DevSecOps offers great potential, but in practice it is also a challenge for many CISOs and DevOps teams. Today, companies typically leverage several automated tools. However, these are to a large extent separate silos that each identify a separate, and most often long, list of risks and vulnerabilities. This creates complexity, inefficiency, cost, and risk, and it often slows down DevOps organizations. A key capability has been missing in the toolset: a capability that empowers both DevOps teams and the CISO by continuously

* Contextualizing risks. There are plenty of different risks. But what is the holistic risk exposure of my high-value assets? Are we good, or do we need to take action?
* Pin-pointing actions. There are plenty of ways that we can reduce risk. But which of all possible actions should I prioritize, and which should I not? It is simply not feasible to do everything everywhere.
* Conducting automated attack simulations. We should do these analyses continuously, but it is simply not possible to do this manually. It would be great to integrate automated holistic analyses into our CI/CD.

This article includes:

1. DevSecOps Challenges in Practice
2. Current State of DevSecOps Workflows and Tooling
3. The Missing Piece Needed
4. How Leading CISOs and DevOps Teams are Leveraging New Capabilities

1. DevSecOps Challenges in Practice

DevSecOps is a major evolution of the cybersecurity practice. So, before going into practical details, let's take the overall business perspective as the starting point: the overall requirements, challenges, and opportunities that DevOps and DevSecOps bring to organizations, CISOs, and DevOps teams in practice.

An organization, DevOpsCo, has a DevOps way of working. It could have two, ten, fifty, or even hundreds of DevOps teams. Each team develops and operates its part of the overall company system environment. It is not uncommon for one team to push several releases per day.
And each release naturally has an impact on the security posture of the environment, not only on the team's own environment but also on other teams' environments and the total infrastructure. Let us explore a typical illustrative example:

This small illustration in itself shows both how important it is to embed security into the DevOps workflows to make DevSecOps practically viable, and the magnitude of the challenge. But this dynamic is just one part of the challenge. A longer list of key challenges includes the following:

* Multiple DevOps teams all make frequent releases, and each release impacts their own team's, other teams', and the total organization's cybersecurity risk posture.
* It can very easily happen that teams make security mistakes. Just one example is how easy it is to get IAM policies wrong. In both cloud and on-prem environments, IAM can very easily end up granting too much, or the wrong, access, which creates a weak security posture and high business risk.
* In addition, there is the challenge of keeping up to date with new vulnerabilities, security updates, etc., and putting them into the context of what needs to be addressed to continuously manage risk over time.
* DevOps teams are not the security experts. Even if we think it would be great if they were, this will never be the case. It is actually not even desirable, as it would require too many security resources.
* The CISO function crucially needs mechanisms that both empower the DevOps teams with automated, actionable insights and provide the CISO function with a continuous overview, tracking, and management of the cybersecurity risk posture.
* Identifying long lists of risks and best practices is a good starting point. But we truly need to identify which risks are key, which actions have the best effect, and when our security is good enough. This prioritization needs to be done from a holistic perspective.
It is also not practically viable to do this manually: it is just too complex and time-consuming. We all live in a world of scarce resources.

2. Current State of DevSecOps Workflows and Tooling

"Sec" in DevSecOps is not a discrete step or phase but an integrated part of the activities required to deliver software or a service in a secure fashion, as illustrated in the typical DevSecOps loop. Today, the different activities and tools of the AppSec program typically attach to different phases of the DevOps loop. Security training of developers, design reviews based on threat modeling, design and code reviews, as well as SAST tools like SonarQube for source code inspection, are all part of the Plan and Code phases. In the Build and Packaging phases, you typically find scanning for vulnerabilities in supply chain dependencies through solutions from companies like Debricked or Snyk. Moving into the Test phase, security testing is done, often automated with DAST tools, and from the Release phase onwards a set of more traditional cyber operational tools are employed, including vulnerability scanners for the infrastructure, WAFs, and various types of log monitoring and correlation tools, including SIEMs.

Interestingly, even a perfectly secure development process is still no guarantee against breaches of the application after it has transitioned into a live, deployed state. The application context, such as the Identity and Access Management (IAM) configuration, will often differ from the test environment and is bound to change over time. Time will also cause changes to interdependent services and will cause new vulnerabilities to be discovered, both inside the application and in the infrastructure on which the application depends. Time is clearly not on the defender's side.
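The IAM point above (teams easily grant too much or the wrong access, and the IAM configuration of a deployed application drifts away from what was tested) is the kind of thing that can be checked on every pipeline run. The following is an added example, not code from the original article or from any product it mentions: a small linter for AWS-style IAM policy documents that flags over-broad Allow statements and can act as a merge gate. The policy grammar and the iam:PassedToService condition key are standard IAM; the rule names, the thresholds and both sample policies are constructed for this example.

```python
"""Lint AWS-style IAM policy documents for over-broad Allow statements.

Added example, not code from the original article or any product it mentions.
Assumes the standard IAM JSON policy grammar (Statement, Effect, Action/NotAction,
Resource, Principal, Condition). Rule names, thresholds and both sample policies
are constructed for this example.
"""
from typing import Dict, List

# Wildcards that are effectively full administrative access.
ADMIN_ACTIONS = {"*", "iam:*", "sts:*", "organizations:*"}
# Actions that let an identity expand its own permissions.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy", "sts:AssumeRole",
}


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> List[str]:
    """Flatten the Principal element of a resource-based policy statement."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return [x for v in p.values() for x in _as_list(v)]
    return []


def lint_policy(policy: dict) -> List[Dict[str, str]]:
    """Return findings ({sid, rule, detail}) for risky Allow statements."""
    findings: List[Dict[str, str]] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        def flag(rule: str, detail: str) -> None:
            findings.append({"sid": sid, "rule": rule, "detail": detail})

        if "NotAction" in stmt:
            flag("NOT_ACTION_ALLOW", "Allow with NotAction grants every action not listed")
        admin = sorted(set(actions) & ADMIN_ACTIONS)
        if admin:
            flag("ADMIN_WILDCARD", f"Action contains {admin}")
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            flag("SERVICE_WILDCARD_ALL_RESOURCES", "service-wide action on Resource '*'")
        esc = sorted(set(actions) & ESCALATION_ACTIONS)
        if esc and "*" in resources and not conditioned:
            flag("PRIVILEGE_ESCALATION_PATH", f"{esc} on Resource '*' without Condition")
        if "*" in _principals(stmt) and not conditioned:
            flag("PUBLIC_PRINCIPAL", "Principal '*' without Condition exposes the resource")
    return findings


# Constructed "weak" policy: the grant that is easy to write when a deploy is blocked.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployAnything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "LetLambdaRun", "Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"},
    ],
}

# Constructed corrected policy: same intent, scoped to one bucket and one role.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeployArtifacts", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-deploy-artifacts/*"},
        {"Sid": "LetLambdaRun", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/example-lambda-exec",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}


def ci_gate(policy: dict) -> bool:
    """True when the policy may be merged (no findings); wire this to the pipeline exit code."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "PASS" if ci_gate(pol) else "FAIL")
        for f in lint_policy(pol):
            print("  ", f["sid"], f["rule"], "-", f["detail"])
```

The weak policy fails the gate on four findings (an admin wildcard, two service-wide grants on every resource, and an unconditioned iam:PassRole that is a classic escalation step); the scoped policy passes. A check like this is deliberately local and cheap, which is also its limit: it sees one policy at a time, not what the role can reach in combination with the rest of the environment, which is the holistic question the rest of the article is about.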
Furthermore, continuous deployment into public cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform creates an even more challenging situation, as both the control plane (asset management operations) and the data plane (the application and related service assets) are reachable over the Internet and are often delegated directly to the DevOps teams. And, maybe most importantly, the different tools are to a large extent separate silos that identify separate, and most often long, lists of risks and vulnerabilities. This creates complexity, inefficiency, cost, and risk, and it often slows down DevOps organizations.

3. The Missing Piece Needed

As described in the earlier sections, DevSecOps is a natural way forward for DevOps organizations. But it also imposes several quite significant challenges. To make DevSecOps practically viable, automated tooling has a key role. Today, companies typically leverage a number of automated tools for DevSecOps. However, they are to a large extent separate silos that identify separate, most often long, lists of risks and vulnerabilities. A key capability has been missing in the toolset: a tool that continuously

* Contextualizes risks. What is the holistic risk exposure of my high-value assets? Are we good, or do we need to take action?
* Pin-points actions. There are plenty of ways that we can reduce risk. But which of all possible actions should I prioritize? And which should I not? It is simply not feasible to do everything everywhere.
* Conducts automated attack simulations. We should do these analyses continuously, but it is simply not possible to do this manually. It would be great to integrate automated holistic analyses into our CI/CD.

These capabilities empower DevOps teams to get continuous insights on key questions such as "Are we secure enough?", "What are the weakest links?", and "Of all the things we could do, what should we do to improve our security posture?".
They enable the CISO function to get an overview and tracking of the security risk posture, and pin-pointed insights when and where needed.

4. How Leading CISOs and DevOps Teams are Leveraging New Capabilities

So how can we address the challenges and get the capabilities needed? Historically, the answer has most often been to implement more generic guidelines on patching, authentication, etc., which means that you typically overspend in lower-risk areas and underspend in high-risk areas, and/or to try to conduct these analyses manually, which then often turns into not doing them at all or doing them only at too high a level. Now, new technology enables organizations to get these central capabilities through automated tooling. By leveraging AI-based, automated attack simulations, organizations are able to cut through complexity, gain key insights, and take proactive action where it really matters.

One leading company that is leveraging fully automated attack simulations is Klarna. Klarna is a payments company that is one of Europe's largest banks and one of the world's highest-valued and fastest-growing fintechs. Klarna leverages automated attack simulations to continuously manage its security risk posture in highly dynamic cloud environments.

The concept that Klarna leverages consists of three steps. In the first step, the tool generates digital twin models of the systems in scope. The second step is to simulate thousands of attacks against the digital twins, capturing all possible ways attackers can potentially reach your high-value assets. The third step is to provide the user with key insights from the simulations: risk levels, key risks, and effective risk mitigation actions. By leveraging automated attack simulations:

* DevOps teams get automated and continuous insights on the cybersecurity risk posture of their environment. When the risk exposure is too high or the posture too weak, they get automated insights on where the weak spots in the architecture are, together with suggested mitigation actions. The analyses can be fully integrated into the CI/CD pipelines.
* The CISO function gets automated and continuous insights on the posture of the total environment. How does my overall risk posture improve over time? How do the different teams perform? How do the different teams' environments interact, when and how does one team create risk for another team, and how can those insights be delivered to the teams automatically?

Automated and Continuous, throughout the DevOps Cycle

securiCAD provides fully automated in-depth analyses. It can easily be integrated into CI/CD pipelines. And it does not interfere with your live environment, as all simulations are conducted on digital twins of your environments. While simulation is probably one of the few ways to risk-assess a large-scale environment in continuous change, the key is to build the model continuously from the real environment. Automation is an important leap away from subjective human assessment and the rigidity of strict formal security frameworks, and toward keeping security consistent. Through automated simulations, companies can take on the challenge of looking at the whole while keeping clear control of all the details and moving pieces. The simulation capability both increases the ability to see how changes in one team's environment can affect others and makes assessments more consistent. In the end, it increases security where it really counts.
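To make the three-step concept described in section 4 concrete (model the environment, find the ways an attacker can reach a high-value asset, rank the mitigations), here is an added example that is neither the article's nor securiCAD's code. It stands in for the probabilistic simulation the article describes with a deterministic least-attacker-effort path computation (Dijkstra) over a small hand-built digital twin, so the result is reproducible; the asset names, team ownership, effort values and mitigation list are all constructed assumptions. It also produces the cross-team view the CISO bullet asks for: which teams' assets sit on the critical path to another team's asset.

```python
"""Toy attack-graph analysis: model, find the attack path, rank mitigations.

Added example, not the article's or securiCAD's code. Replaces the probabilistic
attack simulation with a deterministic least-effort path search. Asset names,
team ownership, effort values and mitigations are constructed for this example.
"""
import copy
import heapq
from typing import Dict, List, Optional, Tuple

# Digital twin: directed edges (from -> to) weighted by attacker effort in
# arbitrary units (think "expected days"). Each asset is tagged with its owning team.
Graph = Dict[str, Dict[str, float]]
# A mitigation changes one attack step's effort; None removes the step entirely.
Mitigation = Tuple[Tuple[str, str], Optional[float]]

TEAM_OF = {
    "internet": "-", "web-app": "team-shop", "ci-runner": "team-platform",
    "iam-role-deploy": "team-platform", "customer-db": "team-payments",
}


def build_model() -> Graph:
    g: Graph = {n: {} for n in TEAM_OF}
    g["internet"]["web-app"] = 2.0            # exposed app with an easy bug
    g["web-app"]["customer-db"] = 30.0        # db is hardened against the app
    g["internet"]["ci-runner"] = 8.0          # long-lived runner token can leak
    g["ci-runner"]["iam-role-deploy"] = 1.0   # runner may assume the deploy role
    g["iam-role-deploy"]["customer-db"] = 1.0  # deploy role is over-privileged
    return g


MITIGATIONS: Dict[str, Mitigation] = {
    "patch web-app injection": (("internet", "web-app"), 20.0),
    "replace long-lived CI token with OIDC": (("internet", "ci-runner"), None),
    "scope deploy role away from customer-db": (("iam-role-deploy", "customer-db"), None),
    "require mTLS from web-app to customer-db": (("web-app", "customer-db"), 60.0),
}


def least_effort_path(g: Graph, src: str, dst: str) -> Tuple[float, List[str]]:
    """Dijkstra over attacker effort: cheapest route from src to dst, or (inf, [])."""
    dist: Dict[str, float] = {src: 0.0}
    prev: Dict[str, str] = {}
    pq: List[Tuple[float, str]] = [(0.0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue  # stale queue entry
        if u == dst:
            break
        for v, w in g[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(pq, (d + w, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def with_mitigation(g: Graph, m: Mitigation) -> Graph:
    """Return a copy of the twin with one mitigation applied (the live model is untouched)."""
    (u, v), effort = m
    g2 = copy.deepcopy(g)
    if effort is None:
        g2[u].pop(v, None)
    else:
        g2[u][v] = effort
    return g2


def rank_mitigations(g: Graph, entry: str, target: str,
                     mitigations: Dict[str, Mitigation]) -> List[Tuple[str, float]]:
    """Score each mitigation by how much it raises the least effort to reach target."""
    base, _ = least_effort_path(g, entry, target)
    scored = [(name, least_effort_path(with_mitigation(g, m), entry, target)[0] - base)
              for name, m in mitigations.items()]
    return sorted(scored, key=lambda x: (-x[1], x[0]))  # biggest gain first, then by name


def teams_on_path(path: List[str]) -> List[str]:
    """Owning teams along an attack path, in order of first appearance (attacker excluded)."""
    seen: List[str] = []
    for n in path:
        if TEAM_OF[n] != "-" and TEAM_OF[n] not in seen:
            seen.append(TEAM_OF[n])
    return seen


if __name__ == "__main__":
    g = build_model()
    effort, path = least_effort_path(g, "internet", "customer-db")
    print(f"least effort {effort}: {' -> '.join(path)}  (teams on path: {teams_on_path(path)})")
    for name, gain in rank_mitigations(g, "internet", "customer-db", MITIGATIONS):
        print(f"  +{gain:>5} effort  {name}")
```

On this twin the cheapest route to the customer database is not through the exposed web app but through the CI runner and the over-privileged deploy role, so the patch the shop team would naturally prioritize changes nothing, while two actions owned by the platform team each raise the attacker's effort from 10 to 32. That is the "pin-point actions" step in miniature, and the path report shows the cross-team dependency: platform-team assets are the weak link in front of a payments-team asset.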