by Klaus Kurz, Sr. Director Solution Consulting at New Relic
According to Verizon’s Data Breach Investigations Report 2022, 82% of security breaches in companies involve the human factor. The reasons are many, ranging from social engineering and operator error to deliberate misuse. But there are ways to close at least some of these entry points. One principle applies: security cannot be the task of security teams alone. Every member of an organisation must take responsibility for good security habits – including software engineers.
Fostering security awareness in DevOps teams can be very important for companies that want to improve their cyber defences. Engineers committed to cyber security are aware of potential threats and vulnerabilities, as well as the overall reliability and integrity of applications. This approach ensures that each link in the ‘enterprise’ chain is strong and cyber-secure, rather than relying on just one entity responsible for security. Responsibility is shared, which also takes the mental pressure off security teams and can reduce the stress levels of individual employees.
Here are six steps companies can take to improve their cyber security and build a true security mindset in their DevOps teams:
Know before you go: Create a comprehensive training programme
Engineers cannot be expected to integrate security into the development process if they have never been taught to do so. An effective security training programme will include a comprehensive list of potential vulnerabilities, as well as detailed information on how the various steps of application development interact and present potential security risks. From architecture to code to testing, every engineer must be aware of how potential attackers can exploit the technology. Security training programmes must therefore be tailored to the needs of the organisation and take into account the specific policies and processes that employees deal with every day.
To the left: “shift-left” mentality
Secure development starts with the first line of code. Engineers should be encouraged to think about how to make their application secure as early as possible, rather than checking for vulnerabilities only at the end of the development cycle. Integrating security considerations into each step of the development process prevents big problems from waiting at the end of the road.
Go hard or go home: no detours
Developers are conditioned to act quickly and to seek constant optimisation. But when it comes to security, shortcuts or cutbacks can quickly lead to disaster. Even if it seems petty, software engineers need to take the time to check things like supposedly safe default settings that could put their team at risk, including insecure default passwords and unhardened operating systems. No one knows an application better than the person who developed it. DevOps teams should therefore take the time to attack their own code, find out how someone else could gain access, and then work to fix those vulnerabilities.
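The kind of default-settings check described above can be automated so that it runs on every build rather than relying on someone remembering to look. The following is an added example, not code from New Relic or from the article; the KEY=VALUE config format, the rule set and both sample configurations are constructed for illustration, and the list of default credential values is a deliberately short placeholder.

```python
"""Audit a deployment configuration for risky defaults before it ships.

Added example (not the article's or New Relic's code). The config format,
the rule set and the sample configs below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Placeholder values that vendor templates commonly leave in place (constructed list).
DEFAULT_CREDENTIALS = {"admin", "password", "changeme", "root", "default", ""}
MIN_CREDENTIAL_LENGTH = 12


@dataclass(frozen=True)
class Finding:
    key: str
    problem: str


def parse_config(text: str) -> dict:
    """Parse simple KEY=VALUE lines. '#' starts a comment anywhere on a line,
    blank lines are ignored and keys are lower-cased for matching."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[key.strip().lower()] = value.strip().strip('"').strip("'")
    return config


def audit_config(config: dict) -> list:
    """Return one Finding per setting that matches a risky-default rule."""
    findings = []
    for key, value in config.items():
        lowered = value.lower()
        if re.search(r"(password|passwd|secret|token)$", key):
            if lowered in DEFAULT_CREDENTIALS:
                findings.append(Finding(key, "default or empty credential"))
            elif len(value) < MIN_CREDENTIAL_LENGTH:
                findings.append(Finding(key, "credential shorter than %d characters" % MIN_CREDENTIAL_LENGTH))
        elif key == "debug" and lowered in {"1", "true", "yes", "on"}:
            findings.append(Finding(key, "debug mode enabled"))
        elif key in {"bind_address", "listen"} and value in {"0.0.0.0", "::", "*"}:
            findings.append(Finding(key, "service listens on all interfaces"))
        elif key == "tls_verify" and lowered in {"0", "false", "no", "off"}:
            findings.append(Finding(key, "TLS certificate verification disabled"))
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse then audit."""
    return audit_config(parse_config(text))


# Constructed sample: a config copied straight from a vendor template.
SAMPLE_RISKY = """
# values left exactly as shipped in the template
db_password = changeme
api_token = "s3cr3t"
debug = true
bind_address = 0.0.0.0
tls_verify = false
"""

# Constructed sample: the same settings after review.
SAMPLE_HARDENED = """
db_password = "Xq9vL2mPq7rT4wZ1"
api_token = "7f3c0a91d2e84b6f9c1a"
debug = false
bind_address = 127.0.0.1
tls_verify = true
"""

if __name__ == "__main__":
    for label, text in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for f in audit_text(text):
            print("  %-14s %s" % (f.key, f.problem))
```

Wiring a check like this into the CI pipeline (failing the build on any finding) turns the "take the time to check" advice into something the team cannot skip under deadline pressure; the rule table is where the organisation's own policies from the training programme would go.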
Together forever: Encourage collaboration and peer reviews
No one is perfect. The above data on human error in security breaches clearly shows that teams need to take more time to review their work and ensure that no mistakes are missed. No matter how experienced a developer is, developing blind spots in your own code (after looking at it for what feels like the 3000th time) is human and perfectly normal. Companies should therefore develop systems for peer reviews in which teams check each other’s work. This is the only way to significantly reduce the likelihood of an error or vulnerability reaching production.
Nobody is an island: Maintain detailed libraries
Regardless of size or task, every company works with a large number of software solutions, applications and microservices on a daily basis: practically no software solution today stands alone without being connected to another system in some way. Engineers need to look beyond their own development and consider the vulnerabilities in internal tools and third-party services. Security-conscious companies should develop systems to check libraries for vulnerabilities and actively maintain them over time. Constant vigilance is the key to avoiding security vulnerabilities.
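A minimal version of the "system to check libraries for vulnerabilities" the paragraph calls for is a job that compares every pinned dependency against an advisory feed. The following is an added example, not code from New Relic or from the article; the advisory records, their EXAMPLE-000n identifiers, the package names and the lockfile are all constructed, and a real system would pull advisories from a feed such as OSV or the GitHub Advisory Database and parse the project's own lockfile.

```python
"""Flag pinned dependencies that fall inside a known-vulnerable version range.

Added example (not the article's or New Relic's code). Advisories, package
names and the lockfile below are constructed for illustration.
"""
import re


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3). Missing components count as zero and a
    pre-release suffix such as '2.0.1rc1' is ignored (simplification: real
    code would use packaging.version, which orders pre-releases correctly)."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_in_range(version: str, introduced: str, fixed) -> bool:
    """Affected if introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def parse_lockfile(text: str) -> dict:
    """Parse requirements-style 'name==version' lines into {name: version}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)==([0-9][\w.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


# Constructed advisory records with placeholder identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "somelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "package": "otherlib", "introduced": "0", "fixed": None},
    {"id": "EXAMPLE-0003", "package": "somelib", "introduced": "2.0.0", "fixed": "2.0.5"},
]


def find_vulnerable(pins: dict, advisories: list) -> list:
    """Return (package, pinned_version, advisory_id, fixed_version) for every
    pinned package whose version lies inside an advisory's affected range."""
    hits = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version and version_in_range(version, adv["introduced"], adv["fixed"]):
            hits.append((adv["package"], version, adv["id"], adv["fixed"]))
    return sorted(hits, key=lambda h: (h[0], h[2]))


# Constructed lockfile for the sample run.
SAMPLE_LOCKFILE = """
somelib==1.3.9    # inside EXAMPLE-0001's range, fixed in 1.4.2
otherlib==3.1.0   # EXAMPLE-0002 has no fix yet: every version is affected
thirdlib==0.9.1   # no advisory
"""

if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_lockfile(SAMPLE_LOCKFILE), ADVISORIES):
        action = "upgrade to %s" % fixed if fixed else "no fix available, mitigate or replace"
        print("%s %s: %s (%s)" % (pkg, ver, adv_id, action))
```

The "maintain them over time" part of the advice is the scheduling: the advisory feed changes daily, so the same lockfile has to be re-checked on a timer, not only when it is edited. The no-fix case (EXAMPLE-0002) is the one that needs a human decision rather than an automatic upgrade.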
Don’t stop moving: stay ahead of the game
Cybersecurity is dynamic. Criminal groups in particular will constantly evolve, refine their methods and look for new ways to gain access to valuable resources, because that is precisely their business model. Software engineers should therefore be encouraged to stay ahead of the latest cybersecurity trends and keep their skills and knowledge up to date in order to minimise security risks, be it by reading relevant publications, regularly attending conferences or simply by establishing channels for knowledge sharing within the company.
Conclusion
Every software developer wants their tools and applications to be successful. And in an economy increasingly threatened by cyber security risks, success and security are inextricably linked. It is therefore crucial to integrate security into the development process from the beginning, through the measures above, in order to create a stable foundation. DevOps teams need to start treating security as a success criterion in order to achieve reliability and maximum performance.