Sonrai CEO: Next Phase of DevSecOps Starts Now
Organizations of all sizes need to start shifting toward a new phase of DevSecOps that finally unifies application development and security workflows, according to Sonrai Security CEO Brendan Hannigan.
After launching the Sonrai Dig platform that continuously monitors applications based on microservices to identify potential security risks, Hannigan said the time has come to move beyond simply putting security tools in the hands of developers. In its place is emerging a DevSecOps phase that enables developers and cybersecurity teams to work more collaboratively in near real-time.
As the founder of Q1 Labs, a security intelligence platform acquired by IBM, and chairman of Twistlock, a provider of a container security platform, Hannigan has seen more than a few cybersecurity epochs. What is changing now, he said, is that for the first time there are security posture management tools that enable cybersecurity teams to proactively verify the proper controls are in place without having to be directly embedded in the application development process.
The first phase of DevSecOps was marked by getting more cybersecurity tools into the hands of developers. This next phase will be defined by integrated DevSecOps workflows created to address the unique attributes of cloud-native applications built on microservices, Hannigan said.
As each microservice is constructed, it becomes instantly possible to understand its security implications using a set of graph-based tools that not only discover the microservices but also surface every potential security issue an organization needs to consciously approve. The core issue cybersecurity teams are contending with today is that, given all the dependencies that exist between microservices, it is not possible to know whether a microservice that has just been deployed has implicitly given existing microservices permission to access data in ways that no one in the IT organization can easily see or comprehend.
Much of the current focus on DevSecOps is being driven by incidents involving, for example, S3 buckets on the Amazon Web Services (AWS) public cloud with ports that have been left open because of misconfigurations introduced when developers employed tools such as Terraform to automate the provisioning of infrastructure. When most application workloads were deployed in an on-premises IT environment, most infrastructure security issues were addressed by an internal cybersecurity team. Now that infrastructure is managed as code in the cloud by the developer, that review process has been effectively eliminated.
Hannigan is not making a case for a return to legacy cybersecurity processes. Rather, cybersecurity processes should be modernized to align with application development processes, which takes DevSecOps to the next level, he said.
Human errors in the form of misconfigurations and escalated privileges have become the bane of cloud security. It is not that cloud platforms are any less secure than on-premises IT environments; however, the speed, scale and complexity of the application environments make it almost impossible for organizations to consistently ensure application security under a shared responsibility model. Cloud service providers have made it abundantly clear that securing applications running on their platforms is not their job. The only thing they are promising is to secure the infrastructure on which those applications run.
As such, it is the responsibility of the cybersecurity team to align their workflows around how modern applications are built, deployed and ultimately secured. Developers are clearly starting to assume more responsibility for embedding the appropriate security and compliance controls in their applications before they are deployed in a production environment. It is now time for cybersecurity teams to re-engineer their own processes to verify those controls are in place because, as everyone knows, the road to cybersecurity hell is always paved with good developer intentions.
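The Terraform-driven S3 misconfigurations mentioned earlier and the verification workflow described in this last paragraph can both be illustrated with a small posture check that a security team could run against a Terraform plan before it is applied. This is an added example, not Sonrai's code or a Sonrai Dig feature; it assumes a plan document shaped like the output of `terraform show -json` (reduced to the fields used) and uses a constructed sample containing one exposed bucket beside one correctly locked-down bucket.

```python
import json

# Constructed sample plan (assumption: mirrors the planned_values layout of
# `terraform show -json`, trimmed to the attributes this check reads).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "values": {"bucket": "example-logs", "acl": "public-read"}},
  {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
   "values": {"bucket": "example-data", "acl": "private"}},
  {"address": "aws_s3_bucket_public_access_block.data",
   "type": "aws_s3_bucket_public_access_block",
   "values": {"bucket": "example-data", "block_public_acls": true,
              "block_public_policy": true, "ignore_public_acls": true,
              "restrict_public_buckets": true}}
]}}}
""")

# Canned ACLs that grant access beyond the bucket owner's account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
# All four flags of aws_s3_bucket_public_access_block should be true.
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def check_s3_exposure(plan):
    """Return (resource address, finding) pairs for every planned S3 bucket
    that would need conscious approval from the security team."""
    resources = plan["planned_values"]["root_module"]["resources"]
    buckets = [r for r in resources if r["type"] == "aws_s3_bucket"]
    # Index public access blocks by the bucket name they protect.
    pab_by_bucket = {r["values"]["bucket"]: r["values"] for r in resources
                     if r["type"] == "aws_s3_bucket_public_access_block"}
    findings = []
    for b in buckets:
        acl = b["values"].get("acl", "private")
        if acl in PUBLIC_ACLS:
            findings.append((b["address"], f"public ACL '{acl}'"))
        pab = pab_by_bucket.get(b["values"]["bucket"])
        if pab is None:
            findings.append((b["address"], "no aws_s3_bucket_public_access_block"))
        else:
            missing = [f for f in PAB_FLAGS if not pab.get(f)]
            if missing:
                findings.append((b["address"],
                                 "public access block incomplete: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for address, finding in check_s3_exposure(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

Run in a CI step on `terraform show -json tfplan` output, a non-empty result fails the pipeline and hands the reviewer the exact resources that need a deliberate approval rather than a silent apply.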