The Benefits and Challenges of Implementing DevSecOps

Hey, everybody! You have highly assessed my previous article How to Turn A DevOps Pipeline Into a DevSecOps Pipeline: A Shift Left Concept Overview. So, today, I will continue to discuss the DevSecOps topic for you.

In this article, I will discuss technological challenges, review the most relevant safe development practices today regarding current industry demands, and share my view on industry trends and development vectors in the current realities.

Application Security Practice Transformation Pathway

Application Security is now mainstream. New information security challenges (e.g., increasing attacks on APIs and software supply chains) require more innovative and effective solutions. The continuous development of the market and its current demands lead to the emergence of new technologies and changes in the tool stack. To assess the overall picture, let's look at the Gartner Hype Cycle for Application Security 2023 report, which reflects current trends and the current level of development of existing information security tools.

The structure of the cycle shown in the graph consists of 5 phases:

• Innovation Trigger. It includes technologies just starting their journey in the information security space.
• Peak of Inflated Expectations. Technologies in this phase have some success stories but also failures. Companies are trying to adapt practices to their needs, but widespread adoption is still a long way off.
• Trough of Disillusionment. Interest in technologies in this phase is already waning as adoption is only sometimes successful.
• Slope of Enlightenment. At this stage, technologies have many precedents where they can be helpful to companies. New generations of tools are emerging, and demand for them is increasing.
• Plateau of Productivity. At this stage, technologies have clearly defined tasks and application areas and are on the vector of becoming mainstream.

Let's look at DevSecOps and today's most relevant and exciting secure development practices in terms of their impact on business, technology, and geopolitical challenges.

DevSecOps in current realities

According to Gartner, DevSecOps is a mature mainstream.

As defined by Gartner, DevSecOps is now in the "Plateau of Productivity" phase. The technology has already become a mature mainstream, reaching more than 50% of the target audience. The methodology enables security teams to keep pace with development and operations departments as they build modern applications.

The model provides deep integration of information security tools into DevOps and automation of all processes regarding the creation of secure software. As a result, DevSecOps helps businesses improve product security and compliance of applications and processes with industry and regulatory standards. It also reduces the cost of vulnerability remediation, improves Time-to-Market, and builds developer expertise.

To build an effective, secure development process, companies face several challenges:

• When AppSec practices are implemented incorrectly and the process is not aligned correctly, security becomes the antithesis of DevOps. Developers begin to see information security tools as tools that slow them down.
• The variety of tools used in today's CI/CD pipelines makes seamless DevSecOps integration difficult.
• Many developers lack security competencies, so they don't understand how dangerous their code can be. They don't want to leave the CI/CD pipelines to perform information security tests or view scanning results. They experience great difficulties when they encounter false positives of SAST and DAST tools.
• Open-source security solutions may contain malicious code.

If you are new to the DevSecOps concept, read my previous article How to Turn A DevOps Pipeline Into a DevSecOps Pipeline: A Shift Left Concept Overview.

DevSecOps practices in the context of today's challenges

Now, I will discuss the most interesting part of this article.

SCA (Software Composition Analysis)

According to Gartner, SCA (Software Composition Analysis) is a mature mainstream.

Businesses should consider SCA tools as fundamental solutions for monitoring open-source products (OSS) and third-party artifacts and identifying their vulnerabilities. This will help identify software supply chain risks, ensure the integrity of Open Source components, and analyze their licensing purity.

Challenges affecting the development and diffusion of such solutions include the following:

• Many open-source packages, interdependencies, and programming languages create a complex structure. To cope with this, companies have to combine multiple solutions, implementing security analysis more difficult and costly.
• SCA tools rely on public vulnerability databases to identify malicious code and often bypass commercial software libraries, which can also be useful in finding dangerous breaches.
• In 2023, Open Source libraries have become popular targets for attacks against some companies. Attackers use malware and protestware that different solutions cannot detect. Many companies freeze using new libraries and Open Source components, which may lead to lagging in technological development.

Great, move on.

MAST (Mobile Application Security Testing)

According to Gartner, MAST (Mobile Application Security Testing) is early mainstream, reaching a < 2-5 years plateau.

In terms of business impact, fully implemented MAST practices will be an effective solution to save engineering resources in the face of a total talent shortage in mobile development.

MAST uses the same methods as web application testing (SAST, DAST, IAST). However, when applying them to mobile applications, the analysis must be adapted to identify vulnerabilities in the client application code. The practice of MAST has not yet reached full maturity as mobile platforms are still evolving. Another challenge is that organizations must perform mobile application security analysis as part of less advanced cybersecurity programs.

The central localized aspect affecting the overall level of security is the need for more explicit information security guidelines, built-in security checks, and insufficient attention to mobile app security in general.

Container Security

According to Gartner, Container Security is an emerging technology, reaching a plateau of < 2-5 years.

Like any other software component, containers can contain vulnerabilities and configuration issues. Developers will likely introduce vulnerabilities into the development and production environments without proper testing, resulting in serious risks. Today, information security teams are slow to adopt Container Security practices and secure container development tools, so companies must be aware of potential issues and sometimes unprepared to respond to attacks.

When it comes to technology challenges, DevOps experts distinguish 2 polar approaches. Many vendors and development companies treat the container security issue as a risk that occurs in runtime. On the contrary, the second category limits itself to looking for vulnerabilities only in images. It needs to provide more context to understand whether the code is actually used in production or accessed externally. Several other aspects can also be emphasized:

• Application security is blended with infrastructure security, forcing companies to utilize multiple solutions from different vendors.
• All vendors do not support container orchestration platforms other than Kubernetes. This makes alternative environments vulnerable.

Great, move on.

ASOC (Application Security Orchestration & Correlation)

According to Gartner, ASOC (Application Security Orchestration & Correlation) is an emerging technology, reaching a plateau of < 2-5 years.

Today, ASOC technology is the only option to seamlessly integrate information security tools into the DevOps processes of an engineering organization and implement a full-fledged DevSecOps. Such solutions also provide significant advantages in understanding the overall security status of all products under development, help to increase efficiency in prioritizing resources to address the most critical vulnerabilities, and allow coordinating security analysis across multiple development projects.

However, several complexities negatively affect the adaptation of the technology:

• Customers need to be sufficiently aware of the existence of such tools. Many organizations remain focused on a patchwork of automation that scales poorly against the capabilities of ASOC-class solutions.
• Vendors emphasize integration with either development stack scanners or exploitation stack tools. A lack of integration capabilities sometimes makes it impossible to form a holistic picture of an application's security.

Great, move on.

API Security Testing

According to Gartner, API Security Testing is an emerging technology, reaching a plateau of < 2-5 years.

Because program interfaces are spreading too fast, it is difficult to manage them, and with traditional security analysis methods, it is impossible to effectively perform API checks. Because of this, APIs are in the trend of problem areas, and attacks that exploit vulnerabilities in program interfaces have recently become much more frequent. Specialized tools, namely API Security Testing tools, allow you to create a basis for implementing an interface security strategy: identify APIs and search for their vulnerabilities.

The limited capabilities of such tools are the main drawback preventing the spread of API ST. The widespread use of software interfaces creates new problems and types of attacks. Existing analysis tools still need to be capable of fully reflecting all risks. Vendors need to modernize the testing approaches used in API ST tools.

Securing Development Environments

According to Gartner, Securing Development Environments is maturing technology, reaching a < 2-5 years plateau.

Development environments are one of the critical attack vectors today because they contain a lot of sensitive information. The most common risks arise from the proliferation of remote work formats and the widespread use of open-source components. Securing Development Environment approaches will help businesses mitigate risks and improve compliance with regulatory requirements and information security standards.

Barriers to technology development include:

• Remotely connecting to CI/CD pipelines, version control systems, and artifact registries using unsecured devices and applications. They create "blind" spots for information security experts and can cause dangerous incidents.
• Limiting the ability for developers to plug additional tools and applications into the environment. DevOps experts may try to circumvent new rules introduced for security purposes, so a flexible strategy is needed here.
• Difficulty in recognizing attacks committed using tools such as CI/CD pipelines and code repositories. Security practitioners may miss problems due to unfamiliarity with the mechanisms, and developers may miss issues due to low awareness of information security threats.

Great, move on.

Chaos Engineering

According to Gartner, CE (Chaos Engineering) is an emerging technology, reaching a plateau < 5-10 years.

CE (Chaos Engineering) technology provides an approach to process testing that creates an unstable environment, causing sudden failures. Chaos Engineering approaches can be used to plan, execute, and analyze "chaos attacks" on a system throughout its life cycle. The practice is useful in helping to improve the quality of processes, increase their resilience, and reduce failure rates and failure recovery times.

One of the main obstacles preventing the practice from developing is how companies perceive it. Many organizations see the technology as risky, as it should be implemented in a production environment, and there will be no opportunity to control the nature of the “explosion”. The organizational culture of companies also influences the development of the practice. Unfortunately, many players today perceive testing and ensuring the system's reliability as additional costs, so they prioritize developing its functionality.

SBOM (Software Bill of Materials)

According to Gartner, SBOM is an emerging technology, reaching a plateau < 5-10 years.

SBOM is a set of structured, machine-readable metadata that describes the composition of software components (open source libraries, fragments of third-party components, proprietary code elements) and documents their relationships in the supply chain. SBOM allows you to inventory software product composition, identify vulnerabilities, and determine the list of licenses for third-party components and open-source libraries for regular review to mitigate legal risks. This together gives businesses a transparent view of dependencies, helps track their status across the entire software supply chain, and enables effective collaboration with companies to find and remediate vulnerabilities.

Among the complexities preventing the widespread adoption of SBOM is the existence of requirements without which the approach could be more effective. Its usefulness depends mainly on how much and how well the company has implemented tools for processing, analyzing, and using SBOM data. In particular, automating the search for software components plays a significant role. Other challenges include the need to keep the SBOM up-to-date. Today's applications are updated at a high rate, so with each change, a new version of the SBOM specification must be created.

Policy-as-Code

According to Gartner, Policy-as-Code is maturing technology, reaching a < 2-5 years plateau.

PaC (Policy-as-Code) technology assumes an approach in which policies (corporate rules, architectural standards, instructions, requirements, etc.) are controlled, used, and updated by code in an automated mode. PaC tools allow companies to increase the speed of task fulfillment, reduce the risks of errors due to human factors, improve interaction between employees of one team or different departments, and increase the accuracy of completing all policy conditions.

It should be noted that there are several severe difficulties on the way to technology development. The first is the need for downloadable content (policies written in programming languages) in tools that support PaC. Companies should have a publicly available repository to download guidelines instead of creating their code. The second obstacle is needing more expertise and skills to work with automation tools and PaC.

Conclusion

Today, we are seeing a dramatic increase in the importance of security in the context of application development, leading to a rise in the popularity of DevSecOps and deeper penetration of secure development approaches into companies' processes. Overall, the technology pool of AppSec practices is showing high sensitivity to current cybersecurity trends and is transforming as a result.

For the industry, the following can be highlighted as crucial development vectors and solutions to overdue challenges:

• Open-source information security products do not have the necessary level of reliability and cyber resilience, so our apparent reality today is a complete shift to a zero-trust concept.
• Not all DevSecOps solutions can cover the Enterprise needs of "big" customers. Among the apparent growth areas are SBOM, API Security Testing, Software Supply Chain Security, Infrastructure as Code Security, Container Security, and DAST.
• As part of the technology challenge and the need for import substitution, companies need to migrate to a new DevOps stack and select and operate robust tools.
• Given the growing regulatory requirements (GOST R, FSTEC recommendations, TC 122, OUD), companies also need to "coordinate positions" against open international standards and frameworks (BSIMM, OpenSAMM).
• Compliance with all information security standards and requirements manually consumes a lot of resources. Over time, there will be even more "regulation" to deal with, so an effective strategic solution is to move to a Policy-as-a-Code format.
• Since there is a total shortage of personnel in the industry today, the only optimal way out of this situation is to expand employees' competencies through modern approaches to learning.

That's all. Thank you for your attention.