There’s little disagreement that security should be baked into every step of the DevOps lifecycle. In fact, there’s even a name for it: DevSecOps. So, why isn’t its adoption more widespread? Well, as things turn out, there are quite a few challenges to DevOps security.
The Challenges to DevOps Security
Here are just a few of the challenges to DevOps security:
Focus on speed
The driving force behind DevOps is the need for speed. As you can imagine though, speed and security don’t mix too well. From BeyondTrust, “DevOps pushes and modifies batches of code over very short time frames (hours or days), which may far outpace the speed at which security teams can keep up with code review.”
It’s hard enough to find DevOps expertise. Try finding DevOps and security expertise in a single developer. From Software Secured, “Talent acquisition becomes a really tough problem in this new environment. [I]n some organizations, I’m seeing companies hiring developers and teaching them security because they find that easier than to take traditional security people with experience and to try to pull them over into this new world of new IT.”
Implementing security in CI/CD
Security used to be “bolted on” at the end. That doesn’t work with a CI/CD pipeline. Security must be a part of the pipeline. From CCSI, “Integrating security into the pipeline can be challenging. Security risks can arise during the integration stage until the DevOps model is fully implemented and running.”
In addition to the above-mentioned challenges, there is also cultural resistance to security, poor privilege access execution, inadequate controls, and collaboration challenges.
DevSecOps Best Practices
How do we address common challenges? With best practices. Here is a list provided by Fortinet for DevSecOps:
- Embrace a DevSecOps model
- Enforce policy & governance
- Automate DevOps process and tools
- Perform comprehensive discovery
- Conduct vulnerability management
- Adopt configuration management
- Use DevOps secrets management
- Incorporate privileged access management
- Segment networks
These best practices bring a certain discipline to DevSecOps. Still, it’s a long list. It would be nice if there were some way to address some or all of them at once without having to implement them one at a time. And that is the role that threat modeling plays in the DevSecOps process.
Threat Modeling: The Discipline of DevSecOps
Threat modeling is the discipline that turns DevOps into DevSecOps by incorporating several best practices into one. It is a process designed to address many DevSecOps best practices.
Enforcing policy and governance is one example. The threat modeling process doesn’t just model threats to security. It also models threats to policy and governance violations. By definition, threat modeling conducts vulnerability management. And the most modern threat modeling tools perform comprehensive discovery automatically.
Almost all of the items in the list above can be incorporated into a comprehensive threat modeling process. And with the best solutions out there, it does so without developers having to be security experts. That alone addresses one of the big challenges in DevSecOps today.
If you’d like to see how a modern threat modeling platform can help your company implement those DevSecOps best practices, without the need for in-house expertise, contact ThreatModeler for a free live demo.