DevSecOps Brings Payoffs through Security by Design
- DevSecOps has emerged as a key methodology to combat the insecurity of IoT devices, which merges development, IT operations, and security processes.
- As IoT breaches become more prevalent, IoT builders are increasing pressure to incorporate DevSecOps into their products.
- Despite the benefits of bringing these disciplines together, DevSecOps adds complexity to workflows.
As IoT looks to resolve its vulnerability woes, an emerging blend of DevOps and coding security practices holds promise, although a mental shift is required.
DevSecOps brings IT development, IT operations, and security principles closer together, with the goal of making technology products more robust.
When implemented alongside principles of security by design, it should help vendors better circumvent IoT’s unique security obstacles.And, by doing so, they gain an edge on the competition, at a time when it’s imperative to avoid delays and cancellations.
While IoT vendors must cater to increased end-user dialogue, there are trade-offs in implementing DevSecOps effectively.
Selecting the most cost and time efficient tools will help, as will ensuring buy-in from all parts of the supply chain. Some 84% of IoT-equipped organizations reported their connected installations having suffered a security breach in 2017, according to Fierce Electronics.
Public trust in connected technologies is at stake, and fundamentally it’s no longer enough to react once breaches have been exploited.
“There’s a clear necessity to focus on security from the off. DevSecOps can help to address some of these issues with IoT, while potentially also keeping to short timelines,” said Hollie Hennessy, senior analyst, IoT cybersecurity, Omdia.
In some ways, it’s striking how much infrastructure and civic society is now at risk. Health care is the most targeted industry by ransomware, for example, according to a paper prepared by Check Point Software Technologies last October. Hijacked IoT is costing finances that should be going to improving real livelihoods.
As the overall attack surface grows, alongside the number of connected devices, so too will pressure from lawmakers and governments.
Increasingly, IoT engineers and architects are going to expect to have their feet held to their fire. Clear DevSecOps frameworks will help govern their response.
The Need for Security By Design
DevSecOps processes and software help continuously identify and repair vulnerabilities throughout the development lifecycle, from integration to software delivery.
But, in IoT, there are additional requirements to check hardware and network security – a methodology known as security by design.
Hardware, security and software security checks were traditionally performed separately and often at the end of development cycles, which can incur significant costs.
While IoT breaches, and user errors, can never be entirely avoided, better integration of hardware and software security can help reduce the impact. Agile design techniques, meanwhile, help teams adapt to new problems as they arise.
“Poorly secured IoT environments require expensive controls to be deployed to mitigate the lack of security of those environments,” said Simon Minton, partner, cybersecurity, Deloitte.
“IoT products that require fewer of these additional controls should reduce the lifetime costs involved, making them more attractive to enterprise buyers.”
But implementing security by design is a significant challenge.
It means having structures in place to cover everything from device authentication to data integrity. The entire IoT supply chain must follow protocols, as should cloud-to-edge computing environments.
But, in verticals ranging from government to health care, a laissez faire approach to vulnerabilities – often issuing repeated software patch updates – should be cause for concern. According to HIT Consultant, just 11 medical device manufacturers reported equipment vulnerabilities to regulators in 2020.
The need for better processes is clear, and the pressure on IoT developers is building. Old top-down security models and waterfall-staged integrity checks are fast becoming inadequate, said Pieter Danhieux, co-founder and CEO of Secure Code Warrior, a Sydney-based provider of secure coding skills.
Danhieux said: “The errors that lead to critical bugs are often made by multiple developers in an organization, which points to the … imminent need for transformation of developer security training and key knowledge-sharing.”
The idealized case for DevSecOps is clear, but IoT project managers need to know how to stack up the costs.
With regards to the software, the aim should be for management to continuously check in to evaluate the state of code as it evolves. Minimum viable products should help disregard software builds with unrealistic ambitions, before they absorb resources.
Across the development ecosystem support for IoT-oriented DevSecOps is growing, from cloud computing services to DevOps frameworks.
Amazon Web Services, for example, streamlines coding checks through cloud-hosted tools, which also account for IoT’s distributed cloud-to-edge workflows. GitLab’s DevOps collaboration framework includes support for DevSecOps vulnerability checking.
Not every DevSecOps offering is equal for IoT purposes, however.
Developers may prefer automated testing tools that can be harmonized to IoT hardware specifications, as that goes a long way to removing human errors.
“You have to have the ability to make vulnerability scanning a part of the code development process, so as a developer checks in code it can be automatically scanned for flaws,” said Mark Loveless, senior security engineer, security research, GitLab, a web-based DevOps lifecycle tool.
Coding frameworks and collaboration tools increasingly ship with live vulnerability checking support such as Software Composition Analysis.
Ideally, this software capacity should be leveraged in combination with new procedures and cybersecurity-oriented expertise, at both project and DevOps-wide levels.
DevSecOps-as-a-service options exist and may help streamline integration throughout the IoT supply chain, although the complexity may add costs. In addition, mandating cyber-vulnerability training courses can help instill more workforce resilience.
Difficult Roads, Profitable Destinations
Some of the building blocks of distributed IoT development don’t play well with continuous security regimes.
Even with the latest DevOps tactics, containerization protocols such as Kubernetes are prone to human error – an Alcide study found around 90% of cloud-native Kubernetes deployments failed to adequately hide sensitive pieces of data, for example.
Despite the benefits, DevSecOps adds complexity to workflows, and the problem is magnified when scaling to cover larger IoT projects with practitioners dispersed geographically.
“One of the biggest challenges for organizations is how to manage the design and implementation of security throughout the supply chain, where supplier IoT manufacturers might have different practices than internal product or application engineering teams,” argued Deloitte’s Minton, “Without a holistic approach across the entire value chain of an IoT product, security can be a huge challenge.”
That means progress will be incremental, despite benefits increasingly outweighing costs. While there’s certainly more money available across the IoT landscape as a whole – according to Gartner, endpoint security spends were set to rise to $631 million this year following 21.4% CAGR since 2016 – the hard practicalities may take longer to resolve.
“Most organizations are on the DevOps ‘journey’ to some extent, including those who develop IoT products. Organizations that are further along tend to be the ones that then implement DevSecOps practices,” Minton added.
On the other hand, those vendors holding out on the transition don’t have too much time to do so. The U.S. has already introduced minimum security requirements for federal IoT purchases, while over-the-air software repairs are becoming less appropriate for fast-evolving IoT scenarios, or where thousands of endpoints are connected.
“In an IoT context, the argument for DevSecOps is even more compelling [than DevOps],” said Rik Turner, principal analyst for emerging technologies at analyst firm Omdia, “Application development generally, whether for IoT or general enterprise usage, has accelerated dramatically over the last two decades thanks to approaches such as Agile and DevOps.”