By Michael Johnson, Business Leader
The business of hacking has reached maturity. Data has become “the new oil,” and its value has drawn the attention of organized crime and other professional hacking groups. As a result, the threat level of many hacking groups has increased dramatically as breaking into computer systems has become a profitable business.
In the aerospace and defense industries, the value of the data stored on computer systems is significant. Even if data is not considered classified as a matter of national security, the value of an organization’s intellectual property can be what determines their ability to remain profitable and operate in the space.
Traditionally, attackers have had the advantage in the cybersecurity space. They often have access to specialized talent, time to spend on analysis and testing, and an unfair asymmetry in what is considered “success” compared to cyber defenders. However, by following DevOps principles and using its tools, a developer can shift the balance of power back in the direction of the defender.
The Cyber Attacker/Defender Asymmetry
Cybersecurity is a challenging field. The number of data breaches in the news each day demonstrates how difficult it is to adequately protect systems from attack. As data becomes more valuable, organized crime and other hackers are increasingly motivated to search for and exploit vulnerabilities in software.
Cyber defenders also have an unfairly asymmetrical relationship with hackers. When attempting to secure a system, a cybersecurity practitioner needs to identify and remediate every possible vulnerability in every application and system. On the other hand, a successful hacker only needs to find and exploit a single vulnerability to gain access to the protected network.
In order to secure their systems, cyber defenders need to ensure that any vulnerabilities that may be present in their software are impossible for an attacker to find. The use of vulnerability scanners and other penetration testing tools can help with this; however, they are often incapable of detecting vulnerabilities introduced by flaws in the design of the software or more buried implementation errors. Reducing the vulnerability of software to attack requires building security into the system from the very start.
DevOps: Improving Software Security
Developers have the responsibility of creating software that does not contain exploitable vulnerabilities. The complexity of most modern software makes this a difficult, if not impossible, task using traditional development practices.
With traditional design methodologies, software is often treated as a whole, with a large development team building the entire project as one piece. Typically, there is also a great deal of role specialization within the design process, with the development team being distinct from the testing team. As a result, testing only occurs near the end of the project by a team that may not have been involved in the development process and may have an imperfect understanding of the product. As a result, bugs and oversights go undetected in testing and continue on to production.
DevOps practices take a completely different approach to software development, taking advantage of the modern technology that is available. In the design phase, the purpose of the product is clearly defined, including the creation of user stories, and the design is modularized. Each module has a clear purpose and well-defined interconnections to other modules.
Once development has begun, code and tests are created in parallel by the same developer. As a result, test cases are created by an expert on the system and the code is developed in a way that ensures compliance with all requirements and tests. After a component is completed, it is managed used continuous integration and testing systems that ensure that each new submission to the code repository is correct and passes all tests before it is accepted. Any errors that cause code rejection can be identified and corrected rapidly, minimizing their impact on the development process.
Secure by Design
Using DevOps methodologies for product development provides the developer with the tools and techniques needed to overcome the asymmetry between a cyber defender and attacker. The level of product understanding necessary to properly define requirements, create user stories, and write unit tests for software dramatically increases the probability of an oversight that would introduce a design vulnerability. The development of testing code in parallel with product code ensures that tests are written by the most qualified individual available and, if done properly, makes it extremely unlikely for an implementation error to continue to production undetected. By making full use of DevOps tools and techniques, developers can give cyber defenders a significant advantage in preventing and mitigating cyber attacks.