Deb Radcliff reports on DevSecOps happenings at May 17-20 RSA Conference
The recent RSA Conference, held virtually, dedicated a two-day track to DevSecOps and also hosted the DEF CON AppSec Village. The subject also dominated keynotes and discussions on topics ranging from hardware encryption and medical device protection to artificial intelligence.
The field is so hot that it is commanding a 19% pay premium, which ties for the highest pay premium for non-certified skills, according to the Q2 Foote Partners IT skills and pay report. The report defines DevSecOps to include code analysis, change management, compliance monitoring, threat investigation, vulnerability assessment and security training.
Security Applied to DevOps
According to a survey by ZeroNorth released at RSA, 90 percent of the 250 DevOps and IT professionals polled believe that DevSecOps will be a shared responsibility, but a majority also believe that application security teams will be the ones who own DevSecOps processes within the next three years.
“To get this right, particularly in the context of true DevSecOps, these teams need a governance structure and enabling platforms that allow security to set and enforce AppSec standards,” says ZeroNorth’s CEO John Worrall. “AppSec capabilities need to be integrated into DevOps’ existing processes through automation, standards and policies.”
Many security vendors were also shifting left at RSA. For example, John Grimm, VP of strategy at identity and access vendor Entrust, discussed how the company uses a hardware security module (HSM) as the root of trust for key-signing applications in difficult environments such as Kubernetes and other container platforms.
“Developers are dogged by ‘secrets management,’ which means having to go to so many places for authentication credentials, keys, API tokens. They can’t just embed these secrets and tokens into their applications for convenience because they’re such a security risk,” he explains. “The HSM module simplifies all of that. And HSMs provide a higher level of assurance for classified government applications, and highly-sensitive business applications processing customer data and intellectual property.”
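The risk Grimm describes, a credential pasted into source "for convenience," is easy to show side by side with the alternative. The following is an added example, not Entrust's code or anything from the article: a small scanner that flags secret-shaped literals in a constructed source file, and a loader that fetches the secret at runtime from where the platform injects it instead of from the code. The mount directory `/var/run/secrets/app`, the sample source text, and the token values are all assumptions made for this example (the AWS key is AWS's own documented placeholder, and the GitHub token is a made-up string of the right shape).

```python
"""Hardcoded-secret detection and runtime secret loading.

Added example, not from the article or Entrust. The sample source, the
secret values, and the mount path /var/run/secrets/app are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Patterns for common credential shapes. The AWS access key ID prefix (AKIA +
# 16 uppercase alphanumerics) and the GitHub classic PAT prefix (ghp_ + 36
# characters) are documented formats. The generic rule catches any
# `api_key = "..."`, `token: '...'`, `password = "..."` style literal of at
# least 8 characters regardless of provider.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line_number, pattern_name) for every secret-looking literal.

    A line can appear more than once if several patterns match it; that is
    deliberate, since each pattern explains a different reason to reject it.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample of the anti-pattern: secrets embedded in application code.
VULNERABLE_SOURCE = """\
import requests
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdef0123456789abcdef0123"
db_password = "correct-horse-battery"
timeout = "30"
"""


def load_secret(name: str, secrets_dir: str = "/var/run/secrets/app") -> str:
    """Fetch a secret at runtime instead of embedding it in the source.

    First looks for a file named after the secret in a directory mounted by
    the platform (this is how a Kubernetes Secret volume exposes keys; the
    default path here is a hypothetical mount point), then falls back to an
    environment variable of the same name in upper case. A missing secret
    raises instead of silently returning an empty string, so a misconfigured
    deployment fails at startup rather than at the first authenticated call.
    """
    path = Path(secrets_dir) / name
    if path.is_file():
        return path.read_text(encoding="utf-8").strip()
    value = os.environ.get(name.upper())
    if value:
        return value
    raise RuntimeError(f"secret {name!r} is not provisioned")


def demo_secret_load() -> str:
    """Simulate a mounted secret in a temporary directory and load it."""
    mount = tempfile.mkdtemp(prefix="secrets-")
    (Path(mount) / "db_password").write_text("s3cret-from-mount\n", encoding="utf-8")
    return load_secret("db_password", secrets_dir=mount)


if __name__ == "__main__":
    for lineno, rule in find_hardcoded_secrets(VULNERABLE_SOURCE):
        print(f"line {lineno}: hardcoded secret ({rule})")
    print("loaded at runtime:", demo_secret_load())
```

The scanner is the kind of check that belongs in a pre-commit hook or a pipeline stage; the loader is the shape of code that remains once the secret itself lives in the platform's secret store, with the HSM or equivalent behind that store rather than in the developer's repository.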
Automating and Integrating
According to 91 percent of the ZeroNorth survey respondents, automating and integrating application security tools into the DevSecOps pipeline is critical to its success. This represents a huge growth market for vendors in this space, since only 17 percent of respondents to the survey had fully integrated and automated their security and DevOps practices.
Yet development hubs are certainly automating and integrating DevSecOps practices to serve their development communities.
For example, during RSA, medical device and AI company Relay Medical announced its acquisition of IoT security vendor Cybeats, an early adopter of the software bill of materials (SBOM). The Cybeats platform protects critical OT assets from attack while they are in operation, enables device makers to identify and fix security flaws during the product's design phase, and provides end users with OT fleet management tools such as secure firmware updates.
Integrative frameworks of this type were automating DevSecOps processes long before President Biden's Executive Order 14028 on Improving the Nation's Cybersecurity, issued May 12, 2021, called for securing the software supply chain, which puts the DevOps teams using them in a better position to meet the order's requirements.
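An SBOM is only useful if something consumes it, and the most common consumer is a check of every listed component against known advisories. The following is an added example, not Cybeats', GrammaTech's or the article's code: it parses a minimal CycloneDX 1.4 JSON bill of materials, splits each component's package URL (purl) into package and version, and reports components whose version falls inside an advisory's affected range. The SBOM document and the advisory list are constructed for this example, and the advisory identifiers are hypothetical placeholders, not real CVE numbers.

```python
"""Checking a CycloneDX SBOM against an advisory list.

Added example, not from the article or any vendor named in it. SBOM_JSON
and ADVISORIES are constructed; the EX-2021-* identifiers are placeholders.
"""
import json

# Constructed CycloneDX 1.4 document with three components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.example", "name": "json-parser",
     "version": "1.4.2", "purl": "pkg:maven/org.example/json-parser@1.4.2"},
    {"type": "library", "name": "fastxml", "version": "2.9.0",
     "purl": "pkg:pypi/fastxml@2.9.0"},
    {"type": "library", "name": "tlslib", "version": "3.1.0",
     "purl": "pkg:npm/tlslib@3.1.0"}
  ]
}"""

# Constructed advisories: (id, purl without version, first affected version,
# first fixed version). The affected range is [introduced, fixed).
ADVISORIES = [
    ("EX-2021-0001", "pkg:maven/org.example/json-parser", "1.0.0", "1.5.0"),
    ("EX-2021-0002", "pkg:pypi/fastxml", "2.0.0", "2.8.4"),  # fixed before 2.9.0
    ("EX-2021-0003", "pkg:npm/tlslib", "3.0.0", "3.2.0"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version into a comparable tuple.

    Handles plain numeric versions such as 1.4.2; a non-numeric part (e.g.
    '2-beta') contributes only its digits, and missing parts pad as 0. Real
    ecosystems have richer schemes (semver pre-releases, Maven qualifiers),
    which a production checker should delegate to an ecosystem-aware library.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (package, version), dropping qualifiers and subpath."""
    package, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return package, version


def load_components(sbom_text: str) -> list[dict]:
    """Parse the SBOM and return its component list, rejecting other formats."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def affected_components(sbom_text: str, advisories=ADVISORIES) -> list[tuple[str, str, str]]:
    """Return (component name, version, advisory id) for every match.

    Components without a purl are skipped: a name alone is ambiguous across
    ecosystems, and silently guessing would hide a gap in the SBOM.
    """
    findings = []
    for comp in load_components(sbom_text):
        purl = comp.get("purl")
        if not purl:
            continue
        package, version = split_purl(purl)
        v = parse_version(version)
        for adv_id, adv_package, introduced, fixed in advisories:
            if adv_package == package and parse_version(introduced) <= v < parse_version(fixed):
                findings.append((comp["name"], version, adv_id))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in affected_components(SBOM_JSON):
        print(f"{name} {version} is affected by {adv_id}")
```

In a pipeline this check runs against the SBOM the build emits, so a newly published advisory can be matched against every shipped version without rebuilding anything; that is the operational payoff of producing the SBOM in the first place.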
Pro Tip: Learn how GrammaTech’s automated SBOM reporting meets the president’s executive order for software supply chain security.
Artificial Intelligence Hacks
While governance and automation will take DevSecOps to the next level, new technologies such as AI and machine learning will challenge developers in new ways.
In his closing keynote, security futurist Bruce Schneier talked about the dangers of unintended actions taken by AI because it lacks human morals and inference. He provided an example of a ‘smart’ vacuum cleaner learning to drive backward because it could go faster that way since there were no rear sensors. He talked about social media algorithms pushing people toward extremist content because the algorithms deemed those sites to be popular.
What humans consider out of bounds, he adds, is fair game to a computer searching for the most expedient route to accomplishing its task. In other words, AI is the ultimate hacker. As a result, he says, “We won’t be able to recover from a new AI figuring out the loopholes in financial systems.”
AI can also be used defensively, he adds, to automate the search for loopholes a human would otherwise have to infer and to flag behavior that falls outside moral or ethical bounds before it is codified. For example, he explains how to test a new tax law before enacting it.
“Take the text of the tax bill and exploit all vulnerabilities, and in theory patch them before the rich and powerful exploit them,” Schneier advises. “This should be part of all governing infrastructures and must operate at the speed of the information age.”
Pro Tip: Check out GrammaTech’s Safety Documentation Kit to enforce DevOps safety standards for planes, cars, power grids and other critical infrastructure IoT.