No Matter Your Perspective on Cybersecurity, Need for SecDevOps is Evident
By Frank Downs
Cybersecurity, as a field, is viewed through many different lenses, depending on where a professional works within an organization. For example, lawyers and auditors often view cybersecurity as a compliance issue. These professionals are heavily concerned with procedure, policy, and performance, ensuring that individuals within their organizations are leveraging the appropriate mechanisms and following prescribed procedures while avoiding any types of actions that may place the business in jeopardy.
For the penetration tester, cybersecurity is viewed as a challenge – something to overcome, defy, and subvert. Specifically, most penetration testers receive greater benefit and compensation depending on how successfully they subvert an organization’s protective mechanisms. This stands in contrast to many incident responders who value constant awareness and monitoring through leveraging firewalls, updates, patches, and local system security mechanisms.
While all these different slices of cybersecurity have focuses unique to their work roles, almost all cybersecurity professionals universally appreciate secure development operations, also known as DevSecOps or SecDevOps. The global appreciation of SecDevOps is rather obvious when examining cybersecurity holistically.
Specifically, SecDevOps can be defined as the application of security considerations into development operations throughout the lifecyle of the product. This is somewhat unique in the field of development, as previous generations of technical development prioritized functionality and customer ease-of-use over security. This previous mentality, while understandable, is a serious cause for concern and presents threats to the users of these underdeveloped products.
As SecDevOps has grown in prominence, it has become an overlying consideration for most of the cybersecurity community. Specifically, all members of the field agree that building security into customer offerings from start to finish ensures a more secure product evolves over time.
For example, leveraging SecDevOps into a Software-as-a-Service (Saas) offering lowers the level of potential web vulnerabilities for users. This, in turn, can help stave off many of the OWASP Top 10 related exploitations that are prevalent online.
Additionally, leveraging SecDevOps into Internet of Things (IoT) products can decrease the potential number of pivot points which attackers can leverage, should they gain access to a victim’s network. Even leveraging SecDevOps into things as mundane as a Bluetooth receiver and transmitter development can protect drivers from potentially losing control of their vehicles.
One of the most recent examples of SecDevOps failure was identified by Google’s Project Zero team when it conducted a security review of the Apple’s iPhone and discovered “five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.” These exploits made iPhones vulnerable to several hacked websites online. When iPhone users visited these sites, monitoring implants would be installed on their phones, sending data to the online miscreants responsible for the hacks. The information sent to the attackers could include personal and private data such as iMessages, photos, and GPS information – all of which could be sent to the hackers in real-time.
Although initial reports speculated that the impact of the vulnerabilities were in the range of billions of users, in truth, the actual websites that were responsible for implanting the monitoring software only received a few thousand visits a week – a far cry from most mainstream internet sites – thus reducing the potentially exploited population drastically.
While the actual impact of the monitoring implant attack is probably low for Apple and iPhone users, it goes without saying that had Apple better performed SecDevOps, the likelihood of these dangerous exploits gaining purchase in the first place would have been much lower.
Indeed, many cybersecurity professionals understand that while the level of actual exploited iPhone users may have been relatively low, the level of vulnerable users was uncomfortably high.
Through using SecDevOps in the development cycle, Apple could have better prepared and mitigated this vulnerability before it ever occurred. Yet, until this universally approved development process is globally adopted, more hacks will occur with more users put at risk.