This article was originally published by Dataversity on August 23, 2022.
In the never-ending battle between business success and cybersecurity threats, enterprises have discovered a secret weapon. Developers, once the scourge of security teams, are becoming vital proponents of secure software. By tapping into open-source tools and public-key infrastructure (PKI), many developers are bringing data security into the earliest stages of development and taking greater responsibility for security-related decisions.
The need for secure software has never been more glaring. With businesses operating at the speed of the cloud, and new applications and services continually being added at the edge, the attack surface has grown. Threat actors have seized the opportunities presented by unsecure software to broaden the scope and increase the effectiveness of their attacks. Many have shifted the focus of attacks from delivering malware to compromising credentials, for example, and have taken advantage of distributed networks to launch supply-chain attacks such as the SolarWinds hack. And there is still the onslaught of ransomware, SQL injection, DDoS, and other attacks to contend with as well.
Although some organizations still give the speed of DevOps development and deployment a higher priority than data security, more companies are emphasizing that business requires secure software to succeed. And this begins with secure code. In a world where everything is connected but nothing is trusted, developers, along with the open-source and PKI communities, can help restore a measure of trust in the integrity of software.
Solving the speed-vs-security problem
DevOps teams have always been built for speed. In a cloud-based business environment reliant on online and mobile transactions, developing software and getting it into the continuous integration and continuous delivery (CI/CD) pipeline as quickly as possible is often the key to competitiveness and, therefore, success.
But that approach also creates vulnerabilities, as software goes into production before data security teams can address any weaknesses. The long-standing process in many organizations of tacking security on after the development process – sometimes even after software is deployed – frequently proves to be too little, too late.
It’s not that the advantages of secure code haven’t been known. But in the pressure of the competitive business environment, speed has taken precedence. Now, however, more and more developers are giving it priority. And they are doing this with the help of two things that have always been bulwarks of innovation and security: open-source development and PKI. Together, they can help improve code security while adding speed to the security process.
Open-source tools enable secure development
The open-source community has always been at the forefront of innovation. Making source code available and inviting any and all capable developers to collaborate – inspecting, modifying, and enhancing the code – has proven invaluable in creating cost-effective and highly functional software. It’s been used extensively for anything from test automation to a wide range of popular open-source software, such as GNU/Linux, the Android OS, Mozilla Firefox browser, and Apache Web Server.
Developing software in an open-source model, as opposed to proprietary development where source code is kept under wraps, has also benefitted from a kind of security through visibility. Although open-source software is not un-hackable, the transparency of the development process enables developers to more easily discover and correct bugs as they crop up.
Open-source tools from groups such as the Open Web Application Security Project (OWASP), as well as many other organizations, are shared to help develop secure applications. Software such as Bouncy Castle – a lightweight, FIPS-certified open-source cryptographic API for Java and C# – allows developers to integrate cryptography into their application code, for example.
There are also open-source tools that enable developers to make the best possible use of PKI, which is already the most commonly used infrastructure technology for data security, with an established set of standards.
How PKI accelerates secure development
Teams are increasingly relying on PKI and machine identities to build, deliver, and run applications securely. PKI, which secures communications by using digital signatures to authenticate identities, software, and devices, is an effective tool for bringing security into DevOps. And a number of open-source tools can help enable the process.
EJBCA, for instance, is an open-source certificate authority that provides lifecycle management. Ansible, using easy-to-understand YAML, automates the installation and configuration of software, a cornerstone of DevOps environments that use infrastructure-as-code. Another tool, the Jenkins automation server, can automate the deployment of certificates and keys, which can help unclog bottlenecks in a CI/CD pipeline.
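The signing-and-verification step that the paragraphs above describe in prose can be shown end to end with nothing but the Go standard library. The program below is an added example written for this page; it is not code from the original article, from EJBCA, Ansible or Jenkins. It assumes an in-memory root CA and a short-lived leaf certificate restricted to code signing (the CA and signer names are hypothetical), and it uses a constructed byte string in place of a real build artifact. The CI side hashes the artifact and signs the digest with the leaf key; the consuming side first chains the leaf back to the root it trusts and confirms the certificate is allowed to sign code, and only then checks the signature. A tampered artifact, or a signer outside the trust anchor, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for a build output (a binary or an image digest).
var artifact = []byte("constructed-build-artifact-v1.0.0")

// issueCert signs template with signer; a nil parent means self-signed (the root).
func issueCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI creates a root CA plus a short-lived leaf certificate that is
// restricted to code signing, returning the root, the leaf, and the leaf's key.
func BuildPKI() (root, leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	root, err = issueCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Build Root CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leafKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, err = issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "ci-signer"}, // hypothetical name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour), // short-lived: limits exposure if the CI key leaks
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, leaf, leafKey, nil
}

// SignArtifact is the CI side: hash the artifact and sign the digest with the leaf key.
func SignArtifact(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyArtifact is the consumer side: the leaf must chain to the trusted root
// and be permitted to sign code before the signature over the digest is checked.
func VerifyArtifact(root, leaf *x509.Certificate, data, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected signer key type")
	}
	digest := sha256.Sum256(data)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

func main() {
	root, leaf, key, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	sig, err := SignArtifact(key, artifact)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", VerifyArtifact(root, leaf, artifact, sig))
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0xff
	fmt.Println("tampered artifact:", VerifyArtifact(root, leaf, tampered, sig))
}
```

The order of checks in VerifyArtifact is the point: a signature that verifies under some public key proves nothing until that key has been tied, through the certificate chain, to a root the consumer has chosen to trust and to a certificate whose usage actually permits code signing. In a real pipeline the root would come from the organization's CA (EJBCA in the article's example), the leaf would be issued to the build job, and the short lifetime would be enforced by the same automation that deploys the keys.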
AppSec and ops teams are relying on PKI and machine identities to build security into applications. Automation tools can help ease bottlenecks in the CI/CD process by automating certificate management. In addition, automation can help deal with the exploding growth of machine identities. This category includes connected IoT and mobile devices, software-defined applications, cloud workloads, virtual machines, containers, and even the code running on them. Connected devices on the internet outnumber humans by more than three to one, and they’re still multiplying. The number of certificates and keys involved has been growing along with them, and automation tools can help manage those identities.
The business of cybersecurity
In today’s highly distributed and connected environment, cybersecurity is a business decision; it can no longer operate as a separate function within the enterprise. The viability of a business requires trust, and that begins with secure code.
The open-source community provides DevOps teams with readily available, easily adaptable, and highly scalable tools to enable secure development from the start. Using PKI, machine identities, and automation maintains security and adds speed and efficiency to the process.
By making use of open-source and PKI tools, developers are playing a greater – and essential – part in building security into the foundation of modern business. Enterprises’ secret weapon was there all along. Now, they are starting to make use of it. Finally, organizations will no longer have to make the tradeoff between speed, innovation, and security.