They say that the best time to plant a tree is yesterday; the second best time is today.
But too many people plant the seeds of cybersecurity late in the process of developing their digital services.
A new concept proposes a better way. Known as ‘shift left’, it means that security should be built into the software development lifecycle (SDLC) rather than bolted on afterwards.
IT development and operations were traditionally split, but over the past few years we have seen them drawn closer together. Yet security is often still left lingering in the wings, and not brought in until the code is already in production.
Now, we are seeing ‘DevSecOps’ bring security thinking into that process. This is especially important where automation handles routine tasks: a vulnerability in an automated pipeline can replicate the same flaw across many systems.
How to do it
So how can an organisation ‘shift left’? There are five key steps to this, according to a new guide from CyberArk.
First, get the right skills into the right places. While developers write the actual code, it’s important for security teams to gain knowledge about programming languages along with how applications are built, tested and deployed automatically.
Second, train the developers in security processes, and introduce a robust security policy for the automated processes.
Third, set up formal systems to ensure that DevOps practitioners understand security risks and implement good security practices.
Fourth, get developers to think like attackers. Show them specific tactics, and sample code modules that could expose secrets. Red teaming is also valuable, where a team will mimic the actions of a hostile hacker group.
Finally, incorporate agile methodologies within security teams, to ensure that there are constant, incremental improvements.
Government’s fast move to the cloud unlocks great rewards, but can also increase the risks for agencies.
Both DevOps and cloud computing bring a key change to the cyber risk landscape: the use of human and machine credentials that are exceptionally powerful and highly susceptible to compromise.
For example, AWS access keys can be harvested in minutes from GitHub, according to the experts at CyberArk. This happened to Uber, where credentials were exposed through a code sharing site and hackers could access a data store in the cloud containing private data on 57 million people.
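One way to catch the kind of leak described above before it reaches a code-sharing site is a pre-commit scan of the files about to be committed. This is an added example, not code from the article or from CyberArk; the regular expressions, the allowlist and the sample file contents are constructed for illustration.

```python
"""Pre-commit style scan for AWS access key material in text files.

Added example: flags the long-lived access key ID format and a neighbouring
secret key assignment so a credential is blocked before it is pushed.
"""
import re
import sys
from typing import List, Tuple

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-lived user keys, ASIA for temporary STS keys) plus 16 uppercase
# letters or digits.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character token assigned next to an "aws ... secret" keyword is
# treated as the matching secret access key.
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)
# Well-known documentation placeholder, not a live credential.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# Constructed sample input; these are not real credentials.
SAMPLE_CONFIG = """\
# constructed sample, not a real credential
aws_access_key_id = AKIATESTEXAMPLE00001
aws_secret_access_key = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN
doc_key = AKIAIOSFODNN7EXAMPLE
"""

def redact(value: str) -> str:
    """Keep only the first and last four characters for the report."""
    return value[:4] + "..." + value[-4:]

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for key in ACCESS_KEY_RE.findall(line):
            if key not in ALLOWLIST:
                findings.append((lineno, "access_key_id", redact(key)))
        for secret in SECRET_KEY_RE.findall(line):
            findings.append((lineno, "secret_access_key", redact(secret)))
    return findings

def check_paths(paths: List[str]) -> int:
    """Scan each file; return 1 (block the commit) if anything is found."""
    blocked = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, kind, value in scan_text(fh.read()):
                print(f"{path}:{lineno}: possible AWS {kind}: {value}")
                blocked = True
    return 1 if blocked else 0

if __name__ == "__main__":
    sys.exit(check_paths(sys.argv[1:]))
```

Wired in as a pre-commit hook over the staged files, a non-zero exit stops the commit; the allowlist keeps documentation placeholders from producing noise.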
This doesn’t mean that progress should pause. Instead, agencies should seek out expert help to ensure that they incorporate security measures as they procure cloud services, and as they introduce new ways of working as a result.
CyberArk stands ready to assist with this journey: planting the trees of cybersecurity early, so that agencies may reap a forest of benefits.
Watch a webinar now that sets out detailed advice on these processes.
CyberArk will be at GovWare Focus from 7-8 October. Drop them a visit at Hall 1 to see how to redeem an exclusive CyberArk branded t-shirt.