DevOps is a natural byproduct of the shift to agile software development and the move to the cloud. One of the main benefits of DevOps is the speed of software iteration, based on user stories and development sprints.
The drawback to all this speedy development, however, is that it’s hard for security to keep up. This explains, at least in part, why so many applications have vulnerabilities. According to Synopsys’ Software Vulnerability Snapshot, 95% of applications have some sort of vulnerability.
The key to getting security to keep up with DevOps is to embed security right into the DevOps process. Combining these two produces a new process called DevSecOps. What’s needed to turn DevOps into DevSecOps?
Enterprise Security Group (ESG) by TechTarget authored a whitepaper which addresses that very subject titled DevSecOps Should Include Continuous Threat Modeling. In it, they explore the ongoing challenges with DevOps and why continuous threat modeling is the ideal starting point for turning DevOps into DevSecOps.
The State of DevOps
According to an ESG survey, DevOps, without an embedded security process, produces some uncomfortable results. For instance, 45% of software releases didn’t go through any security checks or testing, while 35% of new builds are deployed to production with misconfigurations, vulnerabilities or other security issues.
One reason (34%) for these dismal results? Security can’t keep up with the cadence of software releases. To improve these results, something must change, and one impactful change is incorporating continuous threat modeling into the DevOps flow.
DevSecOps Should Include Continuous Threat Modeling
In the past, depending almost entirely on industry experts and manual analysis, threat modeling was limited to only the most high-value applications. To make matters worse, threat modeling was typically done only once, at the beginning of development, and never revised afterwards. In the fast-changing world of agile DevOps, that’s almost pointless.
It’s clear that for DevSecOps to be effective, the security portion must be automated, not expert-dependent, and responsive enough to keep up with the pace of change in DevOps. There may be more than one way to accomplish this. But since the very best threat modeling tools today are automated and don’t require years of threat modeling expertise, one way we know for sure is to make continuous threat modeling part of DevSecOps.
By using continuous threat modeling, security keeps up with the pace of development as well as the pace of change in infrastructure in the cloud. Threats are identified in near real-time, and mitigations proposed almost as fast.
In the whitepaper, ESG comes out in strong support for incorporating continuous threat modeling into the DevOps process. The whitepaper also points out three additional benefits of using continuous threat modeling in development, which makes using it even more compelling.
If you’d like to download a free copy of the whitepaper, visit this webpage here. And if you’d like to learn more about one of the best automated, continuous threat modeling platforms available, head on over to ThreatModeler. We’re happy to answer your questions.