Talent Shortage: Stretching Your Lean DevSecOps Team
The cybersecurity talent shortage is real. As of December 2021, a job-tracking database from the U.S. Commerce Department showed nearly 600,000 unfilled cybersecurity positions. And a 2021 study found that 57% of cybersecurity professionals worked at organizations that have been directly impacted by the cybersecurity talent shortage. Even so, many organizations want to “shift security left” or build security best practices earlier into the software development lifecycle (SDLC).
DevSecOps involves creating a shared responsibility model for security and can even help alleviate some of the pressures resulting from the cybersecurity talent shortage. This methodology is a cultural shift that requires thinking about application and infrastructure security from the start and continuously integrating security at every step of the SDLC.
The good news is that a shared responsibility model means developers and operations professionals can learn secure coding and secure infrastructure best practices. In addition, there are existing threat hunting tools within the DevSecOps toolchain, such as security log analytics, that can make discovering vulnerabilities in your applications and infrastructure much easier.
Let’s look at how to leverage your team’s current security resources, and reinforce them with the training and tools to build more secure applications.
Read the Solutions Brief: Scalable Log Analytics for Security Operations and Threat Hunting
Transitioning from a DevOps to a DevSecOps Team
DevSecOps is as much about a mindset shift as it is about talent. Transitioning from DevOps to DevSecOps may seem difficult at first, but when it’s done right it can actually help teams ship secure software faster.
With DevSecOps, security becomes everyone’s job. The traditional, slower feedback loops with security are no longer efficient or effective in a cloud-native application development model. As an alternative approach, DevSecOps empowers development teams to secure what they build at their pace. Ideally, this dynamic creates better collaboration between DevOps and security professionals.
There are a few important steps that help build security practices into the application development lifecycle:
- Bring security engineers into the planning process. When planning an application build, bring security engineers in to advise on infrastructure design and configuration. This layer of diligence can help prevent security misconfigurations, a part of the OWASP Top 10 cybersecurity threat list. Security misconfigurations can happen at any level of the application stack – including network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.
- Train developers on secure coding best practices. Secure coding ensures that secure software features are built from day one, and minimizes reactivity from the security team after the fact. A big part of secure coding is enabling developers to use the tools they’re comfortable with for security purposes. One example is conducting threat hunting with log analysis tools they already use. We’ll cover more about secure software development later, since it’s one of the most crucial pillars of DevSecOps.
- Testing with security in mind.Automated security testing can relieve pressure on DevOps teams to find every possible application vulnerability themselves. Many tools can scan applications to proactively find and fix vulnerabilities, even at runtime. In addition, automated security testing can prevent security teams from becoming gatekeepers that slow down application development and delivery.
Embracing Secure Software Development Best Practices
Secure software development is quickly becoming more prominent in organizations of all sizes. Even though secure coding historically hasn’t been a part of traditional computer science programs, that practice is more frequently built into the curriculum for the next generation of developers. On-the-job secure software development training is often offered to help support the transition to DevSecOps.
Why? Experts say that for DevSecOps, it is better to train developers on security than to rely on sourcing new security talent, which, as mentioned above, is in short supply. In addition, if developers learn secure coding best practices and embrace security as a part of the build process, that lessens the burden on security as a checkpoint at the end of the SDLC.
For organizations that are starting from scratch, there are many credible online resources for developer security awareness training, as well as professional cybersecurity organizations that detail secure coding best practices. In addition, the security team can be seen as a resource to help enable the transition to secure coding.
Leveraging Log Analytics for Threat Hunting and Security Operations
Beyond training alone, tools and automation play a key role in DevSecOps. Many tools DevOps teams use can be a major asset in detecting security threats.
Specifically, enterprise DevSecOps teams are increasingly adopting log analytics for security operations and threat hunting applications. A log analytics solution brings together security and event data from throughout the network, giving SecOps teams increased visibility into potential threats and vulnerabilities. When used in tandem with dedicated cybersecurity tools, such as a security information and event management (SIEM) system, these tools can be an incredibly useful part of the secure SDLC.
Log analytics platforms are especially useful for forensic analysis and understanding how data moves across the network. Cybersecurity professionals can use these platforms to delve into events that may have happened days, weeks, or even months ago. These tools can help identify advanced persistent threats (APT), or threats that linger over a long period of time and cause prolonged damage to high-value targets.
Embracing a DevSecOps Mindset
With the right mindset, your organization can build a DevSecOps team that can leverage existing resources to develop, test and ship secure software throughout the development lifecycle.
Investing in this transition with the right training and tools can empower developers and operations professionals to take ownership of security, transforming the traditional security function from a bottleneck to an enabler. Existing DevOps workflows and tools, such as log analytics, can be an incredible asset in identifying and eliminating security threats to both applications and infrastructure.
Want to learn more about the practice of threat hunting for SecOps teams?
Check out the Threat Hunter’s Handbook
Download the Whitepaper: Ultimate Guide to Log Analytics