This is a joint effort with JFrog and myself, which explores how we can improve security in development, especially in regard to a DevOps type model. The sole purpose of this partnership is to share knowledge with others. There is no commercial gain for either side.

By: Sean Wright, Head of Application Security, Featurespace | Paul Davis, Field CISO, JFrog

Removing friction between DevOps and Security teams can only lead to good things. By pulling in the same direction, DevOps can make sure developers continue to work with minimum interruption, while automation and background processes make security more effective and consistent than before. And, security teams have the visibility and understanding of the software development life cycle (SDLC), to improve developer experience and reduce risks and incidents for the organization.

In the first blog post we took a look at the friction between DevOps and Security in software development and the negative business impact such friction can entail. We ended with the question: Does there have to be friction between DevOps and Security at all? And that’s exactly what we intend to find out in this post. 

Bringing DevOps and Security Together

The journey to achieve an optimal model of collaboration and software development efficiency (velocity), starts with the simplification and cross usage of tools. We’re seeing a common trend where executives are looking to improve their software supply chain processes by streamlining the many tools they use. But now the time has come for combined groups of development and security engineers to also embrace this idea, move away from point solutions, and switch to an integrated efficient tools architecture. 

It’s pretty clear that security and development teams need to leverage multiple data points and perspectives to cater to their specific roles. Some of the tools that generate this data are unique to their functional needs, yet there are also common data sets, and operational frameworks that can align. 

The key to successful collaboration doesn’t lie in having an myopic view of looking at a specific solution in isolation, but rather considering the needs of information that flows between the teams and the overlap of solutions and tools. The winning approach is having a holistic DevSecOp architecture that combines the tools, data flows and processes from both groups. 

We’re seeing more and more companies – across all industries and geographies – adopting a unified software supply chain platform approach. A platform offers a reliable solution for managing and securing the SDLC, while keeping all relevant teams connected and productive.

Ask security teams what they care about; their first response will probably not be the developer’s experience or how many code fixes are required, just as developers are less concerned about how security threats are detected or how many vulnerabilities were remediated. The trick is to put all the information together and come up with insights that benefit both teams with a holistic view and understanding of what’s happening at each stage of the development process.

A good example of this could be to focus on one aspect, detecting a potential vulnerability.  As developers are coding, they’re actively warned about a potential vulnerability, with a suggestion how to mitigate the risk. Now, when the package is marked ready for production, the automated scanning of the package is launched and the number of potential vulnerabilities is immediately reduced, since the problem was handled early in the development process. From Security’s perspective, this means having less alerts to deal with, less back and forth with the developer, and less interruption in the development of new solutions.  

JFrog’s recent Software Supply Chain State of the Union Report, found that developers spend, on average, 25% of their time remediating vulnerabilities. Not only is the volume of vulnerabilities increasing, but it’s becoming harder to triage them effectively (remember the recent issue with NVD not analyzing CVEs?). So, just imagine how beneficial it would be – across the organization – to reduce this by 10-15%. And at the same time, the security posture of the SDLC would improve by reducing alert fatigue, and allowing the teams to focus on their shared mission of securing the delivery of software. 

PS: Remember to track metrics when launching this improvement. 

One of the keys to making this happen is deploying a platform-based solution that provides a common framework for managing and securing the software supply chain, integrating the teams and enabling their core missions. The advantage of having a single platform is getting the right information at the right time to all stakeholders – in the language and context they understand. It makes it easy to create automated workflows that minimize conflicts, provide continuous monitoring and alerting, and deliver one source of truth for developers, DevOps and Security. 

The Visibility Advantage

What’s the one thing CISOs and security teams always ask for? Visibility.

A software supply chain platform enables visibility across the entire SDLC, empowering organizations to standardize, monitor, secure and automate the process of delivering trusted software. By utilizing a platform, you gain a central point of truth with accelerated triage and prioritization for easily identifying the source (and even a specific developer) associated with an introduced vulnerability. 

The challenge associated with relying on point solutions, without a central software supply chain platform, is that the risk of introducing  blind spots could let incidents fall through the cracks. Leveraging a platform architecture, enables companies to enjoy both agility and scalability – with all aspects managed from a single pane of glass. This means viewing all risks from a single place, without having to correlate all information from numerous tools.   

Using a platform’s architecture encourages the use of automated security measures at critical points in the development process, and the continuous monitoring in production that reduces the need for manual work. For example, when developers want to use open source packages, they’re automatically scanned for vulnerabilities. If a threat is discovered or introduces unacceptable operation risk, the package can’t be used for the build. This is a great real-life picture of how to improve security without hassling developers or slowing down operations. Simply put, this is a win-win situation for both DevOps and Security.

Furthermore, if a CVE is detected in a binary in production, a platform can provide you with all the background of that artifact – including the developer responsible for using it in the first place and hopefully recommend a short term mitigation (e.g., change the way the function is called) and long term fix (e.g., upgrade the package). After the vulnerability is known, Security can analyze the threat and decide how likely it can be exploited in a real-world scenario. 

In some cases, even though a known vulnerability is present, it can’t be exploited in the current operating environment and may not require an immediate fix. This is becoming even more fundamental with the increase in volume of CVEs, in addition to the challenge in trying to triage them. Organizations need a way to focus on the ones that actually represent the most risk.

In other instances, a simple package upgrade can eliminate the threat, once again aligning Security's desire to minimize risk with DevOps’ goal of getting a release out the door as soon as possible. It’s critical to have this functionality since it can reduce the number of false alerts significantly, and remove the pressure to remediate immediately.

Increased Collaboration & Communications

In addition to having the right platform in place, regular meetings are required for maintaining open communication and building strong personal relationships between DevOps and Security. Don't just run status reviews, but make it fun, educational.  Brainstorm together to merge the knowledge of the two teams to solve a tough problem. Another easily implemented enabler is to establish a dedicated chat channel where team members can easily exchange information and ask questions. This ongoing dialogue is essential for transparency, trust and a shared understanding of each other’s tasks and goals.

Now that we’ve got the technology infrastructure and open communication channels, we still need to make sure everyone stays on track. It’s strongly recommended to have a well-defined roadmap, including assignments regarding who is RACI (Responsible, Accountable, Consulted and Informed) for each task. It also provides a clear statement of milestones and goals, to make sure all teams are aligned and working together. All this is easily enabled when using a platform.

It’s highly recommended to create measures of success that show how the platform and collaboration drive mutual goal achievement. You could have a metric for developers to show how much faster they get code into production. For Security, you could track how the number of vulnerabilities in production is reduced. And you could have shared metrics that recognize star contributors from each team.

Benefits of Software Supply Chain Platform

When it comes to releasing secure quality software in the fastest time possible, Security needs to be able to find and fix vulnerabilities efficiently – with minimal conflict. It’s not about pointing fingers to a specific application, version, project or even developer, it’s about removing friction for the benefit of the teams, and more importantly improving overall business outcomes. Removing friction enables DeVOps and security teams to speed up the entire remediation process, coordinating their efforts to provide a safe fix and distribute it accordingly.

There are many operational and security benefits that come as a result of deploying a platform-based software supply chain solution. They range from overarching goals such as tool consolidation and build integrity to vulnerability management capabilities, including prevention, detection, triage and remediation.

This trend of moving to platforms is also driven by the need to reduce the number of tools used to secure the software supply chain and how to avoid the blind spots caused by trying to mix and match tools without a central supporting framework.

These benefits enable faster release cycles without sacrificing security, which by definition helps remove the friction between DevOps and Security. This also impacts business results, with faster releases, less downtime, compliance verification and more effective responses to vulnerabilities and malicious code.

The Log4j Example

A platform is certainly a good way to start with cases like the infamous Log4J vulnerability,   where operations lacked a centralized repository, causing confusion and delay in precious response time. 

Not having accurate and relevant information regarding the vulnerability, and where it was deployed within the code, caused some DevOps teams to concentrate their limited resources on security measures that weren’t related to the vulnerability. Many didn’t even know whether it originated in their own code or in a third party package. Fragmented visibility of the software supply chain, due to disparate point solutions, delayed responses and increased business damage. 

Had those organizations deployed a centralized platform, their response could have been prompt and focused, quickly identifying where the vulnerability appeared in their code, who was responsible and what updates could be used to remediate the threat in a timely manner.

Better Together – One Team?

In the world of software development and cybersecurity, the success of an organization is very much dependent on getting the security and development teams to work together. Taking advantage of a unified platform, allows DevOps and Security to establish shared processes that remove silos. In the end of the day, all teams are working for the same goal – for the organization to succeed.

A platform enables developers to keep on working uninterrupted, while security gates and controls are applied across all stages of the SDLC. If a vulnerability is discovered, contextualized prioritization and easy-to-understand suggestions for remediation, can minimize the effect on customers and avoid negative business impact.

Leveraging the benefits of a software supply chain platform increases communication and collaboration, automates tasks and workflows, makes it much easier to remove friction, and improves development efficiency alongside overall application security. 

It wouldn’t be an exaggeration to say that software supply chain platforms are becoming the must-have architecture for enterprises seeking to be ready for whatever may be next. From evolving technologies (AI/ML), and practices (MLOps), to new compliance and regulation requirements (PCI v4, DORA and NIS2). A platform is the ideal solution for gaining overall confidence to prevent the next cyber attack without slowing down your business.

Sean Wright
Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Sean Wright.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.