Security experts from leading organisations in Australia discuss the rise and rise of modern application security
The role of security in application deployment is changing. Security checks were previously performed towards the end of the development process; today, with continuous integration and continuous delivery or deployment (the CI/CD pipeline), development, security and operations are considered in parallel.
Daniela Fernandez, Head of Information Security at PayPal Australia, remembers the days when teams would spend months thinking about building and then testing applications before the security team got a look in.
“More often than not, flashy features from these applications had to be removed because they just didn’t pass the security standards,” she says.
Fernandez notes that, back in those days, security was seen as an inhibitor – the red tape limiting creativity and innovation.
Robert Owens, Chief Solutions and Technology Officer for the fintech start-up, Parakeet, has similar recollections.
“Once the app or product was deployed, once it was ready to be released into production, that’s when you would commission a penetration test or run vulnerability scanning. That would be very much towards the tail end of a project, once all the feature development had been done,” he says.
“When you did this, you naturally got a laundry list of issues, and because it had been pushed back to as late as humanly possible it was quite a challenge to then determine how all the issues could be addressed.”
Today, adding the ‘Sec’ element means security has become an integral part of the DevOps way of working. Security is now considered throughout the entire end-to-end life cycle of DevOps, from planning all the way through to integration, deployment and then operating and learning from that, continuously improving.
Security is now everyone’s responsibility, including the developers who must ensure every code change is made reliably and securely. The new mantra is: ‘You build it, you secure it’.
Telstra’s Cyber Optimisation Principal, Stephen Bryant, describes the new way of working like this:
“DevSecOps is the formation of development, security and operations roles into one team with a unified process and common set of tools. It encourages all functional areas (dev, sec and ops) to understand each other, work together and share accountability.”
MYOB’s Head of Information and Cyber Security, Peter Wolski, believes the model encourages collaboration in cross-functional teams.
“We’ve given a lot of ownership of security to the engineering teams, so they take it seriously. And we are there to strongly support them,” he says.
Way of the Future
As long as software is suited to a DevOps approach, there’s a strong argument for DevSecOps to be included in every application delivery lifecycle.
Security can no longer be an afterthought, with code being handed to security late in the development process. Security must ‘shift left’ and be baked into the process right from the start.
Parakeet’s Chief Solutions and Technology Officer, Robert Owens, understands the importance of bringing in security earlier. He advocates more testing, more automation and more integration.
“If you don’t do it as part of the lifecycle, it’ll end up costing you more,” he says. Owens admits it’s easy, especially for start-ups, to duck the issue.
“People might say, ‘We don’t need a pipeline, we don’t need CI/CD because it’ll take us a month to build it. Whereas if I keep manually running the tests, I can just hit the deploy button now’,” he says.
“That’s okay while you’re bootstrapping things for the first couple of months. But as you start getting into production, and you start getting customers, your opportunities to build those automated processes and those security processes into your life cycles start to close out – because you’re addressing customer requirements, you’re doing sales, you’re doing bug fixes.
“You lose the window to put these things in, which means the only time you’re ever going to get to fix them is when a problem’s identified. If you’re lucky you’re the one who picks that up. If you’re unlucky it’s your customers who discover it. If you’re really unlucky, someone that you definitely don’t want to find it finds it.”
Embedding security by design also speeds up the process. DevSecOps lets security testing run seamlessly and automatically at the same time as other development and testing work. The earlier a developer finds a flaw, the faster the fix. By putting security scans and their results into the software development workflow, DevSecOps removes many of the barriers to resolution.
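The paragraph above describes putting scan results directly into the delivery workflow; the concrete form that usually takes is a pipeline gate that reads the scanners' output and decides whether the build may proceed. The following is an added illustration, not code from the original article or from any of the organisations quoted in it. It assumes a simplified, constructed finding format standing in for real SAST (static analysis) and SCA (dependency) reports, and a small exceptions list so that medium findings can be accepted with a justification and an expiry date instead of silently ignored.

```python
"""Added example: a CI/CD security gate that turns scan output into a build decision.
Illustrative code, not any tool's or company's own; the input format is a constructed,
simplified stand-in for what a SAST or SCA scanner would emit."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    tool: str      # "sast" (static code analysis) or "sca" (dependency analysis)
    rule: str      # rule id for SAST, advisory id for SCA (placeholders here)
    severity: str  # "critical", "high", "medium" or "low"
    location: str  # file:line for SAST, package==version for SCA


# Constructed sample findings, as a pipeline step would hold them after parsing
# the scanners' reports. None of these refer to real advisories or real code.
SAMPLE_FINDINGS = [
    Finding("sast", "sql-injection", "high", "app/db.py:42"),
    Finding("sast", "hardcoded-secret", "critical", "app/config.py:7"),
    Finding("sast", "missing-csrf", "medium", "app/views.py:118"),
    Finding("sca", "ADVISORY-PLACEHOLDER-1", "high", "requests==2.19.0"),
    Finding("sca", "ADVISORY-PLACEHOLDER-2", "low", "urllib3==1.24"),
]

# Exceptions are keyed on (tool, rule, location) so they cannot blanket-suppress a rule,
# and each carries a justification plus an expiry date so the debt is time-boxed.
SAMPLE_EXCEPTIONS = {
    ("sast", "missing-csrf", "app/views.py:118"):
        ("internal admin endpoint, only reachable behind SSO", date(2030, 1, 1)),
    ("sast", "sql-injection", "app/db.py:42"):
        ("fix tracked in TICKET-PLACEHOLDER", date(2020, 1, 1)),  # expired: no longer suppresses
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def is_suppressed(finding, exceptions, today):
    """An exception only counts while its expiry date has not passed."""
    entry = exceptions.get((finding.tool, finding.rule, finding.location))
    return entry is not None and entry[1] >= today


def evaluate_gate(findings, exceptions, today, fail_at="high"):
    """Classify findings and decide whether the pipeline may continue.

    Anything at or above `fail_at` that is not covered by a live exception blocks
    the build; everything else is reported but does not stop delivery.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking, suppressed, informational = [], [], []
    for f in findings:
        if is_suppressed(f, exceptions, today):
            suppressed.append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            blocking.append(f)
        else:
            informational.append(f)
    return {
        "passed": not blocking,
        "blocking": blocking,
        "suppressed": suppressed,
        "informational": informational,
    }


def format_report(result):
    """Short text summary suitable for a pipeline log or a pull-request comment."""
    lines = ["SECURITY GATE: " + ("PASSED" if result["passed"] else "FAILED")]
    for label in ("blocking", "suppressed", "informational"):
        for f in result[label]:
            lines.append(f"  [{label}] {f.tool} {f.severity:<8} {f.rule} at {f.location}")
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, date.today())
    print(format_report(outcome))
    raise SystemExit(0 if outcome["passed"] else 1)  # non-zero exit fails the CI job
```

Run as a pipeline step, the non-zero exit code is what makes the build fail rather than merely warn, which is the difference between a scan that informs and one that enforces. The expired exception on the SQL-injection finding shows why expiry dates matter: the finding resurfaces as blocking automatically instead of staying hidden until someone audits the exceptions file.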
But it’s not only about the speed that comes from automation and finding security issues early, it’s also about better cultural alignment between engineering and security.
Embedding security in DevOps teams promotes closer working relationships and results in better attention to security needs. This can support enhanced security, continuous improvement and ongoing business value.
At Telstra, where software engineers have for almost five years been supported by secure-code and security-tooling teams and have used automated static application security testing (SAST) and software composition analysis (SCA) tools, the results have been positive.
“We experience the best results when software teams engage with our application security experts early in the development cycle, integrate their development environments with our standard security tooling and maintain active communication,” Telstra’s Cyber Optimisation Principal, Stephen Bryant, says.
“Obviously, the culture and the operational excellence will vary depending on the experience, skills, and resourcing of each team, but we’ve seen great results to date.
“We see substantial improvements when developers, maintainers and security personnel collaborate using DevSecOps. It results in faster delivery on security considerations, and an increased security maturity level.”