What is Continuous Security And Why Is It Important?

Executives across every industry and company size have made cyber–security a top priority. This has not just driven the adoption of new technologies, but created an overall mindset shift to proactive cybersecurity – the understanding that strong defensive and response lines are not enough. We must start where 9 out of 10 breaches start: the code. However, this focus on delivering better security through code, or as it’s better known – application security – extends beyond just the lines of code, to anything the code touches, from the tech stack configurations in the containers and firewalls to access protocols and redundancies.

This complexity continues as organizations embrace the CI/CD approach as more than just a tech stack, but a philosophy to deliver on digital transformation. While it ensures the continuous integration, delivery, and deployment of code, meeting most current business needs, it also introduces more variations and questions that need real-time responses from security to reduce errors while maintaining project velocity. Unfortunately, as an extension of the Agile and DevOps transformations, the adoption of CI/CD pipelines further siloed security as processes fail to keep pace. Continuous Security: In software development, is the practice of automating and orchestrating the deployment of an application security program to enable dynamic delivery of security requirements in the SDLC in response to internal and external changes, so secure code can be shipped reliably. Continuous security means having code that is always ready to ship and ensuring teams keep shipping code without introducing new risk, guided by intelligent application security visibility and governance at the critical points in the pipe–line. Through the automation and orchestration of cradle-to-grave application security programs, it ensures a repeatable and reliable execution of security processes at every step of the software development life cycle (SLDC). By orchestrating each enterprise’s unique application security program, security teams capture centralized, automated governance, while development teams get the flexibility to manage security as part of their day-to-day workflows, unifying processes between DevSecOps teams. Continuous security provides organizations with the ability to remove bottlenecks by enabling real-time collaboration between development, security, and operations. By centralizing and automating security governance, the continuous security approach eliminates manual security processes to reduce product delivery risk. Organizations can confidently ship code that meets their product specific security standards, without sacrificing agility or velocity.

Security in the CI/CD Evolution

Our research found that only 30% of respondents cited manual processes as a bottleneck in the development process, which showcases an interesting divide between manual processes and all the things that result from them. While DevOps processes are typically highly automated, 55% report moderate or low automation of security processes. Further, at 61% of organizations, the feedback sharing process between development and security teams isn’t fully automated. Even so, most respondents (79%) report their security teams acknowledge and respond to feedback from development teams.

CI/CD focuses on the ability to continuously develop and deploy software that meets the most current needs of the business. However, without security integrated as part of this process, organizations are not able to account for the number of permutations of security requirements that rapidly evolve with changing business needs.

66.8% of security teams believe integrating security in the DevOps cycle is a top 3 priority (Forrester p17)33% of security teams say their organizations’ security solutions are mostly or completely integrated with seamless sharing of data between products/tools or integrated with custom or off the shelf APIs.

The Continuous Security Ecosystem

The problem is that security isn’t an option – it’s a requirement. Even in the smallest of companies, things like least privileged access, the ability to leverage a single identity store, and audit logs of user access are basic requirements no matter how large or small your organization may be. Any functionality required to securely implement, use, monitor and manage a software service or application shouldn’t be offered only as a bundled feature to help drive users to the highest license level offered. Security functionality should be available as add-on costs to any license offered. Implementing and supporting such functionality costs real money and users should pay a reason–able fee for them, but security functionality shouldn’t be used to push users to the highest licensing cost.

The CI/CD/CS

The next step in the CI/CD is to include security at every step of the SDLC. By extension, CI/CD/CS is the philosophy of continuously shipping software that meets the most current security standards for the business and accounts for internal and external change throughout the SDLC. An effective CI/CD/CS does not require full maturity of a CI/CD, but rather can be deployed in any SDLC with a commitment to three key principles:

Automation and Orchestration:  Stop relying on manual processes that slow the SDLC or become an afterthought. Automation and orchestration of the application security program as part of the SDLC is essential to make sure pipelines run efficiently.

Collaboration… but Segmentation: It may seem paradoxical, but delivering the segment of information to the appropriate stakeholder at the right time, without overwhelming all the other roles in the overall SDLC, ensures better collaboration so stakeholders know where, when, and with whom to direct their attention.

Embrace Imperfection…but Control for It: There is no such thing as perfect code, and therefore no such thing as perfect application security. When you have the ability to accept risk within the risk tolerance of the business, you know the right times to stop, and the times to carry on because you have other controls. Don’t let perfection be the enemy of shipped.

Different organizations have different risks to be accounted for, which means security must be aligned to business strategies and priorities. With end-to-end integration into the SDLC, continuous security supports CI/CD to improve productivity and time-to-market, while reducing the risks that might impact a particular business or even product-line. Software is inherently impermanent and organizations need to be able to continuously balance security, technical and business priorities to ensure they are maintaining their focus on what matters most: delivering value to customers and shareholders.

Orchestration solves the question of how to ensure each piece of software involved in the development and delivery of a software pipeline adheres to the security requirements of the organization. However, a team can only do that if the options to properly do so are available in the security tools used by the organization. Too many software vendors are holding security hostage to push their users to higher licensing costs, making them pay for unnecessary and unneeded features to get the security baseline required.

If only those with the deepest pockets can secure their software then we will continue to see data breaches, ransomware attacks and identity theft. Until the software industry stops treating required security functionality like optional leather seats, we will never see the true “shift left” in securing our digital services and infrastructure.

Want to learn more about how you can integrate AppSec in your Development pipeline?

Check out these top resources!