Ron Ross has seen the evolution of cybersecurity and technology over the past four decades. Computers are being pushed to the edge and used for entertainment, power plants, and medical purposes, not to mention their use in the most critical weapons systems, space systems, etc.
DevSecOps can be a game-changing approach to make systems more secure.
What Is an Attack Surface?
Today’s systems consist of many elements such as applications, middleware, firmware, etc. These complex systems include trillions of lines of code, billions of devices, and worldwide network connectivity. Complexity increases the attack surface of a system and therefore its vulnerability. The attack surface is the space an adversary can see or get to in order to launch an attack. Modern systems face a growing number of threats and a growing attack surface.
What Leads to a Cyberattack?
Some people say that they can manage vulnerabilities using the penetrate-and-patch approach. However, they often don't know enough about threats and vulnerabilities to adequately defend their systems. The Defense Science Board categorizes vulnerabilities leading to cyberattacks into different classes:
- Known vulnerabilities: These vulnerabilities have already been identified, and their fixes are prioritized based on criticality. This process continues until all the known vulnerabilities are patched.
- Zero-day vulnerabilities: These are the vulnerabilities that the adversary identifies in your system that you don't know about. The adversary launches the attack, and you have no mitigation for it. Once the attack happens and the damage is done, the vulnerability becomes a known vulnerability.
- Adversary-created vulnerabilities: These usually come from attacks sponsored by a nation-state or state. Here, an adversary takes control of your system and establishes a long-term presence. Then they create new vulnerabilities in the system.
Zero-day vulnerabilities and adversary-created vulnerabilities are typically off your radar. In most cases, even the best tools fail to identify them.
Ross says that the key challenge in security is keeping up with technological innovations. People have very little understanding of the systems they use. As a result, there's less visibility, transparency, and traceability. These technologies are being used in many critical systems, and a cyberattack can lead to great damage.
Think about the ocean. There are two spaces when looking at the water from land: one is above the waterline, and the other is below the waterline. This analogy works for cybersecurity. There is work in cybersecurity above the waterline, where developers can control things. And there is work below the waterline where the consumers have to take the risk.
Most of the action happens below the water. But best practices haven’t been applied here, where it really matters. Code will always have weaknesses and deficiencies. So how do you build better software?
Dealing With Security Complications
You can't control the threat space. But you can focus on reducing vulnerabilities. First, when building systems, consider security and privacy requirements along with the business requirements. Most importantly, practice secure coding and implement best practices while building systems.
DevSecOps offers a platform to make fundamental changes. If you generally follow the penetration resistance strategy, you build the system to be as secure as possible and hope for the best. This stops around 80% of cyberattacks. But 20% is more than enough to cause serious damage. More extensive strategies are needed.
The next strategy would be to build a damage-limiting, or zero trust, architecture. Here, you take the perimeter of the system and collapse it. You still have strong authorization, authentication, and access control, but now they're in small parts, which slows down the attack and breaks the attack sequence. Along with this, using micro-virtualization will increase the refresh rate, so the system will be churning faster than the adversary can exploit it.
How DevSecOps Helps
DevSecOps helps to implement security in the earlier stages of the software development life cycle (SDLC). It brings the development, operations, and security teams together. As a result, there's rapid turnaround time. With DevSecOps, you can apply decades of experience in code review, AppSec, secure configuration, secure operations, etc. earlier in the system. You can train development teams in these security concepts. Developers can then identify security issues while things are still in development and fix them right there.
If you get DevSecOps right, there will be more transparency and traceability of security aspects of the system. And when you achieve this, it'll lead to greater trust. You want your systems to be resilient. They will fail sometimes, but failure will be rare and won’t create a catastrophic situation. To help with DevSecOps, NIST is looking at developing a DevSecOps framework.
Ross also recommends a few sources for observing best practices in DevSecOps:
- SP 800-53 Rev. 5 - Security and Privacy Controls
- SP 800-160 Vol. 1 - Systems Security Engineering
- SP 800-160 Vol. 2 - Developing Cyber Resilient Systems