Security is the biggest challenge facing any IT professional. With so many types of attacks, DevOps security (also known as DevSecOps) is becoming increasingly important as hackers evolve their tactics to crack into companies, steal data, and cause disruption.
What is DevOps? And what is DevSecOps?
Every developer should be familiar with DevOps. Its sole purpose is to improve collaboration between development and operations teams by building and automating a continuous delivery pipeline, which enables organizations to deliver new applications and services faster.
But what’s the difference between DevOps and DevSecOps? According to ZDNet, both attempt to achieve better results through greater operational focus and communication; the one difference is that the DevSecOps framework emphasizes security.
Why DevOps security is important
Developers are always under pressure to shorten the development life cycle and release updates and improvements frequently, which opens the possibility for more security vulnerabilities to creep into the code. DevSecOps addresses this by integrating security practices into each phase of the DevOps lifecycle.
With speed seen as the driving force of DevOps and security often forgotten or ignored, it’s no surprise that there has been a rise in security breaches. According to a Threat Stack report, 52% of businesses sacrifice security for speed. The research also highlights:
- 68% of cybersecurity professionals are told by their CEOs not to slow the company down
- 52% cut back on security measures to meet a deadline or objective
- 57% of operation teams don’t follow security best practices
As more businesses look to incorporate security throughout the entire DevOps lifecycle, following best practices is critical so that DevSecOps becomes a benefit rather than a barrier to your developers' productivity. But how do you achieve this without hindering speed and agility?
We asked IT experts for their views on improving the DevSecOps pipeline. Here’s what they said:
1. Identify tools to optimize your DevOps performance
Building a solid pipeline that contributes to the culture of security with buy-in from stakeholders is the key to a good DevOps strategy. Automation tools today make this easier, as they require little to no human intervention while helping you meet DevOps requirements. These systems also help to minimize the errors and time required to ensure compliance. Some examples? We use TeamCity for continuous delivery, SonarQube for static analysis, Burp for vulnerability testing, Selenium Grid for dynamic analysis, and many others. Identifying a good suite of tools to optimize your overall DevOps performance and connecting all of those tools together in a secure system is absolutely paramount.
Andre Borrelly – VP DevOps at IdeaScale
2. Review your manual security and testing processes
DevOps has been a huge improvement over traditional development and deployment pipelines - allowing faster iteration times and more frequent feature releases. And while you want to deliver new features to your users at unprecedented speed, you need to make sure you aren’t creating new security vulnerabilities at the same pace. Automate the proper checks - code analysis for your own code and third-party packages and active scans of your systems. You must also ensure significant new architectural changes are reviewed and approved with appropriate rigor, which possibly can’t be automated. In other words, know when to insert some manual security review and testing into your process - and make sure the whole team knows when to do so as well.
Tim Platt, Executive VP of Technology at Lunar
3. Shift security practices 'to the left' of the development lifecycle
Effective DevSecOps demands that security practices be “shifted to the left” of the product development lifecycle and integrated into each stage of development to identify and address security issues earlier and more cost effectively than is possible with a traditional, more reactive security approach. This new proactive testing paradigm engages security at the outset of the development process, empowers developers with effective tools to identify and remediate security findings and ensures that only secure commits are ultimately pushed to the code repository.
Swapnil Deshmukh – CTO at Certus Cybersecurity Solutions LLC
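One concrete form of the "only secure commits reach the repository" gate described above is a pre-commit or CI step that scans the diff a commit introduces. The following is an added example, not code from the original article or from any of the contributors' companies: it walks a unified diff, inspects only the added lines, and reports matches for a few narrow secret patterns (an AWS-style access key id, a PEM private-key header, and a credential-like name assigned a quoted literal). The sample diff, the rule set and the file name are constructed for illustration; the AWS key id in it is the documented AWS example value, not a live credential.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample diff (not from any real repository): a developer replaces an
# environment lookup with a literal password and adds an AWS-style access key id
# (the id below is the documented AWS example value, not a live credential).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter2"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 DEBUG = False
"""

# Detection rules, kept deliberately narrow so the gate stays quiet on ordinary code.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    # A credential-like name assigned a quoted literal of four or more characters.
    ("hardcoded-credential",
     re.compile(r"(?i)(?:password|passwd|secret|api_key|token)\s*[:=]\s*['\"][^'\"]{4,}['\"]")),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# (path in the new tree, line number in the new file, rule that fired)
Finding = Tuple[str, int, str]


def scan_diff_for_secrets(diff_text: str) -> List[Finding]:
    """Walk a unified diff and report added lines that match a secret rule.

    Only '+' lines are inspected: the gate judges what this commit introduces,
    while secrets already in the tree belong to a separate repository-wide scan.
    """
    findings: List[Finding] = []
    current_file = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\")):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed line: it does not exist in the new file
        if raw.startswith("+"):
            content = raw[1:]
            for name, pattern in RULES:
                if pattern.search(content):
                    findings.append((current_file, new_line, name))
        new_line += 1  # context and added lines both advance the new-file counter
    return findings


def gate(diff_text: str) -> int:
    """Exit status for a pre-commit or CI step: 0 to allow, 1 to block."""
    findings = scan_diff_for_secrets(diff_text)
    for path, line, rule in findings:
        print(f"{path}:{line}: {rule}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Typical wiring (an assumption, not a project convention):
    # `git diff --cached | python secret_gate.py` from a pre-commit hook.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    sys.exit(gate(text))
```

Scanning only added lines keeps the gate fast and keeps the blame with the commit that introduced the problem; the same rule set can run again in CI so a bypassed local hook is still caught before merge. Narrow patterns are a deliberate trade: a gate that blocks too often gets disabled.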
4. Monitor compliance, security processes and policies with automated mechanisms
When implementing security into the DevOps lifecycle, it’s important to have automated mechanisms that will monitor that the compliance and security processes and policies are being kept. DevOps teams are a valuable resource, but studies show Basis teams spend more than 50% of their time on repetitive tasks that can be automated, like system installation, best practice configuration, and monitoring. DevOps automation allows the team to focus on root cause analysis, improving systems and processes, and storing institutional knowledge.
We've seen cases where, for example, after an SAP upgrade, people left the default password, practically leaving the system exposed. Having a solution that will notify the DevOps team in real time on such an issue will minimize the risk.
Irit Gillath – VP Marketing at Syslinks Xandria
5. Close the gap between DevOps and security
Many security teams don’t understand how automated modern pipelines can be, and why it’s so critical to their success. Traditionally, security can be a roadblock slowing the pace of development, but in the new DevSecOps culture the entire team can be part of the automated process. Dev and DevOps want to move quickly, but know little about application and network security. As security “shifts left” to them, it can initially be frightening to hold responsibility for helping to prevent major data breaches and exploits of their applications.
To close the gap between DevOps and Security, security teams should learn more about new methods for deploying applications (including security products) using Docker and Kubernetes, in order to better understand how powerful they are. Similarly, teams should learn the basic reasons why security teams need network and application visibility, and brainstorm how to provide these most efficiently within a container pipeline process.
Glen Kosaka – VP of Product Management at NeuVector
6. Automate right from the start!
To integrate security into DevOps projects correctly, an IT Department Lead should ensure the security practices in place - starting from the planning stage of the project - automate dynamic application security testing as well as static application security testing, and any other security tests that can be automated.
There’s no need to hire additional security specialists for the task. Instead, appropriate security training for the existing development and operations team members should be provided and security-related responsibilities split between them, e.g. the Ops team members focus on the infrastructure-as-code and endpoint protection, while the developers ensure the code security.
Andrei Lipnitski – ICT Department Manager at ScienceSoft
7. Combine automation and security to achieve cyber resilience
Software has to be developed and commercialized at an ever-increasing pace – but with fewer vulnerabilities that can cause problems in production. The requirement is for automated binary security that can be easily applied to the cloud as well as to container orchestration tools. In today’s connected, distributed, virtualized computing environments, it’s rational to assume that networks will be breached. Incorporating tools that scramble binaries, vary the attack surface/code layout, and randomize each function in the build tool chain can protect both hardware and software. Specifically, combining automation with security is the best way to achieve cyber resilience because it:
- Addresses the need for proactive security rather than reactive remediation following a data breach or malware attack
- Provides the ability to detect and fix security issues earlier in the development process, which reduces the cost of identifying and correcting them
- Enables the implementation of security through the entire continuous integration/continuous delivery (CI/CD) pipeline
- Allows for speed of delivery and compliance at scale
Runtime Application Self-Protection (RASP) is a security technology that uses runtime instrumentation to detect and block cyberattacks by employing information from inside the running software. RASP techniques close the gap left by application security testing and network perimeter controls, neither of which has enough insight to prevent vulnerabilities from slipping through the review process or to block new threats.
Joe Saunders – Founder & CEO of RunSafe Security
8. Get the right balance between security and coding
Cloud and serverless environments have made application development and management easier and more efficient. Consequently, this has also created new security threats and attack methods. Previously, developers would build their applications and pass them along to AppSec teams for testing and clearance, slowing deployment. Because the speed of business has drastically increased, organizations can no longer afford to wait on AppSec to come up to speed on new coding practices while also staying on top of security threats. Serverless technologies have changed AppDev practices, and that is why, in order to stay ahead, security teams need to know code.
As security people, we need to engage with the application, not avoid it. We need to understand what happens inside the application, so we can protect ourselves from risk. Security teams need to understand the ramifications of design and programming language choice. They need to be able to do security code reviews with developers. They need to be able to properly configure security tools based on this information, and prioritize risks based on where they are in the code and how likely they are to be exploited.
In short, security can no longer avoid code. Honestly, this is a good thing. Security will become much more effective when it becomes code centric. At the same time, if you hire a bunch of developers to handle your security, you’re going to be in for a rude awakening. Just because doing security well requires understanding the mindset and world of a developer, does not mean that all the collective wisdom we’ve amassed on how to do security goes out the window. You need both in order to have balance.
Hillel Solow – CTO and cofounder at Protego Labs
9. Entrust your developers
In today’s marketplace, agility of software development and delivery has become hugely important, and DevOps culture is the heart of this, emphasizing frequent releases, highly automated (and often remote) build processes, constant configuration, and distributed teams. This cross-environment work requires the development teams to have abundant and frequent system-level trusted access to the corporate core platforms.
Providing this requires the ability to secure, monitor, control, and audit the connectivity into sensitive data and systems; something that has been in place and optimized in a traditional software environment for years. But, herein lies a major pitfall: traditional security systems are often ill-suited for the modern DevOps world’s daily, even hourly, software redeploys via automated CI/CD pipelines into highly elastic cloud environments.
Managing the lifecycle of hundreds or thousands of access identities over time creates unmanageable complexity, which increases the risk of misconfigured and unmanaged, untracked access. It also means admins, developers, and expensive consultants are either constantly managing or waiting for access instead of doing productive work.
To overcome these challenges, managing privileged access must be scalable, lean, and rapid to deploy. It must simplify life for administrators by automating manual routines and eliminating tasks like the frequent updating, installing, or configuration of software on clients and hosts. Most importantly, it must empower developers and third parties to gain access to critical resources without having to slow down. Privileged business users already get to enjoy the convenience of single sign-on access, so it is time to offer the same user experience for privileged IT users as well. The solution is a lean, zero-trust access management solution that offers automated role-based access control to manage access for privileged users to hybrid and multi-cloud resources in development, as well as in production environments that demand speed and elasticity.
Markku Rossi – CTO at SSH.com
10. Enforce security throughout the CI/CD pipeline
DevOps is often viewed as the ultimate way to be agile. Release quickly, get feedback, fail fast, iterate continuously - and you will get ahead of your competition and have the best product in the market.
In reality, this leads to disastrous results when it comes to security. Engineers go all-in into microservices architectures; the APIs of these services are viewed as an implementation detail, the overall product becomes popular and gets traction, and then attackers find flaws in API design and implementation and take advantage of the application and customer data.
The solution is to stop treating DevOps as the opposite of careful security design. While fast iteration of features in DevOps is indeed helping products evolve faster, it is imperative that security gets enforced on each and every iteration. Iterate on scope but not on security.
It’s totally fine to start with just one microservice with a simple method or two - but make sure that this simple API is bulletproof: carefully designed to do only what it is supposed to do, accept only the payloads it is supposed to accept, respond only with the data your users need, with proper authentication and authorization.
Get that security enforced all along the CI/CD pipeline: from static analysis of the API contract, to API implementation, to runtime protection with a gateway or API firewall. Then iterate on the next methods for that microservice or other microservices.
Thus, DevOps becomes DevSecOps and security is not compromised while the company successfully.
Dmitry Sotnikov – Vice President of Cloud Platform at 42Crunch
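The "bulletproof simple API" described above, with a strict request contract, a response that carries only what the user needs, and authentication plus authorization on every call, can be shown in a few dozen lines without any framework. The following is an added example, not code from the original article or from 42Crunch: the token table, the order records, the scopes, the field names and the bounds are all constructed stand-ins for an identity provider and a database. It also goes one step past the quote by enforcing object-level authorization (a caller may only read orders they own) and by rejecting a boolean where an integer is expected, two failure modes that a type check alone misses.

```python
import hmac
import json
from typing import Any, Callable, Dict, Optional, Tuple

# Constructed stand-ins for an identity provider and a database (not a real service).
# Bearer tokens map to a principal and the scopes that principal was granted.
TOKENS: Dict[str, Dict[str, Any]] = {
    "tok-reader-1": {"sub": "alice", "scopes": {"orders:read"}},
    "tok-writer-1": {"sub": "bob", "scopes": {"orders:read", "orders:write"}},
}
# Stored records carry more than a caller should ever see.
ORDERS: Dict[int, Dict[str, Any]] = {
    17: {"id": 17, "owner": "alice", "sku": "WIDGET-9", "qty": 2,
         "card_last4": "4242", "internal_margin": 0.31},
}

# Request contract: exactly these fields, these types, these bounds.
Schema = Dict[str, Tuple[type, Callable[[Any], bool]]]
CREATE_ORDER_SCHEMA: Schema = {
    "sku": (str, lambda v: 1 <= len(v) <= 32 and v.isascii()),
    "qty": (int, lambda v: 1 <= v <= 100),
}
# Response contract: only what a customer needs; internal columns never leave.
ORDER_RESPONSE_FIELDS = ("id", "sku", "qty")

Response = Tuple[int, Dict[str, Any]]


def authenticate(headers: Dict[str, str]) -> Optional[Dict[str, Any]]:
    """Resolve a bearer token to a principal, comparing in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, principal in TOKENS.items():
        if hmac.compare_digest(token.encode(), presented.encode()):
            return principal
    return None


def validate_payload(body: Any, schema: Schema) -> Optional[str]:
    """Return an error message, or None when the body matches the schema exactly."""
    if not isinstance(body, dict):
        return "body must be a JSON object"
    unknown = set(body) - set(schema)
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"
    for field, (expected_type, is_valid) in schema.items():
        if field not in body:
            return f"missing field: {field}"
        value = body[field]
        # type() rather than isinstance(): bool is a subclass of int and must not pass as a quantity
        if type(value) is not expected_type:
            return f"field {field} must be {expected_type.__name__}"
        if not is_valid(value):
            return f"field {field} out of range"
    return None


def create_order(headers: Dict[str, str], raw_body: str) -> Response:
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if "orders:write" not in principal["scopes"]:
        return 403, {"error": "forbidden"}
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "malformed JSON"}
    error = validate_payload(body, CREATE_ORDER_SCHEMA)
    if error:
        return 400, {"error": error}
    new_id = max(ORDERS) + 1
    # The owner comes from the verified token, never from the request body.
    ORDERS[new_id] = {"id": new_id, "owner": principal["sub"], **body,
                      "card_last4": None, "internal_margin": None}
    return 201, {k: ORDERS[new_id][k] for k in ORDER_RESPONSE_FIELDS}


def get_order(headers: Dict[str, str], order_id: int) -> Response:
    principal = authenticate(headers)
    if principal is None:
        return 401, {"error": "unauthenticated"}
    if "orders:read" not in principal["scopes"]:
        return 403, {"error": "forbidden"}
    order = ORDERS.get(order_id)
    # Object-level authorization: a valid token is not enough, the caller must own the record.
    # A uniform 404 avoids confirming that someone else's order id exists.
    if order is None or order["owner"] != principal["sub"]:
        return 404, {"error": "not found"}
    return 200, {k: order[k] for k in ORDER_RESPONSE_FIELDS}
```

The schema dictionary is the piece that belongs in the pipeline: the same contract that the handler enforces at runtime can be checked statically against the published API description in CI, and a gateway or API firewall in front of the service can reject out-of-contract payloads before they reach the code. Adding the next method then means adding one more schema entry and one more scope, not reopening the security design.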