Story image

SolarWinds: Looking beyond DevOps to fix cybersecurity

08 May 2019

Article by SolarWinds security content architect Destiny Bertucci

Recent data breaches in Singapore signify weak spots in cybersecurity and data protection efforts, despite its large spending on cybersecurity.

A report by consulting firm AT Kearney in 2018 found that Singapore spent about 0.22% of its gross domestic product on cybersecurity, almost twice the global average.

Despite this, Singapore still remains susceptible to evolving cyber threats.

Last year, hackers stole the data of 1.5 million Singhealth patients, including those of the Prime Minister, in what was the city’s worst cyber-attack.

In light of this, the Government is stepping up measures to combat security breaches, and are looking to further increase spending on defense, security and diplomacy in 2019, according to the recent Budget statement by Finance Minister Heng Swee Keat.

The Singapore cyber security agency David Koh CEO acknowledged that the government itself cannot deal with the nation’s needs for cybersecurity.

He mentions that cybersecurity is a team sport, where organisations need to complement the government’s efforts and take proactive measures to protect their systems.

Such collaborative measures are necessary for an increasing number of organisations and startups who are incorporating the DevOps methodology into their business.

Focused on the integration of coding, testing and automation teams, the role of DevOps in security has seen increasing popularity due to its sound philosophy around productivity and adaptability.

With talk of DevOps rife among IT professionals, it is important to look at the advantages of DevOps as well as opportunities for where it could be improved.

Ultimately, while DevOps increases speed and efficiency by blending agile methodologies for development and automation for IT operations, is it not the be all and end all to addressing cybersecurity issues within an organisation.

DevOps still has its limitations

DevOps has the potential to improve security by discovering security flaws early in the development process.

This would allow IT teams to implement security features alongside a host of security algorithms and protocols, prior to the setup system infrastructure, which should lead to fewer security issues down the road.

Furthermore, it can deal with the aftermath of an attack through incorporation of self-healing characteristics into a system.

DevOps can also bring greater agility of design as well as greater buy-in and collaboration across varied skill sets that would otherwise compete with each other.

However, against a backdrop of constantly evolving cyber threats, DevOps is not enough in mitigating, addressing and combating such security issues.

While its methodology would allow for faster responses and adaptability, a cohesive, coordinated response to security threats should take precedence.

This is especially so as DevOps teams do not have the technical depth of specialised cybersecurity professionals.

While it can be argued that security professionals can be brought into DevOps processes to help developers navigate security issues they may face over time, these operations are still disparate.

One way to further boost security processes is through DevSecOps, a process of integrating and streamlining security practices much earlier within the DevOps process.

In this instance, the traditional process of working in silos will be replaced by increased communication and shared responsibility for security processes throughout the various phases of application and software development.

However, this may jeopardize informational security as well across the organisational surface.

A more holistic approach

Another approach that bears more efficacy is by establishing a central team responsible for incorporating measures into the development process from start to end.

Alongside DevOps infrastructure and applications, this team can monitor, manage, troubleshoot and optimize instruments from its infrastructure to the end-user experience.

A team of experts will also allow for a diversified skill set that would offer more comprehensive support to handle evolving threats.

Cybersecurity teams should also interact with DevOps in a way that establishes its authority in enforcing good governance and sanitisation, as well as the capacity of assurance in vetting and reviewing DevOps code, data, and workflows to ensure they meet enterprise-wide security protocols.

When cybersecurity skills and measures are employed, it is important that they are not diluted alongside other DevOps functions, so it is able to achieve its intended purpose with as much backing as possible. The cybersecurity function should also continue to operate with autonomy when maintaining the products of the DevOps cycle.

Most organisations are already adopting this model — maintaining centralised cybersecurity functions within the business whilst adopting a different mindset in its deployment.

In this regard, organisational projects and processes should be run by the expertise of cybersecurity teams, even prior to execution, therefore avoiding the need to undo or rework certain areas.

Forescout strengthens investment in OT security
Forescout’s latest features will provide enterprises with improved productivity, lower risk profiles and faster mitigation of threats.
Hybrid cloud security big concern for business leaders
A new study highlights that IT and security professionals have significant concerns around security for hybrid cloud and multi-cloud environments.
GitHub launches fund to sponsor open source developers
In addition to GitHub Sponsors, GitHub is launching the GitHub Sponsors, GitHub will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.
Check Point announces integration with Microsoft Azure
The integration of Check Point’s advanced policy enforcement capabilities with Microsoft AIP’s file classification and protection features enables enterprises to keep their business data and IP secure, irrespective of how it is shared. 
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.