Cyber insurance: Is DevSecOps the next domino to fall?
As the menacing specter of cybercrime continues to evolve and grow more cunning by the day, the importance of DevSecOps becomes a chilling reality for those seeking refuge under the cloak of cyber insurance. For without the fortress of DevSecOps practices, the realm of cyber insurance is but a fragile sanctuary teetering on the edge of inevitable and catastrophic collapse!
What is DevSecOps?
DevSecOps, or DevOps Security, revolutionizes the software development process by embedding security checks and features at every step. Starting from the design stage, all the way through to integration, testing, deployment, and final software delivery, DevSecOps ensures the application of security is a continuous and automated process.
DevOps practices themselves can expose security vulnerabilities tied directly to privilege management. Conventional Privileged Access Management (PAM) solutions are not designed to support the speed and scale required of DevOps team workloads.
Why should organizations be focusing on DevSecOps regarding cyber insurance now?
The short answer? Cyber insurance companies are ever expanding their security requirements for cyber insurance policies, so it’s a matter of time before they start demanding organizations implement DevSecOps solutions. Just imagine your cyber insurer turning around and saying “Hey, so you’ve got MFA, you’ve got service account governance. Let’s take a look at your practices around DevSecOps because we’re seeing ransomware attackers exploiting plaintext credentials embedded in code.”
The MFA domino has already fallen; it’s table stakes for cyber insurers. DevSecOps could very well be next. If you’ve already been implementing DevSecOps solutions, then it’s business as usual. But what if you don’t have any DevSecOps solutions in place when cyber insurance requires it?
If cyber insurers add DevSecOps as a new prerequisite to qualify for cyber insurance, then you may not be able to get or renew cyber insurance if you do not have any DevSecOps in place. And that’s in addition to being vulnerable to attackers stealing hardcoded credentials, API access keys, and sensitive configuration data from code, or worse.
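The automated check that DevSecOps embeds in the pipeline, applied to the hardcoded-credential risk described above: an added example, not code from the original post or from Delinea's products. It scans constructed sample source lines for string literals assigned to secret-looking variable names, uses an entropy floor to skip obvious placeholders, and shows the hardened form (reading the value from the environment or a vault) passing untouched; the file names, values and 3.0 threshold are all assumptions.

```python
import math
import re

# Constructed sample source lines standing in for files a CI/CD secret check would scan.
SAMPLE_SOURCE = {
    "config.py": [
        "DB_HOST = 'db.internal'",
        "DB_PASSWORD = 'Winter2024!'",               # hardcoded credential: flagged
        "import os",
        "API_TOKEN = os.environ['API_TOKEN']",      # hardened: value comes from env/vault, no literal
        "PLACEHOLDER_PASSWORD = 'xxxxxxxxxxxx'",    # template placeholder: low entropy, not flagged
    ],
    "deploy.sh": [
        'export AWS_SECRET_ACCESS_KEY="Qz8vL2pNx9kT4mWb7hR3yC6eJ1sF5dA0gUoKiXeV"',  # constructed fake key
        "aws s3 sync ./build s3://releases",
    ],
}

# A quoted literal of 8+ characters assigned to a variable whose name contains a secret keyword.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(\w*(password|passwd|secret|token|api_key|access_key)\w*)\s*=\s*['\"]([^'\"]{8,})['\"]"
)


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking keys score high, repeated placeholder characters score near 0."""
    length = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(n / length * math.log2(n / length) for n in counts.values())


def scan(files: dict, min_entropy: float = 3.0) -> list:
    """Return (file, line number, variable name) for each suspected hardcoded secret.

    Assignments that read from os.environ or a vault client carry no literal, so they never match."""
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            match = SECRET_ASSIGN.search(line)
            if match and shannon_entropy(match.group(3)) >= min_entropy:
                findings.append((path, lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for path, lineno, name in scan(SAMPLE_SOURCE):
        print(f"{path}:{lineno}: literal assigned to {name}; move it to a vault or environment variable")
```

Run as a pre-commit hook or pipeline stage, a non-empty result from scan() is the signal to fail the build before the credential reaches a repository.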
For more insights into the potential ramifications from the insurer's perspective, check out this Delinea webinar, "Cybersecurity Insurance: How PAM Can Help Avoid Coverage Denial."
To support cloud transformation initiatives, organizations have embraced Privileged Access Management (PAM), including Secrets vaulting, server PAM, and workstation PAM as critical components of a comprehensive security strategy. PAM solutions have been around for a while and are now mature—while PAM for DevSecOps use-cases typically flies under the radar.
DevSecOps is newer and scarier
DevSecOps is a newer discipline that presents unique challenges. Many organizations have yet to address it because they fear it will impact agile development. They don't want to slow down the CI/CD pipeline that is pumping out code to keep their business competitive. However, as the importance of DevSecOps continues to grow–especially if cyber insurers have it in their sights–we must find ways to integrate it into our existing security practices.
Prioritize, prioritize, prioritize
If you're unsure where to start, don't worry. You don't necessarily need to invest in new technology right away. Instead, take the time to do your due diligence and prepare for the challenge of solving the DevSecOps security problem.
By prioritizing these issues now, you'll be better prepared for when your insurer evaluates your DevSecOps practices. This can take time, but it's important to have a solution in place to avoid losing your insurance coverage. Ideally, that solution is a natural extension of your existing PAM platform to reduce friction when deploying and incorporating it into existing PAM processes.
Cyber insurance is not prescriptive
It's worth noting that cyber insurance is unique to each case and is not consistent across companies, industries, or risk profiles. However, by taking a proactive approach to cybersecurity and DevSecOps, you'll be better equipped to navigate this complex landscape. Organizations cannot look to their competitors and assume their cyber insurer will be more, less, or as demanding.
If your organization employs any sort of DevOps, you need DevSecOps solutions. A quick Google search will bring up shocking examples of breaches caused by credentials lifted directly from code—the danger is very real. The sooner organizations implement DevSecOps solutions, the more secure they will be from breaches and the better prepared they will be when cyber insurers start requiring these measures to be implemented.
Last but certainly not least, we as people are victims in all these breaches, and DevSecOps greatly enhances the protection of our money, data, and digital assets.