The Missing Piece in DevSecOps

Introduction and Summary    

DevOps ways of working is creating great business values for companies. It also creates new requirements, challenges and opportunities for the cyber security practice, which is evolving towards what is often called DevSecOps. While the exact definition of DevSecOps vary, the core is the same; DevSecOps is about embedding Security into DevOps ways of working.  

While DevSecOps offers great potentials, it is also a challenge in practice for many CISOs and DevOps teams. To make DevSecOps practically viable, automated tooling has a key role. Today, companies typically leverage several automated tools. However, they are to a large extent separate silos that identify separate lists - most often long lists - of risks and vulnerabilities. This creates complexities, inefficiencies, costs, and risks, and do often slow down DevOps organizations.   

A key capability has been missing in the toolset. A tool that “connects the dots”, providing an automated capability to cut through complexity, and continuously identify, contextualize and prioritize vulnerabilities, risks and mitigation actions from a holistic perspective. A capability that enables DevOps teams to get continuous insights on key questions as “Are we secure enough?”, “What are the weakest links?” and “What of all things possible should we do to improve our security posture?”. And enables the CISO function to get a crucial overview and tracking of the security risk posture and get pin-pointed insights when and where needed.  

This capability is now available and is being leveraged by leading CISOs and DevOps teams in practice!  

This text provides foreseeti perspective on the state of DevSecOps, and describes how automated threat modeling and attack simulations provide a central capability that unlocks the full potential of DevSecOps. It includes the following sections:        

• The DevSecOps Challenge  
• The Current State of DevSecOps workflows and tooling  
• The Missing Piece: The need for a new capability to continuously cut through complexity and “connect the dots” - to identify, contextualize and prioritize vulnerabilities, risks and actions in a holistic way 
• DevSecOps with securiCAD: Empowering DevOps Teams and CISOs by continuously connecting the dots, providing insights that unlocks the full potential of DevSecOps

The DevSecOps Challenge  

DevSecOps is in fact a major evolution of the cyber security practice. So, before going into details on current and future workflows and tooling, let’s take starting point in the overall business perspective. In the overall requirements, challenges and opportunities that DevOps and DevSecOps brings to organizations, CISOs and DevOps teams in practice.  

Let us explore a typical illustrative example:  

An organization - DevOpsCo - has a DevOps way of working. It could have two, ten, fifty or even hundreds of DevOps teams. Each team is Developing and Operating their part of the overall company system environment. It is not uncommon that one team push several releases per day. And each release naturally have an impact on the security posture of the environment. And not only on the team’s environment, but also on other teams’ environments and the total infrastructure.  

This small illustration does in itself illustrate both how important it is to embed Security into the DevOps work flows to make DevSecOps practically viable and the magnitude of the challenge. But this dynamic is just one part of the challenge.  

A longer list of key challenges includes the following:   

• Multiple DevOps teams all makes frequent releases, and each release impact both their own team’s, other teams’ and the total organization’s cyber security risk posture. 
• It can very easily happen that teams make security mistakes. Just one example of this, is how easy it is to make mistakes in terms of setting up IAM policies. In both cloud environments and on-prem environments it can very easily happen that IAM is set up in a way that grants too much/ wrong access that creates weak security postures and high business risks.  
• In addition, there is the challenge to keep up to date with new vulnerabilities, security updates etc. and put them into context to what needs to be adressed to continuously manage risk over time.  
• DevOps teams are not the security experts. Even if we think that it would be great if they were, this will never be the case. It is actually not even desirable as it would require too much security resources.    
• CISO-function crucially needs mechanisms that both empower the DevOps teams with automated actionable insights, and provides the CISO function with a continuous overview, tracking and management of the cyber security risk posture.  
• We all live in a world of scarce resources. Identifying long lists of risks and best practices is a good starting point. But we truly need to identify what risks are key, what actions have the best effect, and when is our security good enough. This prioritization needs to be done from a holistic perspective. And it is not practically viable to do it manually, it is just too complex and time consuming. 

The Current State of DevSecOps Workflows and Tooling  

“Sec” in DevSecOps is a not a discrete step or phase, but an integrated part of the of activities required to deliver software or service in a secure fashion, as illustrated in the typical DevSecOps loop. 

Today different activities and tools of the AppSec program will typically attach to different phases of the DevOps loop. Security training of developers, design reviews based on threat modeling, design and code reviews as well as SAST tools like SonarQube for source code inspection are all part of the Plan and Code phases. In the Build and Packaging phases, you typically find security scanning of vulnerabilities in the supply chain dependencies through solutions from companies like debricked or Snyk. 

Moving into the Test phase, security testing is done and often automated by DAST tools, and from the Release phase and onwards a set of more traditional cyber operational tools are employed, including vulnerability scanners for the infrastructure, WAFs and various types of log monitoring and correlation tools including SIEMs. 

Interestingly, a perfect secure development process will still not be a guarantee against breaches of the application after it has transitioned into a live, deployed state. The application context, such as e.g. the Identity and Access Management (IAM) configuration will often be different from a test environment and is bound to change over time. Time will also cause changes to interdependent services and will cause new vulnerabilities to be discovered, both inside the application as well as in infrastructure on which the application depends. Time is clearly not on the defender’s side. 

Furthermore, continuous deployment into public Cloud environments such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform creates an even more challenging situation as both the control plane (asset management operations) and data plane (the application and related service assets) are available over the Internet and often delegated directly to DevOps team. 

And, maybe most importantly, the different tools are to a large extent separate silos. Silos that identify separate lists - most often long lists - of risks and vulnerabilities. This creates complexities, inefficiencies, costs, and risks, and do often slow down DevOps organizations.

The Missing Piece  

As described in the earlier sections; DevSecOps is the natural way forward for DevOps organizations. But it also imposes several quite significant challenges. To make DevSecOps practically viable, automated tooling has a key role. Today, companies typically leverage a number of automated tools for DevSecOps. However, they are to a large extent separate silos that identify separate lists, most often long lists, of risks and vulnerabilities. 

A key capability has been missing in the toolset. A tool that continuously:

• Contextualizes Risks. Yes, there are plenty of different risks. But what is the holistic risk exposure of my high value assets? Are we good, or do we need to take action?  
• Pin-Points Actions. Yes, there are plenty of ways that we can reduce risks. But what of all possible actions shall I prioritize? And what shall I not prioritize? It is simply not feasible to do everything everywhere.  
• Conducts Automated Attack Simulations.Yes, we should do these analyses continuously. By integrating automated attack simulations in your CI/CD, you can continuously analyze your posture. On digital twins, not to interfere with your environment.  

 These capabilities empower DevOps teams to get continuous insights on key questions as “Are we secure enough?”, “What are the weakest links?” and “What of all things possible should we do to improve our security posture?”. And it enables the CISO function to get overview and tracking of the security risk posture and get pin-pointed insights when and where needed. 

DevSecOps with securiCAD  

securiCAD is a leading tool for Automated Threat Modeling and Attack Simulations. It empowers organizations to leverage AI-based cyber-attack simulations to cut through complexity, and continuously identify, contextualize and prioritize vulnerabilities, risks and mitigation actions from a holistic perspective. Leading companies leverage securiCAD for automated security analyses from Dev to Ops, across industries such as military, banking, critical infrastructure, healthcare, manufacturing, connected cars, eCommerce etc.    

securiCAD fits very well into DevSecOps. In fact, it addresses the key challenges outlined above and provides the capabilities that we see is the “Missing Piece of DevSecOps” as of today!  

• DevOps Teams get automated and continuous insights on the cyber security risk posture of their environment. When the risk exposure is too high/ posture is too weak, they get automated insights on what are the weak spots in the architecture and suggested mitigation actions. The analyses can be fully integrated in the CI/CD pipelines.    
• CISO Function gets automated and continuous insights on the posture of the total environment. How does my overall risk posture improve over time? How do the different teams perform? How does the different teams’ environments interact, when/how does one team create risk for another team and provide that insights automated to the teams? 
• Automated and Continuous, throughout the DevOps Cycle. securiCAD provides fully automated in-depth analyses. It can easily be integrated in the CI/CD pipelines. And it is not interfering with your live enivironment as all the simulations are conducted on digital twins of your environents.  

The picture below illustrates how Continuous and actionable risk posture insights are continuously provided to both CISO-function and DevOps Teams.

Let’s dig into how it works.  

First, let’s explore the concept.  

securiCAD performs automated threat modeling and attack simulations on IT systems. The concept consists of three steps. The first step generates a digital twin model of your system environment. The second step is to simulate thousands of attacks towards the model, capturing all possible ways attackers can potentially reach your high value assets. Based on the simulations the third step is to provide the user with insights on risk levels, key risks and effective risk mitigation actions. The concept is further described in Figures below.  

Now, let’s dig into how it can work in a practical DevOps setting:  

In a DevOps setting, all of the steps are fully automated. Digital twins are automatically created from your available data sources. It can be cloud config data, together with vulnerability scanners, firewalls rules, traffic logs, AD, SIEMs and more. Simulations are then automatically triggered – e.g. directly after deploy or continuously over time. Insights are then continuously provided to both CISO function and DevOps teams. 

Using securiCAD as a continuous DevSecOps tool typically include the following fundamental concepts: 

• Input events to trigger analyses  
• A fully automated modeling and simulation workflow 
• Automated tracking of risk and time to compromise metrics 
• Output events to flag deviations from baseline and/or risk levels above threshold values 
• A way of doing root cause analysis to support remediation of findings, including a system of suggested mitigations, to improve your security posture in the most effective way 

Input trigger events are either synchronously driven by changes to the environment, by timer or both for each environment under securiCAD analysis. securiCAD can support many application teams and environments in parallel. 

In the simulation phase, a set of pre-designed scenarios are applied to each environment under analysis, where each scenario capture the placement of the attacker and the designated High Value Assets (HVAs). HVAs are the cyber security events you really worry about, such as confidentiality breach of a sensitive database. In Cloud environments, automatic setting of HVAs based on asset Tags or Labels is supported. 

Output events are published based on deviations from baseline for each individual scenario. The baseline is established by running a break-in period where the posture is manually analyzed and, if acceptable, declared as a baseline for automation. 

A Continuous Integration (CI) system - such as Jenkins, AWS CodeStar or Azure DevOps - is typically the centerpiece of DevOps workflows, automating the code quality analysis, QA, builds and the different deployment phases. When integrated directly into CI/CD pipelines, the CI system will be responsible for sending events to trigger securiCAD analysis. This would typically be based on a completed deploy to a certain environment (dev, UAT, prod).

securiCAD is assessing the “Analysis scope” by automatic modeling and simulation. It is important to note that the analysis scope is larger than the core Application as it includes other infrastructure components in the App context (e.g., Cloud databases or Virtual Machines) as well as the IAM and user aspect, governing the access to the application and its infrastructure. 

For a DevOps organization, the Application is the focus of more traditional AppSec measures, but the development teams are also often handling the App context and may even be allowed to make changes to the control plane itself as “infrastructure as code” (Terraform or Cloud vendor technologies). This means that each deploy can potentially change both application as well as environments in subtle but dangerous ways. 

For a given environment, securiCAD will hold a data series for each designated HVA and compare a new analysis result against a baseline score for the data series. If the result is outside of a configurable tolerance, an output event is generated. 

The output event can be subscribed to by the CI system for pipeline integration, blocking further deploy by e.g., preventing the process from deploying to prod if a baseline violation is found in UAT. 

For each finding signaling a material worsening of security posture, the securiCAD offers in-depth analysis tools to track the underlying reasons, this will allow pin-pointing things like dangerous changes in IAM settings, misconfiguration in firewalls and routing rules as well as determining that newly discovered software vulnerability create a systemic cyber risk. 

securiCAD plays an important role not only in the Deploy phase but also in the Operate and Monitor phase of the DevOps loop. Running securiCAD on schedule will continuously track the security of the entire Application context over time. This requires no specific CI integration but can be handled by securiCAD itself using scheduled jobs and a publish – subscribe pattern where notifications can be sent to designated recipients by email or by opening tickets in systems such as JIRA in the event of baseline violations. 

securiCAD naturally supports integrations in automated DevSecOps environments built in Cloud environments such as Amazon AWS and Microsoft Azure as it has standardized Parser support for automatic model creation as well as threat modeling systems tailored to these platforms, e.g., capturing attacker specific opportunities based on the intricacies of the complex Cloud IAM systems.