The way in which applications are developed today is changing dramatically with the spread of cloud technologies. Microservices, which are made available as Docker services, for example, and can be combined with each other, are putting the infrastructure world under severe pressure. “Network is code”, “Infrastructure is code”, “Everything is code”. The days of pure virtualization environments and principles such as “one server per application” will soon be numbered.
Brave new world
The language of application development today is DevOps. The close integration of development and operation can now be implemented using modern deployment methods and tools. In the cloud, it is possible to manage without complex testing, integration and production environments. From development directly into production is the motto. Beta testers are innovative users directly from the community. The new software distribution mechanisms at application and microservice level and the option of allowing fine-grained network traffic to parts of applications in the cloud via load balancing, for example to direct just a few test users to a new build, make this possible.
But where is IT security in this process?
There are basically three options for integrating IT security into the new development options:
- SecDevOps: IT security is already taken into account in the planning and development phase (security by design)
- DevSecOps: IT security is analyzed and ensured after development, during the deployment phase
- DevOpsSec: IT security is handled downstream, e.g. by means of a security architecture or infrastructure through to a purely reactive strategy in the sense of a response or security incident management process.
What is the best option?
There is no clear answer to the question of the best option. First of all, it should be noted that these options are not ready-made concepts. It is primarily a matter of finding a balance of principles in the development of applications instead of setting fixed rules. This is the only way to ensure the necessary agility in software development.
And then the “risk appetite” of a company ultimately determines what the development principles are in detail.
For example: In a start-up, the aim is to gain market share as quickly as possible at the lowest possible cost and gain a foothold in the market. In such a situation, it can make sense to initially put the security aside and work on it later. It is important to bear in mind that as interest in a product grows, so does the interest of players with negative intentions and thus the risk of an incident.
Risks induce safety measures and not vice versa
A risk-based approach takes into account the economic efficiency of development. In terms of DevOps, this means that an ongoing risk analysis is necessary. The discussion about SecDevOps, DevSecOps or DevOpsSec alone is already inducing an absurdity in the way security measures are handled in practice today: A large number of security controls and measures are to be implemented on the basis of extensive IT security regulations, which often bear no relation to the existing risk. No wonder IT security in an agile DevOps environment is immediately labeled as an impediment. Let’s be very clear about this: The measures for secure development are dictated by the risk analysis. A reversal would mean that the measures themselves become a risk and this is not a benefit for anyone.
Our recommendation: RiskDevSecOps
Cloud, microservices, microsegmentation and new deployment methods in the development of applications suggest that an ongoing risk assessment is necessary. We therefore advocate the following approach: risk analysis before SecDevSecOpsSec, i.e. RiskDevSecOps.
Take the step towards DevOps in a structured way without losing agility and let us support you. In our experience, risks are often consciously or unconsciously overestimated or even underestimated internally. United Security Providers is happy to support you in your risk assessment with an external perspective. With a digital risk assessment, you can quickly find out what the risks are in the development of your business-relevant applications.
Digital Risk Assessment
A digital risk assessment helps to create clarity. We are convinced that a top-down approach makes the most sense and is the most targeted approach when preparing such a risk analysis. In a top-down approach, the focus is first on your business environment, business objectives and business processes. Which market are you active in? What do you want to achieve with an application? What are the really critical processes that are supported by an application? How much risk are you effectively prepared to take in this environment?
On this basis, tangible risks can be identified and quantified with the help of scenarios. From this, we derive suitable measures together with your development department.