This interview with Cindy Blake, GitLab Senior Security Evangelist, focuses on helping Federal Health agencies bridge development and application security.
Aligning DevOps and Security
Traditionally, security and DevOps have lived in different places and involved disparate tools that didn’t always mesh. In the pursuit of DevOps and Agile, there is a focus on making smaller changes and pushing them through to production. That also means we need to take those smaller pieces and also examine them with a security view. There are many tools that have been developed for a more waterfall approach, but they don’t scale well in the faster, higher velocity software development style that we now know is more efficient and effective.
The Spirit of DevOps
The true spirit of DevOps is about empowering individuals to be efficient and to improve collaboration. Instead of having a security assessment at the end of whatever changes may be taking place, it is important to enable developers to fix vulnerabilities as they move along.
In older methodologies, the security practitioner would find an issue and then have to trace back to see where it was introduced, understand who might be able to fix it, and then arrange remediation work on that person’s schedule. It’s likely that person had already moved on to something else, creating friction and lost time as they go back and try to understand where they were and what they had been trying to achieve.
Embracing the Moment
There was a NIST study done in the early 2000s that suggested fixing code in the moment creates cost savings of nearly 30 times over having to go back and remediate issues later.
We can enable developers to be self-sufficient by embracing security scanning automation and using it to provide scan results to them while they are still working on the code. By building this feedback into their workflow, they can see immediately that they created a vulnerability before merging their code into the main branch. Context and accountability are provided with clear cause and effect.
Overwhelmingly, developers want to develop good code. They do not want to be ‘that person’ that brought down an organization. Empowering them to have the ability to course correct builds morale as members of the team, teaches them what works and what doesn’t as they go, and strengthens overall efficiencies.
Collaboration and Transparency
Tools specifically designed for this kind of seamless workflow create a single source of truth for the developer and the security team to collaborate. The security practitioner gains visibility into actions taken by the developer on vulnerabilities that remain after their code is scanned and merged (a.k.a. pushed) into the rest of the project. Everyone can see what issues/tickets were created to fix security flaws that were too big or too complex to be resolved in the moment. They can also see what findings were dismissed and why, and what vulnerabilities remain to be resolved.
Moving forward in this manner requires a culture change to some degree. Having a single tool to provide a collaborative view is much better than a jumble of proprietary tools that are each in their own silo. There will always be more developers than security people, so if you can empower the developer to do their job and do it well, the security team can focus on automating policies and evaluating their efficacy. With automation, you create less friction and greater efficiency.
The COVID Confirmation
DevSecOps absolutely supports a remote work environment, and that has been clearly demonstrated during the COVID crisis. Early on in the pandemic, we heard from security teams that they had set a policy in place and assumed everything was flowing through proper channels. They also noted that without the right tools in place, they had no way of knowing whether those policies were being followed or how many times people were just popping their heads over their cubicle wall to ask the neighbor for an exception. When everyone was working from home during the pandemic, the frequent exceptions became more visible. Security teams soon discovered that exceptions were the norm, essentially negating their policies’ intended control points. They needed automation, paired with transparency created from a united view, so that policies could be applied consistently and their effectiveness more easily assessed.
Advice for Federal Health Agencies
The importance of Federal health missions cannot be overstated during a global pandemic. Automation and security of the underlying systems and data will speed the nation’s ability to approve and distribute a vaccine, provide treatment, and disseminate key health guidance and data.
Embracing DevSecOps creates an opportunity for efficiency in development across the board. It relies on automation to remove manual effort. Transparency provides visibility to more easily understand what is working and what is not. Immediate feedback allows the developer to learn to write better code. Static and dynamic analysis each provide insight into different types of security flaws. Combining these with container and dependency scanning, while providing this robust feedback as code changes are made, creates a powerful educational opportunity. Developers gain insight while they are still hands-on in the code, where feedback is relevant, contextual, and most effective.
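The workflow the interview describes, scanning every change before it is merged so the developer sees findings while still in the code, is easiest to understand as a pipeline definition. The following .gitlab-ci.yml is an added example written for this page; it is not code from the interview or from GitLab itself. It assumes a project that builds a container image; the template paths are GitLab's published security templates, while the stage layout, the build job, and the DAST_WEBSITE value are constructed placeholders for illustration.

```yaml
# Added example (not from the interview): run static analysis, secret
# detection, dependency scanning, container scanning and dynamic analysis
# on every pipeline, so findings reach the developer before merge.
stages:
  - build   # produce the image that container scanning will inspect
  - test    # SAST, secret detection, dependency and container scanning run here
  - dast    # dynamic analysis runs against a deployed copy of the app

include:
  # GitLab-maintained templates; each adds a job in the stage above.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml

variables:
  # Image for container scanning: one tag per commit, so a finding maps
  # directly to the change that introduced it (the "cause and effect" above).
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  # DAST needs a running instance of the application. Placeholder URL;
  # in practice this points at a review or staging deployment.
  DAST_WEBSITE: https://review-app.example.invalid

build-image:
  # Constructed build job for this example; the project's real build
  # steps go here. It publishes the tag that CS_IMAGE refers to.
  stage: build
  image: docker:latest
  services:
    - docker:dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

Each scanner job writes a report artifact that is attached to the pipeline, so the developer, the reviewer and the security team all look at the same result for the same commit rather than at separate tool dashboards. Tying the scanned image tag to the commit SHA is the design choice that makes later triage (which change introduced this, who can fix it) a lookup instead of an investigation.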
Many agencies have taken a DIY approach, cobbling together their favorite scanners and trying to provide the results to the developer using APIs and plug-ins. Not only is that approach time consuming, it is also fragile. Each tool has its own upgrade path. Any one change can break the whole chain. Think of how many times you personally have had to upgrade an application on a computer with other apps or functionalities breaking as a result.
That is what will inevitably happen with a piecemeal approach. You’ll end up chasing your tail trying to maintain a working solution.
It’s important to think about where you want to be in two years and what you need to do differently to get there. Can your current security solutions keep up with the velocity of DevOps? If so, how much more will those siloed security solutions cost once DevOps is fully implemented? Does your toolchain provide insight across tools to see who changed what, where, and when, and whether security policies were followed or not?
Transparency and collaboration are harder to achieve in a pieced-together solution. Look for partners with end-to-end solutions to optimize the whole system, not merely sub-components. It may mean that we need to give up a component we really like…but consider balancing preference against what is lost by not having a full end-to-end view. It may require a culture shift, but security, integrated into development, can break down silos and get teams working together to reduce risk and improve efficiency of the agency.
New Ways of Working at the FDA
Workloads and transactions at the Food and Drug Administration are significantly increasing in ways they’ve never seen before. Meanwhile, the data and technology available to make better safety and regulatory decisions also grows. How can the agency solve for this exponential growth while budgets remain flat?
Through the Technology Modernization Action Plan (TMAP), the FDA has adopted a culture of modernization and continuous improvement. Shifting security left as DevSecOps and Agile processes are adopted is a focus of their product development strategy. This approach allows the Agency to deliver incremental value through small changes that are deployed with speed, security, and high quality. A simplified DevSecOps toolchain will streamline their product development and contain costs by eliminating legacy or redundant systems and identifying and remediating software vulnerabilities sooner.
The current pandemic highlights why agility and speed are so important. Every single day, about 1,000 American lives are lost just to COVID-19. Through good technology and data, the FDA can reduce internal cycles to get a therapeutic or vaccine out to potentially save those lives. Expand that to the breadth of products the FDA regulates, and it adds up to countless treatments and therapies becoming available to profoundly impact numerous communities nationwide.
About Cindy Blake
Cindy Blake is the Senior Security Evangelist at GitLab, a leader in the DevOps market with an innovative single application approach for the entire software development lifecycle. Cindy collaborates around best practices for integrated DevSecOps application security solutions with major enterprises. Her book, “The CISO’s Guide to Securing Next-Gen Software,” combines nearly a decade of cyber security experience—including app sec, endpoint security, and Security Information and Event Management (SIEM)—with a background in lean and software development to simplify the complexities of today’s software evolution into pragmatic advice for security programs.
GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate. GitLab helps teams accelerate software delivery from weeks to minutes, reduce development costs, and reduce the risk of application vulnerabilities while increasing developer productivity.