DTNA 2018: Many CSPs don’t know what DevSecOps is and that’s a problem
CSPs may not be doing enough to fix the cybersecurity problem, according to Paul Fox, AT&T’s Assistant Vice President, Technology, who gave a keynote address here in Dallas at Digital Transformation North America.
25 Sep 2018
Dawn Bushaus, Managing Editor, TM Forum, is at Digital Transformation North America and Action Week this week and will be sharing her insights and observations throughout the week. Here she looks at what is being said about DevSecOps.
In 2017, the US Federal Bureau of Investigation logged over 300,000 complaints about cyberattacks that when added together have cost companies an estimated $1.4 trillion. Communications service providers (CSPs) know this is a problem – 71% have reported an increase in cyberattacks over the past year – but they may not be doing enough to fix the problem, according to Paul Fox, AT&T’s Assistant Vice President, Technology, who gave a keynote address here in Dallas at Digital Transformation North America.
“We as information technology professionals need to make sure that when data is breached, it is not breached in a useable format,” Fox told the crowd of more than 275 attendees from 85 companies, almost half of them from CSPs.
Fox began his presentation by conducting a Slido survey of attendees, asking them whether their company is embracing DevSecOps. While 44% said they have implemented it or plan to, nearly a third of respondents answered that they don’t know what DevSecOps is. This is troubling because of its importance in software-based networks.
What is DevSecOps?
Put simply, DevSecOps is DevOps software development with security baked in from the outset.
“It’s where we embed security requirements through the entire lifecycle – we handle it upfront in requirements, design, development, testing and operations,” Fox explained. “But DSO is not just about coding. It also includes things like threat modeling and risk assessment, as well as automation and analytics.”
What’s the biggest concern?
Fox polled audience members a second time, asking them to list their biggest security concerns. Results were presented in the form of a word cloud, which showed that data and customers are foremost in people’s minds. This isn’t surprising, according to Fox, when data breaches are in the news so frequently.
What are the benefits of DevSecOps?
Embracing DevSecOps promises many benefits, including faster time to market with new products and services.
“It’s more reliable because in DevSecOps you create this structure to manage, monitor and deploy your security fixes, which means you can recover faster from a security breach because you’re already set up to include it in the process,” Fox said. “It’s also going to help you win in the marketplace [by speeding time to market].”
How to embrace DevSecOps
Today, many CSPs are missing opportunities to improve security. They are underutilizing the tools they do have and scan analysis is typically centralized and manual. Developers often ignore scan results, and run cycles are long.
According to Fox, CSPs need to embrace near real-time static testing, and dynamic scanning should be performed early rather than at the end of the cycle. “You need to give designers time to think like an attacker,” he said.
Operators also must increase penetration testing and threat modeling at the design stage. Fox advocates setting up “war games” for developers to create a fun competition to look for threats and potential breaches.
“We want security scanning throughout integration,” Fox said. “Typically scanning is done at the end of the process. In the future we want to iterate throughout the lifecycle at each sprint.”
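The practices Fox describes above (scan results that developers ignore, scanning pushed to the end of the cycle, and the goal of scanning at every sprint) come down to one engineering question: how do you make scanner output a gate that runs on every merge without blocking a team on years of legacy findings? The script below is an added example written for this article; it is not AT&T's code, TM Forum's, or anything Fox presented. It assumes a scanner-agnostic finding shape of its own (rule, path, line, severity, snippet); a real tool's output, such as SARIF, would need a small adapter. The sample findings are constructed for illustration.

```python
"""Per-merge scan gate with a committed baseline (constructed example).

Design:
- Findings from a static or dynamic scanner are compared against a baseline
  file that the team committed when it adopted scanning.
- Only NEW findings at or above a severity threshold fail the build, so the
  pipeline can run at every sprint without blocking on pre-existing debt.
- Findings are keyed by rule + path + hash of the flagged snippet, not by line
  number, so unrelated edits that shift lines do not churn the baseline.
The finding dictionaries below are a constructed shape, not a real tool's format.
"""
import hashlib
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed baseline: one known SQL-injection finding accepted as tracked debt.
BASELINE = [
    {"rule": "sql-injection", "path": "billing/query.py", "line": 40, "severity": "high",
     "snippet": 'cursor.execute("SELECT * FROM invoices WHERE id = " + invoice_id)'},
]

# Constructed current scan: the known finding moved to a new line, plus two new ones.
CURRENT_SCAN = [
    {"rule": "sql-injection", "path": "billing/query.py", "line": 58, "severity": "high",
     "snippet": 'cursor.execute("SELECT * FROM invoices WHERE id = " + invoice_id)'},
    {"rule": "hardcoded-secret", "path": "provisioning/client.py", "line": 12,
     "severity": "critical", "snippet": 'API_TOKEN = "constructed-placeholder-token"'},
    {"rule": "weak-hash", "path": "auth/legacy.py", "line": 7, "severity": "low",
     "snippet": "hashlib.md5(password.encode())"},
]


def fingerprint(finding):
    """Stable identity for a finding: rule id, file path and a hash of the snippet.
    Deliberately excludes the line number so a moved line is still 'known'."""
    snippet_hash = hashlib.sha256(finding["snippet"].encode("utf-8")).hexdigest()[:16]
    return f'{finding["rule"]}:{finding["path"]}:{snippet_hash}'


def new_findings(current, baseline, threshold="high"):
    """Return findings in `current` that are absent from `baseline` and whose
    severity is at or above `threshold`, most severe first."""
    known = {fingerprint(f) for f in baseline}
    floor = SEVERITY_RANK[threshold]
    fresh = [f for f in current
             if fingerprint(f) not in known and SEVERITY_RANK[f["severity"]] >= floor]
    return sorted(fresh, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def gate(current, baseline, threshold="high"):
    """Decide whether a merge may proceed. Also reports below-threshold new
    findings so they are visible to the developer without blocking the build."""
    blocking = new_findings(current, baseline, threshold)
    visible = [f for f in new_findings(current, baseline, "low") if f not in blocking]
    return {"pass": not blocking, "blocking": blocking, "non_blocking": visible}


def render(result):
    """Human-readable report for the CI log."""
    lines = ["PASS" if result["pass"] else "FAIL: new findings at or above threshold"]
    for f in result["blocking"]:
        lines.append(f'  [{f["severity"].upper()}] {f["rule"]} {f["path"]}:{f["line"]}')
    for f in result["non_blocking"]:
        lines.append(f'  (info) [{f["severity"]}] {f["rule"]} {f["path"]}:{f["line"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    # In a pipeline, CURRENT_SCAN would be read from the scanner's output file
    # and BASELINE from a file committed in the repository.
    outcome = gate(CURRENT_SCAN, BASELINE, threshold="high")
    print(render(outcome))
    print(json.dumps({"new_blocking": len(outcome["blocking"])}))
    sys.exit(0 if outcome["pass"] else 1)
```

Run on the constructed data, the gate fails because of the new hard-coded secret, reports the new low-severity weak-hash finding as informational, and stays quiet about the baseline SQL-injection finding even though it moved from line 40 to line 58. When the team fixes a baseline item, the matching entry simply disappears from the next scan; when a new finding is triaged and accepted, its fingerprint is added to the baseline file under review rather than being silently ignored.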