Jun 14 · 4 min read
The relevance of DevSecOps has grown in the past years as companies solidify their move towards automating their software delivery lifecycle, and especially recently in light of several major attacks specifically targeting security gaps within the development process.
Argon Security’s CTO Eylam Milner recently joined a thought-leadership panel to discuss the current and future state of DevSecOps alongside Aaron Stanley, Director and Global Head of Cybersecurity at Twilio, and Amir Jerbi, Co-Founder and CTO of Aqua Security.
The session started with Eylam (Argon) sharing the main findings from the global survey recently conducted by Argon and their implications. The survey revealed that 90% of companies use CI/CD pipeline tools to develop and deliver software, yet almost all of the security leaders interviewed do not feel confident in the security of these environments. According to these leaders, several challenges lie behind that lack of confidence, but the main one is the lack of collaboration between the security and DevOps teams. Other challenges mentioned were the widespread use of open-source software, the number of CI/CD tools, the complexity of development environments, and the lack of adequate security tools to address those challenges.
We also heard the perspective from the run-time side; Amir (Aqua Security) discussed how developers have more responsibility and power now than ever before. While programming remains at the core of their role, they are now also responsible for testing, scalability, and performance. At the same time, speed and agility are expected of them; while in the past companies used to run a few software rollouts per year, now they run a few per minute. This is the main reason behind the push to automate DevOps processes and to use open-source tools and packages; although these changes allow teams to develop software faster, they significantly increase the company’s exposure to vulnerabilities and possible backdoors.
Aaron (Twilio) gave us his input on some of his main concerns as someone who prioritizes security needs at a multinational software company. First, source code is not isolated within source control management systems alone, so it is necessary to be able to trace the code, understand who has access to it, and what they can do with that access. Second, the recent cyberattacks have shown that code tampering and malicious injections are becoming more common and are not easy to detect. Aaron raised his main concern as a question: “Will I know if it happens to me? Do we have the data, logging, and forensics to answer that question?” In the discussion Eylam touched on this risk as well, noting that the recent CI/CD pipeline breaches affected not only the breached company but also that company’s customers, which raises the stakes of not applying strong pipeline protection.
We also discussed the concept of DevSecOps and the best way to implement it. Aaron’s perspective was that, more than anything, DevSecOps is a philosophy. He elaborated that the core of DevSecOps is not the implementation of automation and security tools, but the binding logic and cooperation between development, security, and operations specialists. Focusing on this collaboration will create the position that sets up the processes and tools and orchestrates the security activities and people.
The session concluded with the panelists sharing their main advice to other Security and DevOps leaders moving forward:
In summary, the world of software development has undergone (and will continue to undergo) significant changes; developers have more responsibility and power than ever before, and they rely on automated processes, tools, and packages to meet the speed and agility standards expected of them. At the same time, this has opened up a new attack vector that companies need to prioritize; development environments, and specifically CI/CD pipelines, are attackers’ newest entry point of choice. This is mainly because companies lack visibility and control over their pipeline’s infrastructure, processes, and source code.
Argon’s solution connects to development environments and tools, and protects the entire CI/CD pipeline from code manipulation, misconfigurations, code leaks, and vulnerabilities. It enables smooth AppSec orchestration by providing unified visibility, security, and integrity throughout the build, test, and deployment stages. Argon secures the entire software delivery pipeline, from commit to release, effectively sealing gaps and preventing supply-chain attacks like SolarWinds and Codecov.