Vulnerability Management and DevSecOps with CI/CD

In 2018 90% of financial institutions reported being targeted by malware and globally ransomware attacks increased by 350% that same year. In 2020 Twitter, the hotel chain Marriott, MGM Resorts, Zoom, and Magellan health all reported some form of a security breach [1]. These statistics demonstrate the importance of security and vulnerability management. Organizations need to make security a part of their development process. Let's break this down.

High adoption of DevOps

Development is the process of writing and maintaining code. It includes all the activities that are required to think of software or feature and then bring it into the 'real world' for its intended users. Operations or IT Operations refers to the set of activities that are performed by the IT department of an organization. The IT department defines how an organization's software and hardware are structured, maintained, and managed. Development requires software tools and the right hardware. Hence development and IT rely on each other. DevOps is an approach to software development where instead of functioning as two separate siloed teams, Development and Operations function as one team across the lifecycle of an application. Recognizing the benefits of this approach, most organizations today use a DevOps model.

See also: The 2020 State of Software Delivery 

The need for DevSecOps

However, one important area that is not covered by the DevOps model is security and this has given rise to the need for DevSecOps. Security vulnerabilities can appear at several points in the DevOps pipeline. Conventionally, security was added to software at the end of the development lifecycle but just as the approach to development and operations evolved into DevOps, there is a need for new approaches to vulnerability management. Security must become a part of development. A system that takes into account development, operations, and security as a continuous process is referred to as DevSecOps. Security is integrated into all the stages of development design, integration, testing, deployment, and delivery. DevSecOps allows organizations to address security issues as they emerge. Issues can be tackled while they are easier to fix, less expensive, and before they reach production and cause harm.

In this ebook by CircleCI you can find information on how modern developers and DevOps practitioners can use CI/CD to adopt a DevSecOps approach to vulnerability management.

Source:

1. n.d., '2021 Cyber Security Statistics The Ultimate List Of Stats, Data & Trends', Purplesec [available online] available from: https://purplesec.us/resources/cyber-security-statistics/ [accessed Apr 2021]