DevSecOps Could Have Prevented the Equifax Breach
Earlier this month, major credit-reporting agency Equifax announced that it had experienced a cyber security breach involving the financial data and personal information of more than 143 million US consumers. A well-publicized vulnerability in Apache Struts (CVE-2017-5638), which powers some of Equifax's web-facing applications, went unpatched in those applications for months after Apache had disclosed it and shipped fixed releases in March 2017. That vulnerability allowed attackers to compromise critical systems holding data such as credit card numbers, names, addresses, Social Security numbers, and other personally identifiable information.
Equifax has said it did not detect the intrusion for nearly two months. In the days that followed, investigators identified a host of additional problems in Equifax systems around the world.
As we continue to survey the damage to Equifax, credit card companies, and the financial security of millions of American consumers, two things become clear: This was an entirely preventable IT security disaster, and this could happen to nearly anyone at any time.
Exposure of your organization's private data can lead to financial distress, brand damage, and legal liability if the organization is found negligent in protecting information it is legally required to safeguard. If you're worried about how to prevent an IT disaster of this scale at your own organization, there is an answer: DevSecOps.
DevOps encourages collaboration and communication between development, operations, and everyone else in the software development lifecycle, but in my experience, most organizations fail to integrate security into their development efforts. DevSecOps is a growing movement to build security into DevOps practices so that weaknesses are exposed early, through continuous monitoring, assessment, and analysis of the code and its dependencies, and can be fixed far earlier than traditional, end-of-cycle security reviews usually allow.
For years, the cyber security community has been pushing the adoption of DevSecOps practices as the key to identifying and rapidly remediating vulnerabilities in custom-built applications. Software can be delivered earlier with fewer quality defects and fewer security vulnerabilities. By integrating security tools, in particular software composition analysis, into the DevOps pipeline, your organization can inventory every library your system uses, identify which of those libraries carry known vulnerabilities, block developers from building with vulnerable binaries, and provide mechanisms for automatically upgrading to a fixed release. A gate of this kind is only as good as its enforcement: it has to fail the build rather than merely warn, and the rebuilt artifact still has to be deployed, since a vulnerable Struts library is exploitable for as long as the old deployment keeps serving traffic.
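As an added illustration of the pipeline gate described above (this is example code written for this article, not code from Equifax, Apache, or any particular DevSecOps tool), the script below parses the output of `mvn dependency:list`, compares each artifact against a small advisory database, and fails the build when a dependency falls inside a known-vulnerable range. The only advisory in the database is CVE-2017-5638, whose affected ranges (Struts 2.3.5 through 2.3.31, fixed in 2.3.32, and 2.5 through 2.5.10, fixed in 2.5.10.1) are taken from the Apache S2-045 advisory. The Maven output, the `webapp` project name, and the other artifacts listed in it are constructed sample input.

```python
"""CI dependency gate (example code for this article, not a product's own tool).

Reads `mvn dependency:list` output, flags artifacts in a known-vulnerable
version range, names the fixed release to upgrade to, and exits non-zero so
the pipeline stops. The advisory database below is deliberately minimal and
holds only CVE-2017-5638; a real gate would pull ranges from a vulnerability feed.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    cve: str
    # (low, high, fixed): inclusive affected range and the release that fixes it
    affected: Tuple[Tuple[str, str, str], ...]


# Constructed advisory database keyed by Maven group:artifact.
# Ranges follow Apache's S2-045 advisory for CVE-2017-5638.
ADVISORIES: Dict[str, List[Advisory]] = {
    "org.apache.struts:struts2-core": [
        Advisory("CVE-2017-5638", (("2.3.5", "2.3.31", "2.3.32"),
                                   ("2.5", "2.5.10", "2.5.10.1"))),
    ],
}

# Constructed sample of `mvn dependency:list` output for a hypothetical "webapp" project.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.31:compile
[INFO]    org.apache.struts:struts2-convention-plugin:jar:2.3.31:compile
[INFO]    javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO]    ognl:ognl:jar:3.0.19:compile
[INFO] BUILD SUCCESS
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); stop at the first non-numeric component."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_in_range(v: str, low: str, high: str) -> bool:
    """Inclusive range check; shorter version tuples are zero-padded so 2.5 == 2.5.0.0."""
    a, lo, hi = parse_version(v), parse_version(low), parse_version(high)
    n = max(len(a), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(a) <= pad(hi)


def parse_dependency_list(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs from `mvn dependency:list` output.

    Dependency lines have the form group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field.
    """
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("[INFO]"):
            continue
        fields = line[len("[INFO]"):].strip().split(":")
        if len(fields) not in (5, 6):  # skips banner/summary lines
            continue
        deps.append((f"{fields[0]}:{fields[1]}", fields[-2]))
    return deps


def check_dependencies(deps: List[Tuple[str, str]]) -> List[dict]:
    """Match each dependency against the advisory database."""
    findings = []
    for name, version in deps:
        for adv in ADVISORIES.get(name, []):
            for low, high, fixed in adv.affected:
                if version_in_range(version, low, high):
                    findings.append({"artifact": name, "version": version,
                                     "cve": adv.cve, "upgrade_to": fixed})
    return findings


def gate(maven_output: str) -> Tuple[bool, List[dict]]:
    """Return (build_may_proceed, findings)."""
    findings = check_dependencies(parse_dependency_list(maven_output))
    return (len(findings) == 0, findings)


if __name__ == "__main__":
    # Usage in a pipeline: mvn dependency:list | python gate.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    ok, findings = gate(text)
    for f in findings:
        print(f"BLOCKED {f['artifact']}:{f['version']} is affected by {f['cve']}; "
              f"upgrade to {f['upgrade_to']}")
    sys.exit(0 if ok else 1)
```

Run against the sample, the gate blocks the build on `struts2-core:2.3.31` and names 2.3.32 as the upgrade target, which is exactly the signal a DevSecOps pipeline would have raised on an Equifax-style build in March 2017. The zero-padded comparison matters: 2.5.10.1 must sort above 2.5.10, or the fixed release itself would be flagged as vulnerable.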
DevSecOps benefits development, security, and operations alike. It eliminates silos, promotes collaboration and teamwork, and identifies vulnerabilities early while still delivering better software faster. It also contributes business value through dollars and resources saved, improved operations, reduced security risk, less rework, and higher quality through automated testing, as well as delivering projects and products to the customer early and often with shorter cycle times.
In short, we can spend more time adding value for our end customers and less time and money fixing vulnerabilities discovered late in preproduction testing, or dealing with the fallout of exploits in production. It's time to get past continuous integration and continuous delivery and start thinking about continuous security.