{"data":[{"id":643762291,"hub_id":94885,"type":"blogs","service":"blogpost","name":"Using Balanced Development Automation to Achieve Both Speed and Security for CMMC","title":"Using Balanced Development Automation to Achieve Both Speed and Security for CMMC","description":"CMMC is a means of unifying cybersecurity standards for the U.S. Department of Defense. Learn how you can achieve compliance with this new standard.","seo_title":"How Defense Contractors Can Ensure Compliance With CMMC","seo_description":"CMMC is a means of unifying cybersecurity standards for the U.S. Department of Defense. Learn how you can achieve compliance with this new standard.","url":"https:\/\/resources.securitycompass.com\/blog\/ensure-compliance-with-cmmc","thumbnail_url":"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYwZTRiMGFhMjE5MGMuanBnJnZlcnNpb249MDAwMCZzaWc9MzJiNTQ1NTViZWQ5MWQ5YjY3ODllZDdkNmQyYzNjMTQ%253D","canonical_url":null,"canonical_redirect":false,"mediaproxy_thumbnail_url":null,"avatar_url":null,"duration":null,"published":true,"featured":false,"hidden":false,"edited":true,"deleted":false,"content":{"embed_data":null,"published":"<p dir=\"ltr\"><img alt=\"\" src=\"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYwMDVhOWRmNzAzNWIucG5nJnZlcnNpb249MDAwMCZzaWc9NzhiYWVmNDA0YjJmZmRhYTQ1ZTExOTI4YzE2N2MzMjA%253D\" \/><\/p>\n\n<p dir=\"ltr\">With the introduction of the <a href=\"https:\/\/www.acq.osd.mil\/cmmc\/\">Cybersecurity Maturity Model Certification (CMMC)<\/a> in the U.S. as a means of unifying cybersecurity standards for the Department of Defense, organizations must consider the impact on their DevSecOps operational activities. There are many stakeholders to consider: business, development, operations, security, compliance, and risk. From a governance perspective, how do we integrate this standard with our DevSecOps teams?<\/p>\n\n<p>A lot of tools and processes traditionally lack a security perspective.<\/p>\n\n<p>Given the importance of software development in an organization today, the impact of operationalizing CMMC is not trivial. Many organizations rely on manual spreadsheets to keep track of compliance against standards and frameworks like CMMC. This approach is difficult for traceability and makes third party auditing a laborious process.<\/p>\n\n<p>Ideally, we want to provide a real-time assessment of the residual software security risk across a portfolio of DevSecOps projects while work is being performed. The goal is to utilize security as an enabler to help the business move faster while facilitating collaboration across multiple stakeholders. This type of approach can help business stakeholders make informed decisions.&nbsp;<\/p>\n\n<p>In this article, we will explain how <a href=\"https:\/\/www.securitycompass.com\/balanced-development-automation\/?utm_source=resources&amp;utm_medium=blog&amp;utm_campaign=FY20_Q4_contentlink\">Balanced Development Automation (BDA)<\/a> attempts to help address these pressing issues. This is an evolving category that is still being defined but addresses a missing gap in the landscape of DevSecOps tools today.<\/p>\n\n<p><iframe allowtransparency=\"true\" data-name=\"pb-iframe-player\" height=\"150\" scrolling=\"no\" src=\"https:\/\/www.podbean.com\/player-v2\/?i=7683p-f4c1d8-pb&amp;from=embed&amp;share=1&amp;download=1&amp;skin=1&amp;btn-skin=7&amp;size=150\" style=\"border: none; min-width: min(100%, 430px);\" title=\"Sesh Vaidyula &amp; Harvey Nusz - Impact of CMMC on Organizations\" width=\"100%\"><\/iframe><\/p>\n\n<h3>How BDA ensures security with speed<\/h3>\n\n<p dir=\"ltr\">Historically, DevOps teams were focused almost entirely on speed of delivery. Our tools were focused on increasing levels of automation and the continuous integration and delivery pipelines reinforced the importance of speed. With the introduction of security practices in DevSecOps, the challenge was in trying to integrate a practice based on security controls into a fast-moving delivery pipeline. The result was either security was left until the last minute, or it slowed down the delivery process &mdash; none of which was ideal.<\/p>\n\n<p>BDA tools focus on leveraging security proactively as a means of achieving speed to market. It is an ideal set of tools for environments driven by regulations or standards that involve multiple stakeholders.<\/p>\n\n<p>There are four key parts to BDA.<\/p>\n\n<ol>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Regulations and standards:<\/strong> BDA tools natively incorporate operational guidance for regulations and standards. Through APIs, other pipeline tools can ingest the relevant procedures and return results back to show completion status against individual clauses.<\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Just-in-time training:<\/strong> Secure development and operational hardening are critical. With the shortage of qualified resources, BDA tools integrate the right training which helps to ensure consistency at scale while moving at speed.<\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Secure coding practices:<\/strong> A lot of coding is done through searching code samples in the wild. Unfortunately, these code samples often do not follow secure coding practices. Providing these code samples accelerates the development time.<\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Risk assessment:<\/strong> The typical risk assessment process for this involves elicitation, analysis, and recommendations. BDA tools shorten the cycle time by filtering out the non-essential activities to achieve compliance for a given standard or regulation. The results are a policy-driven approach to threat modeling which helps accelerate the areas to concentrate on.<\/p>\n\t<\/li>\n<\/ol>\n\n<h3>Implementing CMMC through BDA<\/h3>\n\n<p dir=\"ltr\">Let&rsquo;s walk through an example of how BDA can help an organization attempting to achieve CMMC Level 2.<\/p>\n\n<p>We cannot walk through the entire process for a portfolio of applications but, for this example, let us assume we have a standalone Java application with a database. The simplicity of this architecture will allow us to focus on value creation in the compliance and governance process rather than the technology domain.<\/p>\n\n<p>A BDA tool would correlate the CMMC Level 2 guidance with the architectural constraints of the application to identify areas of risk. In this case, that means the intersection of a Java application with a backend database against CMMC Level 2 compliance requirements. The tool would identify the following policy from CMMC:<\/p>\n\n<p><strong>AC.2.007: Employ the principle of least privilege, including for specific security functions and privileged accounts.<\/strong><\/p>\n\n<p>Notice how this is useful from a compliance and security perspective. People in these teams are used to dealing with policies across the lifecycle (from policy creation to termination). However, handing this over to a developer or operations engineer is not prescriptive enough. There may be different ways to interpret what this means. The ambiguity surrounding this is not for lack of trying, it is simply speaking a different language between policymakers and engineers.&nbsp;<\/p>\n\n<p>What we need is more concrete guidance that contextualizes the above policy into a language that developers, operations, and engineers can understand and implement. As an example, a BDA tool would offer the following translation:<\/p>\n\n<ul>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Restrict access to tables and schemas that are needed.<\/strong><\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Restrict access to actions that are needed (such as select, update, and delete).<\/strong><\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Remove access to stored procedures that the application does not need.<\/strong><\/p>\n\t<\/li>\n<\/ul>\n\n<p>Notice how the words being used are contextual. Access control, database schemas, and stored procedures instantiate the high-level guidelines into easy-to-understand instructions (thereby reducing wasted time). This example can be further elaborated to contextualize against a particular database platform. The translation between a high-level security guideline and actionable tasks is a key value proposition of BDA tools. Speed and scale is achieved by integrating the requirements of various stakeholders and codifying with the BDA tool.<\/p>\n\n<p dir=\"ltr\">The work performed by engineers continues as they normally do, using the tools and frameworks they are familiar with. This limits the need to slow down and learn an entirely new tool.<\/p>\n\n<p>Once the engineers have completed their work, to ensure auditability, test cases need to be created. BDA tools provide sample test cases as an accelerator. The benefit of having this guidance upfront is that, by shifting testing to the left, we can start to create test cases much earlier. Additionally, the prescriptive nature of the test cases allows for the traceability of these test cases to the CMMC policy. Here is an example of the prescriptive output:<\/p>\n\n<ul>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Test #1: Review the source code to determine the account that the application uses to connect to its database at runtime. The test fails if the application uses a database super-user account.<\/strong><\/p>\n\t<\/li>\n\t<li dir=\"ltr\">\n\t<p dir=\"ltr\" role=\"presentation\"><strong>Test #2: Review the database permissions for the user. The test fails if the user has more permissions than it requires (such as ability to drop tables, alter the database schema, or execute unnecessary prepared statements).<\/strong><\/p>\n\t<\/li>\n<\/ul>\n\n<p>Once again, the language is relevant to the testing stakeholder. If the test cases pass, that rolls back into AC.2.007 as a successful completion. In this way, each clause in the CMMC standard has auditability and traceability while retaining the emphasis on speed of delivery. These test cases can be performed through automation or human-in-the-loop processes. By combining these results, teams can identify areas of weakness and provide evidence of additional training or guidance in order to build up the right capabilities to provide business assurance.<\/p>\n\n<p>At the end of a cycle, a CMMC report can be generated from the BDA tool that shows whether all relevant technical tasks have been completed to comply with CMMC Level 2. In doing so, multiple stakeholders can interact in a way that integrates their processes without requiring extensive process or architectural rework.<\/p>\n\n<p>The example above illustrates BDA tools in the context of compliance, development, operations, and testing. But it is not difficult to extend this to include architects (with prescriptive requirements on readable\/writeable classes, for example) or database authentication for operations teams. The intent is to demonstrate how CMMC operationalization can occur in a fast-moving delivery pipeline.<\/p>\n\n<h3>Focusing on integration and automation<\/h3>\n\n<p dir=\"ltr\">As stated at the beginning of this article, security and compliance activities often operate in their own silos. That makes integration with fast-moving continuous integration and delivery cycles difficult. Artifacts produced from one team are not easily ingested into downstream systems. That creates unnecessary noise and makes system integration and automation difficult to achieve.<\/p>\n\n<p>True integration and automation is achieved through harmonization of the underlying metadata across multiple stakeholder systems. This allows for the harmonization of processes and systems without having to force expensive configuration work into all the systems.&nbsp;<\/p>\n\n<p dir=\"ltr\">Integration in a BDA context does not preclude second and third level integration. For example, developers can still use code scanners as part of their testing and the results can feed into a BDA tool to prove completion of work.<\/p>\n\n<h3 dir=\"ltr\">Conclusion<\/h3>\n\n<p dir=\"ltr\">Achieving CMMC compliance should be considered in light of an ongoing, sustainable program. This requires the ability of multiple stakeholders to provide their requirements into a fabric that integrates into a DevSecOps workflow. The definition of &ldquo;complete&rdquo; is baked into BDA tools and provides auditability and traceability.<\/p>\n\n<p dir=\"ltr\">BDA tools are helpful to bring compliance monitoring to DevSecOps automation. Rather than trying to force development and operations into a security sandbox, they integrate security from the beginning. It shifts the conversation from a zero-sum decision around speed or security. Rather, it is the inclusion of both in a way that articulates the residual risk and trade-offs to stay within the guardrails of an organizational risk threshold.<\/p>","draft":null,"source_url":null},"author":{"id":3935858,"first_name":"Altaz","last_name":"Valani","full_name":"Altaz Valani","username":"avalani@securitycompass.com-del-3935858","email":"avalani@securitycompass.com-del-3935858","bio":"Altaz is the Director of Insights Research and is responsible for managing the overall research vision at Security Compass. Prior to joining SC, he had served as a Senior Research Director and Executive Advisor at Info-Tech Research Group, Senior Manager at KPMG, as well as held various positions working alongside senior stakeholders to drive business value through software development. Valani is on the SAFECode Technical Leadership Council, CIO Strategy Council, the Open Group, and also contributes to several IEEE working groups.","twitter_id":null,"avatar_url":"https:\/\/content.cdntwrk.com\/files\/YV91PTM5MzU4NTgmbW9kaWZpZWQ9MjAyMi0wNS0xMyAxMDo0ODoxNCZzaWc9NTgwNjc2MjYyZjRjZTY4NDYwNDRiZmFjYWEzYTJmMTI%253D"},"hide_publish_date":false,"external_created_at":"2021-01-04T13:29:12-0500","external_modified_at":"2021-01-04T13:29:12-0500","created_at":"2021-01-04T18:29:12-0500","modified_at":"2022-10-13T12:37:58-0400","published_at":"2021-01-05T16:08:19-0500"},{"id":647047405,"hub_id":94885,"type":"blogs","service":"blogpost","name":"The 2021 State of DevSecOps: Challenges and Drivers","title":"The 2021 State of DevSecOps: Challenges and Drivers","description":"In our survey, we found a rising trend toward the adoption of DevSecOps over the last year.","seo_title":"The State of DevSecOps 2021: Challenges and Drivers","seo_description":"In our survey, we found a rising trend toward the adoption of DevSecOps over the last year.","url":"https:\/\/resources.securitycompass.com\/blog\/devsecops-challenges-and-drivers","thumbnail_url":"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYwZTRiMGM3MzY5NWYuanBlZyZ2ZXJzaW9uPTAwMDAmc2lnPWZkMmVlNjI3ZmRmZDU3YTRkZDIyYmJiNTkxMzIxMGZk","canonical_url":null,"canonical_redirect":false,"mediaproxy_thumbnail_url":null,"avatar_url":null,"duration":null,"published":true,"featured":false,"hidden":false,"edited":true,"deleted":false,"content":{"embed_data":null,"published":"<p dir=\"ltr\"><img alt=\"\" src=\"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYwMjFjZjVmNzkwNDguanBnJnZlcnNpb249MDAwMCZzaWc9M2NkM2RmMmNhODBiNDZjNTQwNTA4ZjU0MzhhNzMxMzc%253D\" \/><\/p>\n\n<p dir=\"ltr\">Over the last decade, there have been many attempts to adopt DevSecOps across organizations. Unfortunately, because of the differences in priorities, DevOps and security teams have worked in silos. While one group is more focused on releasing applications to market faster, the latter is isolated in their pursuit to ensure security.<\/p>\n\n<p>There are definite benefits of collaboration between both these groups, but that&rsquo;s only possible when we understand the challenges they face in working with each other.<\/p>\n\n<p>So what is bothering DevOps and security teams? And how has the adoption of DevSecOps evolved in the last year considering the changes fuelled by remote work? Let&rsquo;s find out.<\/p>\n\n<h2 dir=\"ltr\">Rising adoption of DevSecOps<\/h2>\n\n<p dir=\"ltr\">In a survey commissioned by Security Compass with participants from the U.S. and U.K. across different roles in technology and risk, we found a rising trend toward the adoption of DevSecOps over the last year.<\/p>\n\n<p dir=\"ltr\">When asked about the biggest driver of DevSecOps adoption, we found a high degree of unanimity among respondents for <strong>improving security, quality, and resilience<\/strong> as their top priority. <strong>Bringing technology to market faster<\/strong> was the second most important driver, reducing organizational silos third, with cost reduction the least important.<\/p>\n\n<p dir=\"ltr\">The report also reveals how perceptions toward security and compliance evolve as organizations reach maturity in their DevSecOps programs.<\/p>\n\n<p>For companies still in the planning stages of DevSecOps, time to market and cost reduction are the top two drivers of adoption but as the approach takes hold across application builds, security, quality, and resilience becomes the stand-out reason why it flourishes.&nbsp;<\/p>\n\n<p>Though adoption has been rising recently, it does come with its fair share of challenges across organizations.<\/p>\n\n<h2 dir=\"ltr\">Challenges in DevSecOps adoption<\/h2>\n\n<p dir=\"ltr\">Implementing DevSecOps is challenging, with cost, internal resistance, and access to tools being commonly known difficulties organizations face. Large organizations, from financial institutions to federal government agencies, struggle with these challenges.&nbsp;<\/p>\n\n<p>Above all else, though, our research points to technical challenges as their biggest challenge.<\/p>\n\n<p dir=\"ltr\"><img src=\"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYxMjNlYWMxY2RlYTkucG5nJnZlcnNpb249MDAwMCZzaWc9N2FiYTIyMGQ2NzUxZDE3NjEwODY1ZmIzMWEyMTYxMzI%253D\" \/><\/p>\n\n<p>With the help of this study, we were able to establish the challenges that leading organizations encounter across varied industries including technology, banking, insurance, pharma, healthcare, manufacturing, and energy\/utility. Respondents across different roles, from executives to practitioners, participated in the study to talk about DevSecOps implementation in their organization.<\/p>\n\n<p><iframe allowtransparency=\"true\" data-name=\"pb-iframe-player\" height=\"150\" scrolling=\"no\" src=\"https:\/\/www.podbean.com\/player-v2\/?i=8twhq-f9cc94-pb&amp;from=embed&amp;share=1&amp;download=1&amp;skin=1&amp;btn-skin=7&amp;size=150\" style=\"border: none; min-width: min(100%, 430px);\" title=\"Spencer Koch - Cloud Security is not about Starting from Scratch\" width=\"100%\"><\/iframe><\/p>\n\n<h2><span style=\"color: rgb(0, 0, 0); font-size: 30px;\">Transition to the cloud<\/span><\/h2>\n\n<p dir=\"ltr\">Driven by the benefits offered by cloud services, organizations are also increasingly <a href=\"https:\/\/resources.securitycompass.com\/whitepapers\/how-you-can-ensure-secure-cloud-migration?utm_source=resources&amp;utm_medium=blog&amp;utm_campaign=FY21_Q1_contentlink=devsecopsblog\" target=\"_blank\">moving their applications to the cloud<\/a>. In our survey, almost 96 percent of respondents said that they plan to migrate their applications to an IaaS cloud service provider.<\/p>\n\n<p><img src=\"https:\/\/content.cdntwrk.com\/files\/aHViPTk0ODg1JmNtZD1pdGVtZWRpdG9yaW1hZ2UmZmlsZW5hbWU9aXRlbWVkaXRvcmltYWdlXzYxMjNlYWQwMDU2NjAucG5nJnZlcnNpb249MDAwMCZzaWc9MWUyMGFhNDMxNDQ5MWU4YjM5MzBiMWYwYmZiYmI0ZDE%253D\" \/><\/p>\n\n<p>Apart from these major trends, the survey also found that manual security and compliance processes slow down product launches. Insufficient automation, technical challenges, and organizational silos were the main reasons behind the slowdown. As a result, cybersecurity automation is top of mind for executives and practitioners alike.<\/p>\n\n<p><strong>If you would like to learn more about the findings of the State of DevSecOps 2021 study, please <a href=\"https:\/\/resources.securitycompass.com\/blog\/2021-state-of-devsecops?utm_source=resources&amp;utm_medium=blog&amp;utm_campaign=FY21_Q1_contentlink=devsecopsblog\" target=\"_blank\">view the full report<\/a>.<\/strong><\/p>\n\n<p><em>About the survey:<\/em> The purpose of the report is to provide an overview of the state of DevSecOps and highlight the challenges that enterprises are facing as they roll out these initiatives at their organizations. Security Compass commissioned Golfdale Consulting to conduct two independent online panel surveys in the Fall of 2020. The first survey focused on DevSecOps with 250 respondents from the U.S. and U.K., representing large enterprises (US$1B+ in annual revenue) that develop software in the technology, banking, insurance, pharma, healthcare, manufacturing and energy\/utilities sectors. The study surveyed executives and practitioners in risk\/compliance as well technology roles. The second survey exclusively interviewed professionals within the C-Suite on their views on time to market of their software products.<\/p>\n\n<div>&nbsp;<\/div>","draft":null,"source_url":null},"author":{"id":2367133,"first_name":"Security","last_name":"Compass","full_name":"Security Compass","username":"SecurityCompass","email":"uberflip@securitycompass.com","bio":null,"twitter_id":null,"avatar_url":null},"hide_publish_date":false,"external_created_at":"2021-02-08T18:46:49-0500","external_modified_at":"2021-02-08T18:46:49-0500","created_at":"2021-02-08T23:46:49-0500","modified_at":"2022-10-13T12:37:58-0400","published_at":"2021-02-09T00:02:15-0500"}]}