Last updated at Tue, 25 Jul 2023 20:58:59 GMT

When it comes to offloading security controls to the cloud, it may seem counterintuitive to the notion of “securing” things. But when we consider the efficiency gained by shifting some security controls right, it makes sense to hand more granular, ground-up responsibilities to a trusted managed-services cloud partner. This can help increase development-and-deployment velocity without compromising the integrity of your bespoke process.

Building a true DevSecOps ecosystem is probably a common goal for most teams. What is not common, however, is the mix of technical and organizational barriers each team runs into. Let’s take a look at some key insights from a 2020 SANS Institute survey on current industry efforts to integrate DevOps and SecOps more closely, and how you can plot your best path forward.

The security landscape

In more traditional environments, security teams often feel they are being left behind by the pace of DevOps. Vulnerabilities are introduced faster than SecOps can find them. The shift is happening on teams that are building continuous delivery frameworks with compliance checks at every stage of the game. It becomes a matter of defending the environment as it is being built.

Currently, about 74% of organizations deploy changes more than once a month, according to SANS. Often these are weekly or daily deployments. So velocity is increasing, mainly to meet customer needs faster. Traditional change approvals and security controls are becoming more like guardrail-style checks. The challenge, then, is to optimize the process while keeping it as secure as possible.

Increasing cloud adoption

From a security perspective, moving to a cloud provider’s shared-responsibility model can better match the pace of DevOps and improve delivery velocity. When both speeds grow responsibly, the business benefits.

  • Compared with traditional setups, cloud-hosted VM platforms let teams spin up processes faster.
  • Adoption of cloud-hosted container services and serverless platforms is accelerating, because vendors are doing more of the provisioning, patching and upgrading for many existing execution environments.
  • More organizations still run on cloud-hosted VMs than on container services and serverless platforms, but that may change, since the latter two options let you shrink your side of the responsibility model further.

Multi-cloud motivations

About 92% of organizations run on at least one public cloud provider. But for about 60% of those companies, the primary motivation for spreading services across multiple providers is not as technical as one might think.

Mergers and acquisitions can cause obvious complexity, as companies interconnect and may run similar processes in different cloud environments such as AWS, Azure, or another provider. There are also decision makers and teams that prioritize a task-based approach and pick the best environment for a particular job. The benefits of a multi-cloud environment can then become drawbacks, as security becomes harder to plan for and understand. No one wants complexity in an approach that is supposed to reduce responsibility and make things easier.

Risk doesn’t translate for SecOps

As more DevOps teams increase their use of JavaScript, traditional security controls do not support popular formats as well as they support older, legacy languages. In this situation there is greater risk. However, in terms of technical debt, an older web application that hasn’t been updated in a while may be just the tip of the iceberg.

Apps built on older languages like Java, .NET and C++ can leave hidden risk behind as teams move to newer languages. So this situation also presents risk. Security teams may not even realize they are blind to the vulnerabilities that exist in these legacy applications as they try to keep pace with DevOps.

The future of shifting left

When it comes to security testing phases, there is still a heavy tendency toward QA. More is being done to integrate those protocols into the process, but baked-in testing has largely not changed significantly.

  • Over the next decade, teams will likely adopt more cloud-based integrated tools such as AWS CodePipeline, Microsoft Azure DevOps, GitHub Actions and GitLab CI. In these cases the cloud provider manages more for you, minimizing attack surfaces and providing more built-in security. GitHub and GitLab in particular are trending toward stronger built-in security.
  • Over the past decade, Jenkins has been the continuous integration tool of choice. However, running 24/7 on premises or in the cloud to manage builds, releases and patches can increase the attack surface.
  • When it comes to container orchestration tools, cloud-managed services like AWS Fargate and Azure container services are starting to be adopted alongside cloud-hosted Docker and Kubernetes. Outsourcing control points and hardening responsibilities is becoming more attractive so that security can shift further left into containers; it simplifies testing and helps ease deployment.
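As an added illustration of what “built-in security” in a managed CI service looks like in practice (this is an example workflow written for this article, not code from the SANS survey or from Rapid7), here is a minimal GitHub Actions pipeline that runs the usual QA stage and then gates the change on a dependency vulnerability audit before anything ships. The repository layout (a Node.js project with a lockfile and `npm test` configured) is assumed; the job name and audit threshold are choices, not requirements.

```yaml
# Added example: a shift-left security gate in a managed CI service (GitHub Actions).
# Assumes a Node.js project with package-lock.json and an "npm test" script.
name: ci-security-gate

on:
  pull_request:
  push:
    branches: [main]

# Least-privilege token for the whole workflow. Jobs that need more
# (for example, to publish a release) must request it explicitly.
permissions:
  contents: read

jobs:
  build-test-scan:
    # Hosted runners are fresh, ephemeral VMs per job, so there is no
    # always-on build server to patch and defend, unlike a self-managed CI host.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies reproducibly from the lockfile
        run: npm ci

      - name: Unit tests (the QA stage most teams already run)
        run: npm test

      # Security gate: fail the build on any high or critical known vulnerability
      # in the dependency tree, so the finding is caught before deployment.
      - name: Dependency vulnerability audit
        run: npm audit --audit-level=high
```

The point of the example is where the gate sits: the audit runs in the same pipeline as the tests, on the provider’s ephemeral runner, with a read-only token. Pinning third-party actions to a specific version (a commit SHA is stricter than a tag) and adding static analysis or container image scanning steps follow the same pattern.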

The future of shifting right

About 65% of the time, responsibility for security testing lies with the actual security team. However, 63% of the time it is the development team that manages corrective actions, according to SANS. These numbers suggest that largely siloed operations are getting in the way of a true DevSecOps approach.

The biggest measure of DevSecOps success is the time it takes to resolve an issue. Aligning teams to tackle an issue quickly can make or break it. Also, identifying issues after deployment can help improve shift-left controls so that the same issues do not escape into production again.

Fully cross-functional work is probably not achievable for every organization. However, moving closer to that goal could help strengthen teams, boost morale and feed back key learnings that ultimately improve the speed of success.

In summary

Ironically, the biggest challenge of all isn’t technical in nature. Red tape within the organization can pose challenges, such as a lack of management buy-in, insufficient budget (open-source tools can help here!), and silos. In addition, a shortage of skilled workers can reinforce older decision-making patterns at the management level.

When it comes to tight teamwork and gaining more time to innovate, it is often a cyclical shift-right dance that improves your efforts when shifting left. For example, can you move further into the cloud rather than building comprehensive security solutions yourself? Offloading can help create more controls that strengthen security alongside DevOps.

No one wants to compromise the integrity of deploying on time, particularly as it relates to customers and your company’s bottom line. Co-sponsored by Rapid7, a recent SANS webinar dives into the key statistics from a new survey on companies and their progress (or lack thereof) in DevSecOps.

To learn more, access the full 2020 SANS Institute survey on extending DevSecOps security controls into the cloud.