The UK government isn’t the only organization encountering issues between data security and app development. The pandemic is also putting pressure on businesses to develop and release apps at an increasingly rapid pace in order to meet demands for continuity. As a recent global report shows, business app sessions have increased by 105 percent in Q1 2020 compared to the same time last year. This surge, combined with the acceleration of digital transformation initiatives, means security’s priority status is under threat; right now, development teams’ focus is on releasing the next new set of features. So, with DevOps now front and center of innovation across the business world, how should security teams engage with developers?
Partners in anti-crime
Many security teams are responding by making efforts to establish more effective partnerships with their DevOps counterparts. Some, for example, have focused on providing security solutions that make it easier for app developers to render security inherent to their apps. In many cases, this means providing developers with easily digestible security capabilities that can be easily incorporated into their automated processes.
However, some of these features are easier to incorporate than others. For example, code scanning tools can be added relatively easily to app development processes, preventing code with known viruses, bugs, or other issues from being incorporated into the framework.
Some security testing can also be automated, so that development frameworks automatically reject coding that fails and security checks are embedded in wider development processes. Unless a problem is detected, this ensures checks have minimal impact on individual developers writing their code.
That being said, the area of secrets management is a little more challenging.
The keeper of keys
Secrets management, in basic terms, refers to the management of authentication credentials. This category includes passwords and tokens that allow users to access applications, services, and other sensitive parts of an IT ecosystem.
Secrets management is potentially disruptive as it can impact each developer when they program and update apps to access sensitive resources. In this case, the developer needs to ensure each app securely accesses the resource using privileged credentials. So, when the app is in use, it needs to authenticate to the ‘digital vault’ – a secure location containing privileged credentials – and fetch the necessary information to access the resource. A newly written application, for example, will need to be coded in a way that allows it to obtain the credentials from the secrets management solution, which in turn must know to authenticate the application.
One emerging approach we’ve seen security teams adopt is to provide developers with a self-service solution. These allow developers to provide the apps they’re writing with secure access to databases and other resources more easily.
Streamlining with self-service
At first, it might appear simpler for security teams to work directly with the developers and update secrets management solutions themselves. Afterall, this would allow them to ensure each new app can use the secrets management solution successfully. While this can work in a small team, an enterprise will have too many apps and likely many more programmers developing apps than a security team can handle manually. In that case, self-service becomes a necessity.
As an example, one of our enterprise customers operating in the retail space needed to rapidly and cost-effectively deploy new customer applications to compete with online retailers. The security team wanted to ensure applications securely accessed databases. This meant deploying a secrets management solution that could secure the core application functions used by the business (such as inventory, procurement, stores, and in-store pickup).
The business’ developers were great at writing apps. However, with over a thousand developers and only a small security team, security was concerned that they would be overwhelmed and become a roadblock, negatively impacting the deployment of apps. So, the retailer implemented a self-service solution.
The solution could automatically update the secrets manager’s policies. Then, with the updated policies in place, the secrets manager only allowed approved apps to securely access databases. Once it was set up, the solution could handle developers’ requests for app approval to access databases securely, only involving the security team where needed.
In another example, the security team at a financial services customer with a large number of applications wanted these applications to request secrets based on strict policy. However, security didn’t want to force the development teams to write security policies. So, to streamline the process, the company chose a self-service solution to automate the approval process. Now, when the developer’s request is approved, the security policy is automatically updated.
Secure development meets rapid deployment
App development must be a highly efficient process; developers don’t want to work with solutions that take up unnecessary time. This means that a secrets management solution simply won’t be adopted if developers are dependent on security to update the access policies, or equally, if they’re forced to write the policies themselves.
When done incorrectly, organizations can experience significant developer pushback, poor levels of adoption, and either delays in app deployment, or apps that don’t access resources securely. The self-service approach avoids all of this by facilitating developer productivity rather than inhibiting it, becoming a win-win for both developers and security.
Self-service secrets management not only helps security teams build a partnership with developers, but also enables organizations to ensure the security of their applications.
Given these benefits, as enterprises with large portfolios make their digital transformation journey, they will likely turn more towards self-service approaches. Developers are therefore provided with an automated way to supply applications with secure access to sensitive resources. Similarly, at times when normal business practices shift dramatically to fit a new working environment, app development teams can deploy apps at speed without worrying about security issues.
Josh Kirkwood, Solutions Engineering Manager of Advisories, Cyberark