The 5 Top Challenges for DevSecOps to Address

It’s said that crime rises in times of social and economic upheaval, and this is certainly the case for cybercrime.

In a 2020 survey by VMware Carbon Black, 90% of security professionals reported an increase in the volume of cyberattacks and 80% said attacks had become more sophisticated. A recent study by Cybersecurity Ventures concluded that cybercrime would cost $6 trillion globally in 2021, climbing 15% per year to $10.5 trillion by 2025.

Given the increasingly sophisticated tactics of cybercriminals, businesses are finding it more challenging to implement security actions without slowing down development or impacting operations. Thankfully, DevSecOps tools are improving. There are currently around one thousand DevSecOps projects on GitHub, roughly two-thirds of them updated in the last 12 months. Meanwhile, CYREBRO observed a 730% increase in clients using our DevSecOps-related products in 2020.

Observing and detecting security threats during each phase of the DevSecOps pipeline is critical to protecting your organization from cybercrime. With this in mind, we present our top five current challenges for the DevSecOps toolset to address.

  1. Docker images

With 11.3 million monthly active users, Docker is undoubtedly the leading tool for automating the development, deployment, and running of applications inside isolated containers. But despite its agility, scalability, and portability, Docker poses some significant security challenges.

Namely, while Docker images make downloading and using containers easier by leveraging open-source libraries, 51% of these images have exploitable vulnerabilities, according to an analysis of 4 million publicly available images by cybersecurity startup Prevasio.

To reduce the risk, code repository scanning is often used in the hopes of detecting such vulnerabilities as well as misconfigurations and information disclosure. However, this often leaves users on an endless chase after vulnerabilities and misconfigurations.

  1. Misconfigurations

A security misconfiguration is a security control that has been misconfigured or not properly implemented, leaving databases or file storages unsecured or directly exposed. Not surprisingly, cybercriminals look for security misconfigurations that they can exploit to leak sensitive data.

Misconfigurations are the second-most common type of data breach after hacking, according to Verizon’s 2020 Data Breach Investigations Report. In to a recent survey of 300 chief information security officers (CISOs) by Ermetic, a cloud access risk security company, 67% of respondents said security misconfiguration was a top concern associated with cloud production environments.

In one recent case exposed by Dutch security researcher Jelle Ursem and DataBreaches.net, improper access controls left the medical data of more than 150,000 people exposed online in at least nine GitHub repositories. Incredibly, it took Ursem less than 10 minutes to find exposed medical data. All he did was search variations on simple phrases like ‘companyname password’ and ‘Medicaid password FTP’ to find potentially vulnerable hard-coded login usernames and passwords for systems.

  1. User identity and privilege management

User identity, together with privilege management, is becoming more complex for DevSecOps. Indeed, 77% of user identity-related incidents have user behavior anomalies as the root cause, according to CYREBRO’s observations.

Although many organizations have identity and access management (IAM) and privileged account management solutions in place, these are often insufficient for protecting cloud environments. Among the reasons for this are the accumulation of unnecessarily excessive permissions granted to users and applications for public cloud infrastructure deployments, lack of standardization, and continual shifts in privileges and roles.

Often, choosing which solution to opt for can be no less of a challenge, where the choice is often driven by the type of environment, whether mostly on-premise, cloud, or hybrid. But regardless of which solution is selected, it is important to note that what lies at the heart of IAM and privilege management-driven security incidents is user behavior.

  1. Software updates

The 2020 cyberattack on SolarWinds’ Orion IT performance monitoring platform was far from the first cyberattack on record, but it was one of the most notable in terms of reach. Around early 2020, suspected Russian state-sponsored hackers inserted malicious code into Orion, which was later sent out in software updates to tens of thousands of Orion users.

The code created a backdoor to Orion users’ IT systems, which the hackers were able to use to install malware to spy on unsuspecting victims including the U.S. Treasury and Commerce departments and possibly other government agencies.

The most important lesson from this incident is that software updates are no longer reliable for preventing attacks. Furthermore, it teaches us that no software can ever be completely trusted.

  1. Cloudification

The move to cloud is continually accelerating, with the global SaaS market expected to reach $145 billion by 2022.

The benefits of cloudification include agility, scalability, and cost-efficiency, among others. But the risk is also clear: cybercriminals have become all-too-familiar with the vulnerabilities inherent in cloud computing and have refined their techniques for attacking cloud systems and web applications.

Between January and April 2020, external attacks on cloud accounts increased 630% as millions of employees began working from home due to COVID-19 restrictions, according to the software security company McAfee. Meanwhile, 33% of cyber breaches observed by CYREBRO have occurred in multi-cloud or hybrid-cloud environments.

What DevSecOps Can Do

DevSecOps can do three key things to protect your organization from the challenges described in this blog post, namely – consolidation, compartmentalization, and accountability.

Consolidating security management solutions and enabling cross-platform automation is a key enabler for improving security. This is because “tool sprawl” and a lack of cross-vendor integration often serve as obstacles to effective cyber protection. Even if different systems are used – e.g., identity management from different sources such as cloud, AD, or SaaS – a single, unified zero-trust solution should be used for managing the organization’s identities.

To avoid the risk of falling victim to risky software updates, permissions should be compartmentalized and distributed. Furthermore, settings should be set as accurately as possible.

Finally, cybersecurity is not just about technology. It’s also about people. This is where accountability comes into play. The best tools for supporting accountability are big data analytics and artificial intelligence, which can be used for eliminating vulnerabilities, policy violations, and data leaks, as well as for detecting, preventing, and responding to breaches and attacks.

For more information, download our full Devsecops guide here.

Sign Up for Updates