In January 2024, the New York Times experienced a significant breach due to an exposed GitHub token, resulting in the theft of 270GB of sensitive data, including IT documentation and infrastructure tools. This incident is just one of many examples that underscore the urgent need for robust security measures throughout the software development lifecycle (SDLC).
In today’s world, software developers are the source of the product; they are the workhorses of a booming digital economy. However, the productivity demands placed on developers often lead to a deprioritization of SDLC security measures. For example, when VPs of Engineering give large developer teams broad permissions across a code repository in the interest of speed, they may inadvertently create a large attack surface that a single compromised account can exploit.
DevSecOps, a term that encompasses the combined efforts of development, security and operations acting as one unit, is an urgent security requirement for any CISO. By breaking down DevSecOps into four essential pillars – identity governance, CI/CD governance, code governance and SDLC compliance – organizations are provided with a rubric for preventing SDLC breaches. This framework also helps define a new category of security for development environments, referred to as SDLC governance.
The Four Pillars of SDLC Governance
Securing an SDLC is a monumental task. It is not a simple shift left from cloud infrastructure security. Rather, an SDLC environment includes code repositories, runtime environments, artifact repositories, open-source code scanners, secret managers, CI/CD tools and much more. Four pillars frame the SDLC Governance problem set comprehensively:
- Identity Governance: Ensure that each developer and service account has the entitlements needed to do its job – no more, no less. Strict identity governance policies limit access to only what is necessary, reducing the risk of unauthorized access that can lead to breaches. Additionally, ensuring that insider risk and risky behavior by external identities are rapidly detected and contained is critical to mitigating SDLC identity risks.
- CI/CD Governance: Maintain consistent security postures for integration and deployment tools based on the context in which the application is being deployed. This means understanding the bespoke needs of each application so that CI/CD tools apply tailored integration and deployment procedures.
- Code Governance: Record an identity, date and time for the import of every package in the repository. This includes monitoring for secret leakage, static application security testing (SAST) vulnerabilities and performing infrastructure-as-code (IaC) scans of Terraform.
- Compliance: Automate continuous compliance detection and remediation according to the relevant standards. By automatically detecting compliance failures and remediating them in real time, organizations can meet industry standards and avoid potential fines or penalties.
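The secret-leakage monitoring that the Code Governance pillar calls for, shown as an added example that is not from the article or any vendor's product: a check over the added lines of a diff that flags GitHub token formats (the kind of credential behind the breach described above) and high-entropy credential assignments while ignoring low-entropy placeholders. The sample diff and every credential value in it are constructed; the file path and variable names are hypothetical.

```python
import math
import re

# Added example (not from the article): a secret-leakage check of the kind the
# Code Governance pillar describes, usable as a pre-commit hook or CI step.
# GitHub classic tokens: ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars; fine-grained: github_pat_.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"
)
# Generic credential assignment: secret-like name, '=' or ':', then a long value.
ASSIGNMENT_RE = re.compile(
    r"""(?i)(?:token|secret|password|api[_-]?key)\w*\s*[:=]\s*["']?([A-Za-z0-9_\-/+=]{16,})"""
)
ENTROPY_THRESHOLD = 3.5  # bits per char; placeholder values fall well below this

def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character."""
    n = len(value)
    if n == 0:
        return 0.0
    return -sum((k / n) * math.log2(k / n) for k in (value.count(c) for c in set(value)))

def scan_diff(diff: str) -> list[dict]:
    """Flag added diff lines that look like leaked credentials."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added content; skip the '+++ b/file' header
        text = line[1:]
        m = GITHUB_TOKEN_RE.search(text)
        if m:
            findings.append({"line": lineno, "kind": "github_token", "match": m.group(0)})
            continue
        m = ASSIGNMENT_RE.search(text)
        if m and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "kind": "high_entropy_secret", "match": m.group(1)})
    return findings

# Constructed sample diff; every credential value below is fake.
SAMPLE_DIFF = """diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,4 +1,6 @@
 import os
-GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
+AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+db_password = "changeme-changeme"
 REGION = "us-east-1"
"""
```

Running `scan_diff(SAMPLE_DIFF)` reports the hard-coded GitHub token on diff line 7 and the high-entropy key on line 8; the `changeme-changeme` placeholder on line 9 is left alone, and the removed line 6 is not scanned.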
Before implementing an effective SDLC Governance model, engaging stakeholders across the organization is critical. CISOs should collaborate with engineering leaders, AppSec leaders, DevOps leaders and compliance officers on SDLC security and governance policies to ensure that all aspects of security are considered and addressed.
Framework Implementation and Overcoming Challenges
Strong leadership from the CISO is essential to successfully implement this framework. However, many of the challenges CISOs face are not technology problems—they are cultural problems. As the primary advocate for security, the CISO must conduct thorough research to understand the organization’s specific security needs and challenges. Engaging staff and functional heads, the CISO must present evidence of potential threats and develop policies that balance productivity with robust security measures.
One major challenge is a culture in which CISOs defer to functions for which IT is a core competency, presuming that those teams understand the security risks they are taking. Another challenge stems from the nature of high-growth technology companies, where aggressive growth targets push engineering teams to prioritize speed over security. This “go, go, go” mentality leads to governance and security measures becoming secondary concerns.
Embracing SDLC Governance for a Secure Future
While the challenges of implementing SDLC Governance can be daunting, the successes CISOs have achieved in securing cloud infrastructure demonstrate what’s possible. Consider the rapid evolution from on-premises security, which took decades to perfect, to the seamless adoption of public and private cloud solutions in just a few years. CISOs have been instrumental in this transition, bringing in numerous developer tools and helping push products out quickly. Not to mention, CISOs never get credit for all the breaches that don’t happen, yet they remain on their toes and are willing to talk to innovators to find solutions. Because of their work, I truly believe this industry can solve anything.
As businesses across all industries now rely heavily on software development, the urgency to integrate security into the DevOps process has never been greater. Attackers continue to experiment with and exploit weaknesses in critical infrastructure. The recent battery of SDLC-focused attacks highlights the need for robust security measures in the way software is built. It is no longer sufficient to protect only the cloud in which the application is hosted.
If you’re waiting for the ASPM market to shift left, I’d offer that SDLC Governance is too complex to be done comprehensively by a typical cloud security provider. Securing DevSecOps is a core competency in its own right and requires specialty tools and services. Now is the time to engage your SDLC stakeholders and begin the journey of securing your development pipelines; the future of your organization’s security depends on it. Implementing an SDLC Governance framework that encompasses identity, CI/CD and code governance, as well as compliance, will ensure that security is an integral part of your development process, safeguarding critical assets and fostering a culture of shared responsibility.