By Andy Nallappan, Chief Technology Officer and Head of Software Business Operations, Broadcom Software
The rise in ransomware has unleashed a torrent of high-profile attacks disabling critical infrastructure and bringing major supply chains to their knees, adding to the uncertainty of an already chaotic pandemic era.
There were front-page attacks like Colonial Pipeline, which was forced to shut down 5,500 miles of pipeline after being hit by ransomware, as well as meat processor JBS Foods and software vendor Kaseya. Together, these attacks dramatically shifted ransomware conversations to places ranging from boardrooms to gas station lines.
Yet beyond these big-name incidents, ransomware’s reach was even more pervasive. While the total number of unsophisticated ransomware attacks that Symantec, as part of Broadcom Software, has detected and blocked declined over the past 18 months, targeted attacks aimed at a single organization and seeking a high-value ransom are rising. Our threat intelligence report on “The Ransomware Threat” found that targeted ransomware attacks were up by 83% in that timeframe. Now is as good a time as any for a major cybersecurity wake-up call.
Making DevSecOps Work
When a separate cyber security team works outside the boundaries of the mainstream software development cycle, security becomes an afterthought, creating unnecessary gaps. In contrast, a modern DevSecOps paradigm establishes cybersecurity as a shared enterprise responsibility and shifts security practices to start at the inception of the software development cycle where there is greater opportunity for integrated protections.
While DevSecOps isn’t exactly new, the concept has been slow to take off in part because of organizational and cultural challenges. In most companies, the product and cybersecurity teams are separate, often with competing agendas. The product team designs products without regard to security policies, while the security group promotes policies without the same concern for new functionality or time-to-market urgency. The friction puts the two groups at odds instead of fostering a partnership that bakes security into the product development stage, closing the gaps that attackers might easily exploit.
Widespread use of open-source code and cloud-based platforms like GitHub has also made some companies more vulnerable to cybersecurity risks. Developers are programming from laptops, often outside the tight security controls of the corporate network and Integrated Development Environment (IDE). Without a secure IDE along with robust processes for scanning and certifying any and all source code contributions, organizations are more susceptible to the infiltration of malicious code used to perpetrate ransomware attacks.
Reorienting Your Culture
Through DevSecOps, organizations can eliminate unnecessary risks. There are several things to consider as you reorient culture and embrace a DevSecOps model. Here are just a few:
- Create a dedicated organization. The principle underpinning DevSecOps is that cybersecurity is everyone’s responsibility. At the same time, there is still a need for dedicated resources and management to provide oversight and ensure practices are enforced. The DevSecOps team should serve as a bridge between cybersecurity and product developers and report up to the Chief Technology Officer (CTO) or Chief Product Officer (CPO). The team should be a partnership of experts who have the application knowledge, technical skills, and development expertise to talk both product requirements and cybersecurity needs.
- Embrace automation and monitoring. Invest in the resources, skills, and specialized tools to automate as much of the process as possible. Automating code scanning and critical segments of the Continuous Integration/Continuous Delivery (CI/CD) pipeline ensures consistency while reducing the possibility of human error. Over time, refine DevSecOps practices through the use of AI along with loop-backs that explore how and why a security vulnerability was introduced into code, so that the root cause feeds back into further refinements.
- Invest in training and awareness. Promote the importance of cybersecurity practices by building an enterprise culture where security is prioritized, not considered an afterthought. Offer corporate-wide training sessions, communicate regularly to boost awareness, and enlist executive sponsors.
- Standardize tools and processes. Having a standardized set of tools and practices is central to keeping everyone on the same DevSecOps page. Formalizing a standard IDE and set of scanning and monitoring tools will ensure code is consistently monitored for problems and potential blind spots are identified and subsequently closed.
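As a concrete illustration of the automation and standardization points above (scanning every contribution, applying one rule set consistently, and keeping a record of where each finding was introduced), here is a minimal CI scanning gate. This is an added example, not Broadcom Software's or the author's code: the rule identifiers, severity levels, the "scanner:ignore" annotation, and the sample files are all assumptions constructed for illustration, and a real pipeline would run a full SAST and secrets scanner rather than a handful of regular expressions.

```python
"""
Added example (not Broadcom's or the author's code): a minimal CI gate that
scans contributed source files for a few high-confidence patterns and fails
the build when any finding reaches the configured blocking severity.
Rule IDs, severities, the ignore annotation and the sample files below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Assumed severity scale: 1 = informational, 2 = warn, 3 = block the merge.
BLOCK_SEVERITY = 3
# Assumed annotation that lets a reviewer suppress a known false positive
# on a single line (for example, a documented fake key in test fixtures).
IGNORE_MARKER = "scanner:ignore"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    severity: int
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: int
    path: str
    line: int
    snippet: str


# A small, constructed rule set; production pipelines use a maintained one.
RULES = [
    Rule("SEC001", "Hard-coded AWS access key ID", 3,
         re.compile(r"AKIA[0-9A-Z]{16}")),
    Rule("SEC002", "Private key material committed", 3,
         re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    Rule("SEC003", "Password assigned from a string literal", 2,
         re.compile(r"(?i)password\s*=\s*['\"][^'\"]+['\"]")),
    Rule("SEC004", "Dynamic code evaluation", 2,
         re.compile(r"\beval\s*\(")),
]


def scan_file(path, text, rules=RULES):
    """Return every rule hit in one file, keyed to its path and line number
    so a loop-back review can trace how the finding was introduced."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue  # explicitly reviewed and suppressed by a human
        for rule in rules:
            if rule.pattern.search(line):
                findings.append(Finding(rule.rule_id, rule.severity, path,
                                        lineno, line.strip()[:80]))
    return findings


def scan_contribution(files, rules=RULES):
    """Scan a whole contribution: a mapping of path -> file contents."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text, rules))
    return findings


def gate(findings, block_at=BLOCK_SEVERITY):
    """Return (passed, blocking_findings). The gate fails on any finding
    whose severity is at or above block_at; lower severities are reported
    but do not stop the pipeline."""
    blocking = [f for f in findings if f.severity >= block_at]
    return (len(blocking) == 0, blocking)


# Constructed sample contribution: one warning, one blocking finding, and
# one suppressed false positive in a test fixture.
SAMPLE_FILES = {
    "app/config.py": "DEBUG = False\nDB_PASSWORD = 'hunter2'\n",
    "deploy/keys.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n",
    "tests/fixtures.py": "FAKE_KEY = 'AKIAIOSFODNN7EXAMPLE'  # scanner:ignore fixture\n",
}


def run_gate(files=SAMPLE_FILES):
    """Scan, print a report, and return the gate result."""
    findings = scan_contribution(files)
    for f in findings:
        print(f"[{f.rule_id} sev={f.severity}] {f.path}:{f.line}: {f.snippet}")
    passed, blocking = gate(findings)
    print("GATE PASSED" if passed else f"GATE FAILED: {len(blocking)} blocking finding(s)")
    return passed, findings


if __name__ == "__main__":
    run_gate()
```

In a pipeline this would run on every pull request with the same rule set for every repository, so the standard is enforced by the tooling rather than by each team's habits; the path and line number on each finding are what the loop-back review needs to ask how the issue reached the branch, and the suppression marker keeps the gate from being bypassed silently, since every exception is visible in the diff.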
Do not underestimate the importance of creating a culture and a structure for getting cybersecurity right. After a brutal year of rampant ransomware and other cybersecurity attacks, customers are adamant about limiting their exposure by aligning with software vendors that follow proven and auditable cybersecurity best practices. DevSecOps will create a competitive advantage, positioning your enterprise as a more reliable and trusted partner.
Learn more about how Broadcom Software can help you make DevSecOps work
About the Author:
Andy Nallappan is the Chief Technology Officer and Head of Software Business Operations for Broadcom Software. He oversees the DevOps, SaaS Platform & Operations, and Marketing for the software business divisions within Broadcom.