-time identification of attacks so that security and development teams can remediate vulnerabilities quickly and effectively.
Ensuring compliance with regulations
Technology risk is increasingly equated with an organization’s ability to comply with industry regulations and security standards. This has not gone unnoticed by the C-suite and board of directors as well. This growth in compliance focus is exacerbated by variances from country to country. The KPMG report explains it as following: “With so many countries having issued rules to comply with certain elements of the General Data Protection Regulation [GDPR], or their own privacy laws, we’re seeing—especially with larger multinational companies—the creation of new, proactive data management departments.”
These regulations are accompanied by security standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. All aspects of security, including DevOps, now require regular auditing and compliance verification—whether by external auditors or internal constituents.
These regulations stipulate that cyber resiliency must be embedded into the overall application architecture and processes. Unlike legacy static application security testing (SAST) and dynamic application security testing (DAST), Contrast’s continuous, instrumentation-based AppSec combines SAST, DAST, software composition analysis (SCA), and interactive application security testing (IAST) into the application. Additionally, Contrast extends security beyond the build and development phase of the software development life cycle (SDLC) to production with runtime application self-protection (RASP). This end-to-end DevOps-Native AppSec Platform builds compliance reporting directly into the application, thereby obviating the need for an additional security specialist to generate compliance reports.
Implications for Security and Development Teams
The KPMG report highlights a long list of cybersecurity focus areas for 2020. For AppSec, there are three key takeaways that security and development teams can apply to their 2020 AppSec strategies:
Integrations are critical. Many DevOps teams rely on multiple clouds, containers, and microservices for application testing, development, and production. The ability integrate with this alphabet soup of technologies is key. Security and development leaders need to seek out an AppSec platform that provides seamless deployment and management within any number of DevOps solution configurations.
Speed of DevOps. Business acceleration is a critical measurement for CEOs, and digital transformation must deliver at the speed and agility this requires. AppSec must enable development teams to code and release faster while gaining operational momentum. Too often developers are reticent to embrace AppSec because it slows these cycles.
C-suite and board priorities. DevOps environments are typically seen as a hotbed of digital innovation by CEOs and the board of directors. And while the majority of CEOs and even board of directors cite cybersecurity as a top priority today, they concurrent admit that they are willing to sacrifice security for the sake of business speed and agility.
Executives such as the CIO or CTO need a clear understanding of the vulnerabilities their organizations face and how those translate into organizational risk. Security leaders must articulate DevOps vulnerabilities and the attacks that can exploit them into a lingua franca that developers as well as the C-suite and board of directors can understand. Until they do so, application security will not be shown the attention it needs.
Modern DevOps-Native AppSec
Digital transformation presents businesses with immense opportunities, and DevOps is an area where significant rewards are being reaped. Yet, without a modern AppSec platform, DevOps initiatives can be delayed, waste valuable time and money, and expose organizations to serious risk. Contrast DevOps-Native AppSec Platform transforms old-school AppSec technology and practices into capabilities that save time and money while lowering risk by focusing on the vulnerabilities that matter.