Want to dodge a data breach? Do DevOps and let developers work from home, says Google


DevOps, which brings faster software updates, could help prevent the avalanche of records exposed in data breaches, but Google research reveals that existing practices fall short of the task at hand.

As part of its annual Accelerate State of DevOps report, Google surveyed 33,000 technology professionals to explore the impact of DevOps, which broadly means aligning software development with IT operations, on cybersecurity. As the report notes, more than 22 billion records were exposed in 2021 across 4,145 publicly known breaches.

The report comes as Australian telecommunications company Optus handles the fallout from a massive breach that exposed the personally identifiable information (PII) of nearly 10 million residents after an attacker walked through an application programming interface (API) on a cloud-hosted endpoint that required no password to access.

Google’s investigation focused on software supply chain security – a security area that received a lot of attention after the SolarWinds attack in 2020 and the Log4Shell open source flaw this year. These two cases have changed the way the technology industry manages software development processes and uses components, such as libraries and language packages in other products and services.

DevOps aims to accelerate software releases while maintaining quality and is increasingly focused on security updates. But what has changed since the SolarWinds and Log4Shell flaws?

To assess this, Google used its own take on the software bill of materials (SBOM) concept, which the White House in 2021 asked US federal agencies to adopt: Supply-chain Levels for Software Artifacts (SLSA).

One of Google’s key ideas is that for large open source projects, two developers should cryptographically sign changes to the source code. This practice would have prevented state-sponsored attackers from compromising SolarWinds’ software build system by installing an implant that injected a backdoor with each new build. Google also used NIST’s Secure Software Development Framework (SSDF) as a benchmark in the survey.

Google found that 63% of respondents used application-level security scanning as part of continuous integration/continuous delivery (CI/CD) systems for production releases. It also found that most developers preserved code history and used build scripts.

This is a reassuring trend, even though less than 50% practiced two-person reviews of code changes and only 43% signed metadata.
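The two-person signing rule described above is easy to state but has edge cases a CI gate must handle: the same developer signing twice, a signer whose key is not in the trusted set, an untrusted key claiming a trusted identity, and a signature made over a different change. The following Go program is an added illustration, not code from the article or from the SLSA project; it models a change as a SHA-256 digest, lets developers sign it with Ed25519 keys, and accepts the change only when at least two distinct trusted developers have validly signed that exact digest. All names, keys and change contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signature is one developer's Ed25519 signature over a change digest.
type Signature struct {
	SignerID string
	Sig      []byte
}

// Policy lists the trusted developer keys and how many distinct trusted
// developers must have signed before a change is accepted.
type Policy struct {
	Trusted    map[string]ed25519.PublicKey
	MinSigners int
}

// DigestOf returns the SHA-256 digest that signers commit to. In a real
// pipeline this would be the commit or artifact hash; here it is computed
// over constructed content.
func DigestOf(content []byte) []byte {
	h := sha256.Sum256(content)
	return h[:]
}

// VerifyChange counts distinct trusted developers with a valid signature over
// digest. Signatures from unknown keys, invalid signatures and repeated
// signatures from the same developer are not counted.
func (p Policy) VerifyChange(digest []byte, sigs []Signature) (int, bool) {
	seen := make(map[string]bool)
	for _, s := range sigs {
		pub, ok := p.Trusted[s.SignerID]
		if !ok {
			continue // key not in the trusted set: ignore
		}
		if !ed25519.Verify(pub, digest, s.Sig) {
			continue // bad signature, or a signature over a different digest
		}
		seen[s.SignerID] = true
	}
	return len(seen), len(seen) >= p.MinSigners
}

// Sign produces a developer's signature over a digest.
func Sign(id string, priv ed25519.PrivateKey, digest []byte) Signature {
	return Signature{SignerID: id, Sig: ed25519.Sign(priv, digest)}
}

// Scenario exercises the policy against constructed cases and reports which
// ones pass the two-person rule.
func Scenario() map[string]bool {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, mallPriv, _ := ed25519.GenerateKey(rand.Reader) // key not in the trusted set

	policy := Policy{
		Trusted:    map[string]ed25519.PublicKey{"alice": alicePub, "bob": bobPub},
		MinSigners: 2,
	}
	change := DigestOf([]byte("constructed change: fix input validation in api handler"))
	other := DigestOf([]byte("constructed change: an unrelated commit"))

	results := make(map[string]bool)
	_, results["two_distinct_developers"] = policy.VerifyChange(change, []Signature{
		Sign("alice", alicePriv, change), Sign("bob", bobPriv, change)})
	_, results["same_developer_twice"] = policy.VerifyChange(change, []Signature{
		Sign("alice", alicePriv, change), Sign("alice", alicePriv, change)})
	_, results["second_signer_untrusted"] = policy.VerifyChange(change, []Signature{
		Sign("alice", alicePriv, change), Sign("mallory", mallPriv, change)})
	// An untrusted key claiming a trusted identity fails signature verification.
	_, results["impersonated_identity"] = policy.VerifyChange(change, []Signature{
		Sign("alice", alicePriv, change), Sign("bob", mallPriv, change)})
	// Bob's signature covers a different change than the one being built.
	_, results["signature_over_other_change"] = policy.VerifyChange(change, []Signature{
		Sign("alice", alicePriv, change), Sign("bob", bobPriv, other)})
	return results
}

func main() {
	for name, ok := range Scenario() {
		fmt.Printf("%-30s accepted=%v\n", name, ok)
	}
}
```

The point of counting distinct signer identities rather than raw signatures is that the control exists to make a single compromised account insufficient; a build system that merely checked "two signatures present" would be satisfied by one developer signing twice, which is the failure the rule is meant to rule out.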

“The software supply chain security practices embodied in SLSA and SSDF are already seeing modest adoption, but there is ample room for more,” the report concludes.

Staff satisfaction can also affect security outcomes. Google found that employers who gave their staff the option of hybrid working performed better and suffered less from burnout.

“Results showed that organizations with higher levels of employee flexibility have superior organizational performance compared to organizations with more rigid working conditions. These results prove that giving employees the freedom to change their working conditions as needed has tangible and direct benefits to an organization,” Google notes.

Google waded into murkier territory by using respondents' predictions as a gauge of how working styles affect future failures: it asked them to estimate the likelihood of a security breach or complete outage occurring in the next 12 months.

People working in “high performing organizations were less likely to expect a major error to occur,” Google said.
