The race to out-innovate one’s competition has led to high performing organizations chasing increased deployment velocities but often ignoring the quality of parts being used to manufacture their applications. It was 2003 when Bruce Schneier (@schneierblog) penned, "Today there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality."
As nimble organizations deliver new innovations using DevOps principles, adversaries are also upping their game, something we saw in a series of high profile and devastating cyber attacks last year. Adversaries have the intent and ability to exploit security vulnerabilities in the software supply chain - and in some cases plant the vulnerabilities themselves. They have increased scale through automation and improved breach success through precision targeting. If the IT industry doesn’t fight back by doing the same - automating security directly in the DevOps pipeline, then we’ll never be able to win.
The industry currently lacks meaningful open source controls. The most common way to introduce controls is through the application of open source governance policies across a software supply chain. But, when over 5500 IT professionals were asked if their organisation employed open source governance policies, just 63% responded positively. That percentage degraded further when participants were asked if they followed the policy. For those without a DevOps practice just 25% of said they both had an OSS governance policy and adhered to it. Effectively, 75% of those who don’t deploy a DevOps strategy, either ignore policies or don’t have one at all.
Further evidence of the lack of cybersecurity hygiene was revealed by 67% of survey participants who admitted to not having meaningful controls over what open source components are used in their applications.
Modern software supply chains can only operate safely when protected with automated security and quality assessments of these upstream open source components and containers.
This sentiment was echoed in Forrester’s Top Recommendations For Your Security Program (March 2018) where analysts advised, "Automate faster than evil does. If you thought your security team struggled with alert volume — and alert fatigue — then you Manual methods to detect, investigate, and respond to threats will guarantee
failure in the near future."
Key takeaways:
- Real-world examples of how large and small companies are implementing DevSecOps practices in their own delivery pipelines, and increasing developer awareness to risks
- Key insights from the 2019 DevSecOps community report - including the top investments for automated security
- A walkthrough of how security principles have been automated into a CICD pipeline and what standards for implementation are beginning to follow suite
- Why DevSecOps is more than a buzzword, and why it’s vital to protecting your software supply chain
- How automating security of policies makes it harder to ignore
