Securing Digital Infrastructures

What Is DevSecOps, and Why Is It Important to Security? 

Secure development’s role in organizations’ digital transformation initiatives

Nandita Bery
Samantha Goyagoy

DevOps has helped teams embrace automation and achieve scale for years, but in that approach security is often relegated to an afterthought. Practices like hardcoding credentials or passwords directly into applications make coding easier and faster but are risky and can get out of hand fast: a credential committed to a repository is copied into every clone, build artifact, and backup, and cannot be rotated without a code change. As organizations continually expand their cloud portfolio, from hybrid multicloud and data centers to virtual environments and more, continuous monitoring of code has become more crucial than ever.
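As an added example that is not part of the original post or Equinix's own tooling, here is a minimal hardcoded-credential check of the kind a pre-commit hook or CI scan would run on every change, shown beside the hardened way to load the same secret at runtime. The rules, the entropy threshold, and the two sample settings files are constructed for illustration.

```python
"""Added example (not Equinix's NEXTcode tooling): a minimal hardcoded-credential
scan of the kind a pre-commit hook or CI job runs on every change, beside the
hardened way to load the same secret at runtime. Patterns, thresholds and the
two sample "settings" files below are constructed for illustration."""
import math
import os
import re

# Shapes of secret that show up in source most often. Assumption: this short
# list is illustrative; a production scanner ships hundreds of such rules.
SECRET_PATTERNS = [
    ("credential literal",
     re.compile(r'''(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"]([^'"]{6,})['"]''')),
    ("AWS access key id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
HEX_ENTROPY_THRESHOLD = 3.0  # bits/char; all-zero or repeated filler falls well below

PLACEHOLDER_WORDS = {"changeme", "password", "secret", "placeholder", "example", "todo"}


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(value):
    """Template references and obvious dummies are not credentials."""
    v = value.strip()
    return v.startswith(("$", "<", "{{", "%")) or v.lower() in PLACEHOLDER_WORDS


def scan_source(filename, text):
    """Return one finding per (line, rule). The secret itself is never echoed:
    a finding carries the line, the rule, and a masked prefix only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if rule == "credential literal" and looks_like_placeholder(value):
                continue
            findings.append({"file": filename, "line": lineno, "rule": rule,
                             "evidence": value[:4] + "***"})
        # Long hex literals (signing keys, HMAC secrets) carry no keyword to key
        # on, so fall back to entropy: random bytes score high, filler does not.
        for m in HEX_TOKEN.finditer(line):
            if shannon_entropy(m.group(0)) > HEX_ENTROPY_THRESHOLD:
                findings.append({"file": filename, "line": lineno,
                                 "rule": "high-entropy hex literal",
                                 "evidence": m.group(0)[:4] + "***"})
    return findings


def load_secret(name, env=None):
    """Hardened pattern: the value comes from the process environment, populated
    by the deployment pipeline or a secrets manager, never from source. Fails
    closed when the secret is absent and keeps the value out of the error."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not configured")
    return value


# Constructed sample: the "before" file with three hardcoded secrets
# (the AWS key id is the public placeholder value from AWS documentation) ...
VULNERABLE_SRC = (
    'DB_HOST = "db.internal.example"\n'
    'DB_USER = "app"\n'
    'DB_PASSWORD = "Sup3rS3cret!2024"\n'
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'SIGNING_KEY = "a3f9c2e7b1d4085f6e2c9a7b3d1f4e8c0b5a6d2e"\n'
)
# ... and the "after" file, which reads the secret at runtime and leaves only
# a template placeholder in source.
HARDENED_SRC = (
    "import os\n"
    'DB_HOST = "db.internal.example"\n'
    'DB_USER = "app"\n'
    'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
    'LOCAL_DEV_PASSWORD = "${DB_PASSWORD}"\n'
)

if __name__ == "__main__":
    for f in scan_source("settings.py", VULNERABLE_SRC):
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['evidence']})")
    print("hardened findings:", scan_source("settings_hardened.py", HARDENED_SRC))
```

Running the block reports the three planted secrets in the "before" file and nothing in the "after" file. The placeholder and entropy checks exist because a keyword rule alone either misses long opaque keys or buries reviewers in false positives; note that a 40-character git commit hash will also trip the entropy rule, which is why real scanners pair it with an allowlist and why findings are reported without the matched value.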

Developer environments, as recent attacks show, are on threat actors' radar. The SolarWinds compromise highlights how the supply chain can be vulnerable to threats that seep through connected ecosystems. [1] In that case, threat actors gained unauthorized access to SolarWinds' network and build process, and the company unwittingly shipped signed updates containing malicious code to its customers. The attack demonstrated the sprawling challenges of poisoned origin and, consequently, of trust in software.


But what if security were integrated into the development of digital infrastructures from the start? Enter: DevSecOps.

DevSecOps, an approach to security culture that combines development, security, and operations into a single discipline, emphasizes security testing and assessment throughout delivery in order to address issues that traditionally might not be discovered until the software is rolled out to the public. It complements the push for a secure software development lifecycle (SSDLC) in many organizations, including Equinix, which gives developers more ownership of their applications, lets them catch security issues earlier, and lowers the cost of mitigating them. It also reduces the chance that a compromise of internal development or build systems ends up in the delivered product.

"Shifting left," the idea that security involvement should happen earlier in the process, as early as the design stage, is beneficial in building trust among stakeholders. It can also be a crucial factor in complying with industry standards such as those published by the National Institute of Standards and Technology (NIST). [2]

Developers and Software: What’s to Come 

Businesses today, whether in information services, retail, or manufacturing, operate as digital providers in some way, shape, or form, which requires that their operations be developed with a digital-first strategy. Infrastructures are poised to be developer-led and software-defined, enabling organizations to deploy IT infrastructure efficiently while advancing DevOps enablement. The 2023 Global Interconnection Index (GXI) also presents software-defined infrastructures as key drivers in adapting to the technological advances, economic uncertainties, and security implications that organizations will face in the years to come.

Some see security as an impediment to innovation and app development, but the times, they are a-changin’ — it’s undeniable that the ever-evolving landscape calls for security to be at the forefront rather than an afterthought. 


Organizations aren't the only ones who can "shift left." Attackers have followed suit, targeting developers and their build systems as entry points for campaigns against infrastructure-as-code (IaC) deployments, Kubernetes environments, and software supply chains.

So, who is responsible for security? The reality for end users is that there is only so much they can do with the security measures built into an app or product. This gives developers the de facto responsibility to secure the software they build and maintain, and thus makes them accountable for it. Security teams, in turn, are responsible for giving developers the guidance they need to protect their software.

Developers should see themselves as part of the security solution and put even more care into their coding practices, and the culture should foster an environment that allows them to do just that. It all boils down to team collaboration; after all, we all just want secure, reliable products.

Secure Software Development Life Cycle (SSDLC) at Equinix 

In Equinix's ongoing efforts to shift security left, we're driving increased collaboration between developers, operations, and security teams through a program called NEXTcode, a company-wide effort to incorporate security into every phase of the software development lifecycle and its infrastructure. NEXTcode provides the security tools needed for scanning and remediation, as well as secure coding training, support, and guidance when teams need it.

Security in DevOps

The NEXTcode Developer Security Certification program is aimed at training and enabling developers to use secure coding practices, as well as establishing an ongoing education and hands-on training platform to support the needs of our developer community. The first phase of this program focused on the OWASP Top 10, which gives a deeper understanding of the most critical security risks facing web applications today, followed by secure coding and code repository best practices.

Furthermore, our global cybersecurity awareness program allows developers to take advantage of resources and training available to tackle secure coding concepts and practices, including code reviews/scans and capture the flag (CTF) games.

We see training as necessary for instilling security disciplines in application development, adhering to standards, and practicing security fundamentals such as:

  • Understanding the shared responsibility model
  • Adopting the principle of least privilege
  • Having the knowledge to remediate code findings if they occur
  • Understanding the developer’s responsibility toward open-source code

We continue to make strides in innovating and securing our infrastructure to ensure we’re giving the most reliable and scalable services to our customers — and that includes equipping developers and security teams to be key figures in building software- and security-defined products. This move toward SSDLC is important in supporting Platform Equinix and collaborating with enterprise customers to securely drive their digital infrastructure projects.

Learn more about making digital infrastructures future-ready in the Platform Equinix Vision Paper (PEVP).

We discuss more of how organizations can prevent security risks and secure their digital infrastructures from attacks in our blog post on zero trust security and zero touch security.


Thanks to Alex Armstrong for providing much-needed insights into the Equinix Developer Security Certification Program.


[1] TechTarget, “SolarWinds hack explained: Everything you need to know.” June 2022.

[2] National Institute of Standards and Technology, “Technical Guide to Information Security Testing and Assessment.” September 2008.

Nandita Bery, Director of Awareness and Education, Infosec Team
Samantha Goyagoy, Content & Development Manager, Infosec Team