InfoGuard Cyber Security and Cyber Defence Blog

Productivity meets Cyber Security: DevSecOps, the new Business Booster

Written by Martin Hüsser | 21 Jul 2025


For companies that have already firmly integrated DevSecOps, it is clear that a security vulnerability in a newly developed app can be fixed in minutes or a few hours. This is because security is now an integral part of the entire software development process - the core of the entire development process, so to speak - and no longer just an afterthought.

Switzerland is characterized by DevOps, but where is the security?

According to the latest report by VSHN and Zühlke, a third of the companies surveyed that use DevOps for software development and deployment are already using artificial intelligence (AI) to automate repetitive tasks or to optimize code quality. As enthusiastically as the tech scene has embraced DevOps practices, one critical aspect is often overlooked: cybersecurity falls by the wayside.

DevOps practices are deeply rooted in the Swiss corporate landscape: almost 88% of the companies surveyed already use them, an impressive figure that illustrates the triumph of this way of working. According to the authors of the study, IT companies currently account for 45 percent of DevOps users. Other sectors have expanded their share: 20 percent of DevOps companies are active in consulting, 16 percent in banking and finance. DevOps is also becoming increasingly popular in the public sector.

Security by design: the DevSecOps paradigm

What does DevSecOps mean? The National Institute of Standards and Technology (NIST) definition states that by integrating security practices and automatically creating security and compliance artifacts across processes and environments, DevSecOps helps ensure that security is considered as part of all DevOps practices.

The US Department of Defense provides an even more detailed definition: DevSecOps is a combination of software engineering techniques, procedures and tools that integrate software development (Dev), security (Sec) and operations (Ops).

What DevSecOps means:

  • Shift-left security: security testing during the development phase
  • Inclusion of automated security checks in CI/CD pipelines (continuous integration and continuous delivery/deployment)
  • Continuous compliance: code-based checking against regulatory requirements
  • Shared responsibility: Each team member is responsible for maintaining security
  • Zero Trust Architecture: Zero Trust must be the target security model for cybersecurity in DevSecOps software factories and platforms.

The challenge of the software supply chain

The success of DevSecOps requires an understanding of the entire software supply chain. This includes all components, from hardware, Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) to the tools and processes that together enable specific software functions. Each of these stages is a link in a complex software supply chain that can be thought of as a logistical route.

AI as a revolution in DevSecOps

Artificial intelligence is fundamentally changing the rules of the game. In Swiss DevOps teams, it is most frequently used to automate repetitive tasks (22%), prevent incidents and optimize code quality (around 19% each).

AI opens up completely new possibilities for DevSecOps:

  1. Meaningful identification of vulnerabilities
    AI systems are not only able to identify security vulnerabilities, but also to assess their severity and suggest possible fixes. Real-time code reviews can thus greatly shorten what is otherwise an hours-long process.
  2. Detecting anomalies in production environments
    Machine learning algorithms capture the "normal" behavior of an application and immediately raise the alarm in the event of suspicious activity, often before human users even notice that something is wrong.
  3. Automated vulnerability remediation
    AI is used by 28% of teams for code review and analysis. AI that not only detects problems but also fixes them automatically is the next stage of development.

CI/CD pipeline security: the heart of DevSecOps

Malicious cyber actors view software supply chains and CI/CD environments as attractive targets, according to NSA and CISA guidance. The threats are numerous and complex:

Typical risks to CI/CD security include:

  • Insecure code: Integrating third-party code and failing to scan source code components can introduce vulnerabilities into a CI/CD pipeline.
  • Poisoned pipeline execution: Attackers contaminate the CI pipeline itself, manipulating the build process by abusing permissions in source code management repositories.
  • Disclosure of secrets: Cloud-native CI/CD tools hold a number of secrets for access to peripheral systems and other sensitive resources, including databases and code bases; these secrets must be specially protected.

Important security measures for CI/CD pipelines:

  • Zero Trust in CI/CD: This technique helps to identify and prevent successful compromises of the environment by ensuring that no user, endpoint or process is fully trusted.
  • Static code analysis: Integrate appropriate analysis tools early in the build process to continuously check your code for common security vulnerabilities and compliance issues.
  • Implement SBOM: By helping to track all open source and third-party components within the codebase, SBOM and SCA can be beneficial to both DevSecOps and the software development lifecycle (SDLC).

The challenge: innovation and compliance

DevSecOps is a necessity rather than a luxury, especially in Switzerland with its robust financial sector and strict data protection regulations. The challenge?

Finding a balance between the need for innovation and regulatory requirements.

According to the study cited, platform engineering teams are now present in 54 percent of Swiss companies. These groups are essential for the development of secure platforms that enable agility and compliance.

Platform engineering as an enabler for security

A DevSecOps platform is a collection of resources and capabilities that serves as a foundation for developing and operating additional functions or services within the same technical framework.

Platform engineering allows development teams to work independently in standardized, secure environments. This includes:

  • Security safeguards: Automatically enforced, predefined security policies.
  • Compliance as code: The platform integrates regulatory requirements.
  • Self-service security: Developers can use security tools independently.

Continuous Authorization to Operate (cATO) is achieved when a company can demonstrate how it creates, protects and operates a system, and that it is sufficiently mature to maintain a robust cyber security posture in the long term.

The Swiss method: from theory to practice

According to Prof. Dr. Sebastian Graf from the FHNW, "DevOps does not think in terms of projects, but in terms of products". The key to the success of DevSecOps therefore lies in this product orientation.

The methodical approach

A key element of Zero Trust is DevSecOps, which combines technology, processes and an appropriate mindset. The development and engineering teams must work closely together. An organized strategy and a clear vision are the foundations for success.

Fully implementing DevSecOps requires that security and functional capabilities are developed, tested and tracked at every stage of the lifecycle, so that security and functional issues never reach production.

Secure DevSecOps environments in 3 stages

1. Use integrated platforms

  • Code management, pipelines, planning and security analytics are included in platforms like GitLab, usually in higher/premium subscriptions.
  • Cross-team collaboration is encouraged through an integrated process.
  • Use consolidated solutions to prevent the proliferation of tools.
  • Use thorough security scanners.

2. As specified by NIST SP 800-204D

  • Code analysis with SAST (Static Application Security Testing).
  • Use DAST (Dynamic Application Security Testing) for runtime testing.
  • Software Composition Analysis (SCA) for dependency testing.
  • Image security through container scanning.
  • Secret scanning to protect confidential login data (credentials).

3. Use open standards

  • Software Bill of Materials (SBOM) in the CycloneDX format: transparency about components
  • SPDX: tracking of components and license compliance
  • SLSA (Supply-chain Levels for Software Artifacts): a supply chain security framework
  • Every organization should be aware of these standards recommended by the OpenSSF (Open Source Security Foundation).
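As an added example (not from the article or from InfoGuard), this is the kind of policy check a pipeline can run over a CycloneDX SBOM to cover the SCA, SBOM and SPDX points of stages 2 and 3 above, as well as the SBOM/SCA measure from the CI/CD list earlier on the page. The SBOM, the denied-license list and the advisory identifier are all constructed placeholders, not real data.

```python
import json

# Constructed CycloneDX 1.5 SBOM for the example; not produced by any real build.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "leftpad-py", "version": "0.9.1",
         "purl": "pkg:pypi/leftpad-py@0.9.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "vendor-blob", "version": "1.0",
         "licenses": [{"license": {"name": "Proprietary"}}]},
    ],
})

# Constructed policy: SPDX license IDs not allowed in shipped code, and a
# placeholder advisory table standing in for a real SCA vulnerability feed.
DENIED_LICENSES = {"AGPL-3.0-only", "GPL-3.0-only", "SSPL-1.0"}
ADVISORIES = {("pkg:pypi/leftpad-py", "0.9.1"): "ADV-EXAMPLE-0001"}  # placeholder id

def evaluate_sbom(sbom_json: str) -> list[tuple[str, str, str]]:
    """Return (component, rule, detail) findings for a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        label = f"{comp['name']}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        # Transparency: without a purl the component cannot be matched to any feed.
        if not purl:
            findings.append((label, "missing-purl", "component not uniquely identifiable"))
        # License compliance: only SPDX IDs are machine-checkable; flag denied or name-only ones.
        for lic in comp.get("licenses", []):
            info = lic.get("license", {})
            if "id" not in info:
                findings.append((label, "license-unidentified", str(info.get("name"))))
            elif info["id"] in DENIED_LICENSES:
                findings.append((label, "license-denied", info["id"]))
        # SCA: match the versionless purl plus version against the advisory table.
        if purl:
            advisory = ADVISORIES.get((purl.split("@", 1)[0], comp.get("version")))
            if advisory:
                findings.append((label, "known-vulnerable", advisory))
    return findings

def gate(findings) -> bool:  # CI gate: pass only without denied licenses or known vulnerabilities
    return not any(rule in {"license-denied", "known-vulnerable"} for _, rule, _ in findings)
```

Running `gate(evaluate_sbom(SAMPLE_SBOM))` on the constructed SBOM fails the build because of the AGPL-licensed and placeholder-vulnerable component, while the unidentified license and missing purl are reported for follow-up without blocking.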

6 Threats to cloud security: the changing environment

According to recent studies by the Cloud Security Alliance, DevSecOps must address the following six critical threats:

  • Insecure software development: due to the complexity of cloud computing, developers can inadvertently create insecure software with exploitable vulnerabilities.
  • Inadequate change control and misconfigurations
  • Weaknesses in identity and access management
  • Insecure APIs and interfaces
  • Limited observability/visibility of the cloud
  • APTs (advanced persistent threats)

How secure is the DevSecOps future?

For DevSecOps, the lesson is that while the tools and technologies are available, only careful implementation leads to success. The introduction of DevSecOps is going particularly well in small and medium-sized companies; larger companies, on the other hand, are struggling to scale it.

The secret to long-term security lies in vendor independence. Reducing vendor dependency and ensuring the freedom of system components are also important aspects when it comes to a secure software supply chain.

Strengthen your DevOps pipeline with sustainable security. Request your DevSecOps security assessment now and minimize risks in a targeted manner.

Why is DevSecOps open source?

Due to the easier interchangeability of providers and components, open source solutions offer greater flexibility. The open source landscape is developing positively despite obstacles such as license changes or funding problems for certain projects.

Recommendations for Swiss companies

  • Think about alternatives to established market leaders.
  • Consider open infrastructure options.
  • Take out corporate subscriptions to be able to use security services.
  • Maintain the open source ecosystem in a sustainable way.

This approach improves visibility and control over your own security infrastructure while reducing vendor lock-in.

The business case for DevSecOps

DevSecOps is critical to minimizing vulnerabilities, malicious code and other security issues in software without delaying code development and releases, according to a NIST study.

Outlook: The path to DevSecOps maturity

The path to DevSecOps maturity includes several important phases:

1. First use

  • Start with pilot projects.
  • Look for short-term gains.
  • Create a network and appoint dedicated security officers.

2. Integration and scaling

  • Increase the number of teams.
  • Integrate security tools into every pipeline.
  • Establish KPIs and security metrics.

3. Innovation and optimization

  • Use ML and AI to improve security.
  • Put predictive security analytics into practice.
  • Achieve continuous authorization (cATO).

4. Change of strategy

  • Security becomes a business enabler.
  • Complete alignment with business goals.
  • Leading position in the industry for secure development.

In summary, security can be a competitive advantage.

DevSecOps turns security from a barrier to an accelerator. Swiss companies cannot afford to treat security as a secondary process in times of increasing cyberattacks and stricter regulations.

The good news is that the Swiss tech community is on the right track. With the increasing use of AI, the adoption of DevSecOps practices and the creation of platform engineering teams, the foundations are in place.

The current challenge is to consider security as an essential part of product development and not as an add-on. Companies are creating a secure and sustainable development environment by using integrated platforms, introducing open standards such as CycloneDX and SLSA and carefully avoiding vendor lock-ins.

To reduce risk at every stage, DevSecOps leverages the combined experience and knowledge of the entire software supply chain, as the U.S. Department of Defense points out.

After all, in the digital economy, those who develop securely from the outset generally also speed up the entire development process. And the fastest developers win, especially when it comes to open standards and vendor independence.

Act now to protect your DevOps journey

The first step is to understand DevSecOps. The real difficulty lies in successful implementation. We will support you if you are ready to strengthen the security of your software development process and rely on professional advice.

Assessing your DevOps environment

With our thorough DevOps security assessment, you benefit from the following advantages:

Technical configuration security assessment

  • A thorough analysis of your operating platform.
  • Detection of vulnerabilities and faulty configurations.
  • Recommendations for security hardening based on industry standards.

Analysis of process maturity

  • Systematic assessment process that examines your DevSecOps procedures.
  • Analysis of gaps in relation to industry standards.
  • Clear roadmap for process optimization and improvement.

Review of secure software development

  • Detailed assessment of your current development methods.
  • Concrete suggestions for integrating security into the entire SDLC.
  • Practical recommendations for the implementation of shift-left security.

The standards-based method

Our assessment process is based on:

  • Orientation to CIS standards (Center for Internet Security).
  • Guidelines of the Cybersecurity & Infrastructure Security Agency (CISA).
  • Frameworks of the National Institute of Standards and Technology (NIST).

InfoGuard's internal proposals are based on many years of experience in the following areas:

  • Security Operations and Cyber Defense
  • Incident response
  • Compliance and governance

Are you ready to protect your DevOps pipeline? Your digital development deserves protection from the start. Don't let a security incident expose your DevSecOps procedures. Proactively integrate cybersecurity into your development lifecycle now. Schedule your DevOps security assessment today.


Caption: Image generated with AI