CISOs and security teams are playing a larger role in application security today. But is that a good idea?

Cybercriminals are regularly launching low-level phishing and impersonation attacks against development teams to gain access to credentials and abuse privileges that enable them to compromise entire application environments.

Yet, the Gartner Hype Cycle for Agile and DevOps2020 indicated that DevSecOps is still in the early stages of mainstream adoption.

Cybersecurity teams are starting to play a much larger role in application security as organizations look to implement a more systematic approach to securing software development lifecycles and supply chains on an end-to-end basis.

Many developers are shouldering the task themselves, often managing application secrets directly within their applications in the name of simplicity and speed. But if those applications are compromised, all the secrets stored by the developer are readily available in plain text.

Rather than relying on developers who often lack security expertise to manage application secrets, more organizations are shifting that responsibility to cybersecurity teams with the backgrounds and technical acumen needed to address fast-evolving threats.  

Given the current emphasis on CI/CD pipeline vulnerabilities, security teams are getting responsibility for the application secret management problem as part of an effort to ensure that every application secret is protected.

Jeffrey Kok, Vice President, Solution Engineers, APJ, CyberArk

How are the roles of CISOs, security teams and developers panning out? CybersecAsia sought out some insights from Jeffrey Kok, Vice President, Solution Engineers, Asia Pacific and Japan, CyberArk.

With DevOps teams having high-level access to data and networks, and therefore highly targeted by cybercriminals, what are the cybersecurity challenges organizations face today?

Kok: Cybercriminals are regularly launching low-level phishing and impersonation attacks against development teams to gain access to credentials and abuse privileges that will enable them to compromise entire application environments. While empowering organizations with more efficiency and speed, the development and operations (DevOps) process is also dramatically expanding the attack surface across the entire enterprise. 

According to CyberArk’s CISO View research, as DevOps engineers have high-level access to sensitive company assets, they are relentlessly being pursued by attackers, which means they need more protection.  Added to this, there are significant challenges in the emerging DevOps world that security teams need to consider.

With regards to the DevOps toolset itself, for example continuous integration (CI) and continuous delivery (CD) tools for configuration management and CI servers, the number of components that have administrative access and that need to communicate is ever-increasing. Due to micro services and containers, there are far more modules that need secrets in order to work properly and, thus, far more secrets than ever before.

The need, therefore, is for organizations to adopt automated protection for these dynamic and highly automated environments. The security solution must integrate tightly with developer environments and libraries, as well as the runtime environments of these new applications.

How is the role of the CISO changing and why do they have to start paying attention to application security?

Kok: Many developers are shouldering the task themselves, often managing application secrets directly within their applications for simplicity and speed. However, if these applications are compromised, all the secrets stored by the developer are readily available in plain text. Developers are already under pressure trying to keep up with the speed at which applications must be built. With security management being done manually and detached from existing workflows, the probability a developer will make a mistake when managing application secrets increases with each new project.

Cybersecurity teams are starting to play a much larger role in application security as organizations look to implement a more systematic approach to protecting software supply chains on an end-to-end basis. Chief Information Security Officers (CISOs) must ensure that the organization’s entire app portfolio is secured.

Given the current emphasis on CI/CD pipeline vulnerabilities, security teams are taking responsibility for the management of application secret as part of an effort to boost security. Rather than relying on developers who often lack security expertise to manage application secrets, companies are shifting that responsibility to cybersecurity teams that have the proper background and technical expertise needed to address fast-evolving threats.

Whose responsibility is it to secure applications with DevSecOps best practices?

Kok: The management of applications secrets is a discipline that has only relatively recently emerged. However, armed with the clear mandate to secure applications is a rapidly digitizing world, CISOs are pursuing a top-down approach as part of an effort to ensure that every application secret is protected. As ownership of secrets management is now being shifted to security teams, organizations are generally either pursuing a prescriptive approach to managing secrets across their entire software portfolio or providing developers with a self-service platform through which application secrets are tightly managed.

The shift in the responsibility is occurring at a time when many organizations are trying to implement the best development, security and operations (DevSecOps) practices by shifting more responsibility for application security away from the developers. The challenge is that developers are already hard-pressed to keep up with the current rate at which they are being asked to build applications, and if security is not automated and integrated into existing workflows, the probability a developer will make a mistake managing application secrets increases with each new project.

Each organization will need to identify the best approach to managing application secrets themselves. Some are prioritizing their efforts based on the level of risk to the business, while others are focusing on applications built by, for example, DevOps teams that are more open to adopting new processes as part of ongoing efforts to automate application development and deployment.

Regardless of who takes responsibility for application security, it is clear that application secrets management should be handled with a greater sense of urgency, ideally encrypted and then stored in a digital repository that is really difficult (and expensive) for attackers to try to crack.

How can organizations seamlessly integrate security into agile development processes at the early stages?

Kok: DevSecOps is primarily about people — it requires communication, collaboration, empathy and cultural change. It highlights the need to engage security teams from the start of DevOps initiatives while empowering developers to easily adopt security best practices without slowing down.

Developers and DevOps leaders should include representation from security early in key initiatives and secrets management decisions. By collaborating earlier in the development processes, security can be improved without impacting DevOps velocity.

To succeed in implementing DevSecOps, specifically through Privileged Access Management, security teams should consider the following steps:

  1. Work closely with Software Engineering and IT/DevOps operations to make it easy for developers to secure their applications. It is vital that Software Architects, Developers, and DevOps/IT Operations support the concept and understand why security should be integrated early in to the agile development process. They also have to appreciate that the process does not slow down their development work, but speeds it up by delivering simple integration points.
  2. Security teams should isolate applications whenever they are using APIs of any security service in applications.  This will allow security teams to change the underlying security services without changing codes.
  3. Privileged Access Management and secrets management for DevOps infrastructures is essential, but teams can get more value by integrating them together. Follow an integrated and consistent approach to all of Privileged Access Management with centralized management of privilege, secrets, and other credentials.

Regardless of the approach, giving security an equal priority alongside development and operations is critical for any organization engaged in application development and distribution. Choosing to do nothing or delaying the process of securing the secrets and CI/CD pipelines simply worsens the security challenges and compounds technical debt as the number of unprotected secrets grows.