SolarWinds: Should Security Live in InfoSec or DevOps

Reading Time : 3 minutes

The SolarWinds cyberattack, discovered in December 2020, affected numerous government agencies and private companies worldwide. The incident raised concerns about the security of software supply chains. To determine where security should reside, it’s important to understand InfoSec (information security) and DevOps (development operations).

The SolarWinds attack involved compromising SolarWinds’ network management software, impacting an estimated 18,000 customers, including major government agencies. It was a supply chain attack, highlighting the need to secure software supply chains.

InfoSec and DevOps: What are they?

Before diving into the SolarWinds attack and the role of security, it’s important to understand what InfoSec and DevOps are.

InfoSec involves protecting information systems, networks, and data from unauthorized access, use, disclosure, disruption, modification, or destruction. InfoSec teams identify vulnerabilities, develop security policies, and educate users on best practices.

DevOps is an approach to software development that emphasizes collaboration and communication between development and operations teams. It aims to streamline the development process by automating tasks, continuously testing code, and integrating workflows for faster, reliable software releases.

The SolarWinds Attack

In December 2020, cybersecurity experts discovered that attackers had compromised SolarWinds, which provides network management software to numerous government agencies and private companies worldwide. The attackers had inserted a backdoor into the SolarWinds Orion software, allowing them to access sensitive data and systems. The attack affected an estimated 18,000 SolarWinds customers, including major government agencies such as the US Department of Homeland Security and the Treasury Department.

The SolarWinds attack was a supply chain attack, meaning that the attackers targeted a third-party software vendor rather than the organizations themselves. This attack is becoming increasingly common and highlights the importance of securing software supply chains.

Where should security live: InfoSec or DevOps?

The SolarWinds attack raises the question of whether security should live in InfoSec or DevOps. Some argue that security should be the responsibility of InfoSec teams, while others argue that security should be integrated into the DevOps process.

Arguments for InfoSec

• Focus on risk management

  InfoSec teams are trained to focus on risk management and threat mitigation. They have a deep understanding of the potential vulnerabilities and threats that an organization may face, and they are equipped to develop and implement policies and procedures to protect against those threats.

• Independence

  InfoSec teams are independent of the development process, which allows them to provide an unbiased perspective on security issues. They are not subject to the pressures of meeting development deadlines and can prioritize security concerns without compromising the development process.

Arguments for DevOps

• Security as code

  DevOps teams are responsible for creating and deploying code, so they are best positioned to integrate security into the development process. By incorporating security into the code, DevOps teams can ensure that security is built into the software from the beginning rather than being bolted on as an afterthought.

• Faster response times

  DevOps teams are responsible for deploying code quickly and efficiently. By integrating security into the development process, DevOps teams can respond more quickly to security issues and vulnerabilities, minimizing the risk of a successful attack.

Here are some factors to consider when deciding where security should reside

• Organizational culture

  Depending on whether the organization prioritizes security and compliance or innovation and agility, either InfoSec or DevOps may be better suited.

• Development methodology

  In the case of a waterfall development methodology, a separate InfoSec team may be more appropriate. However, with Agile or DevOps methodologies, integrating security measures into the development process may be more feasible

• Regulatory compliance

  If the organization must adhere to stringent regulatory requirements, a separate InfoSec team may be necessary to ensure compliance. However, if the organization is not required to meet such regulations, a DevOps approach could be a viable option.

• Skillset and resources

  Leveraging the knowledge of a large, experienced InfoSec team may be the best course of action. Conversely, if the InfoSec team is small or if security needs are constantly changing, a DevOps approach may be more practical.

Conclusion

The question of where security should live – in InfoSec or DevOps – is not straightforward. Both approaches have their merits, and the best approach will depend on the organization and its specific needs. Ultimately, the most effective approach will likely involve a combination of InfoSec and DevOps. InfoSec teams should be responsible for setting security policies.