DevSecOps – How to Be Swift and Secure
November 16, 2018 | by Krittika Banerjee | Posted In DevOps
While a growing number of organizations continue to implement, expand, and perfect their DevOps game, the focus on speed to market at the expense of security is making them increasingly vulnerable to the risk of cyberthreats and data breaches. The risks of security missteps remain real, immediate, and extremely costly, as demonstrated by the recent HBO hack that led to the leak of two episodes of its widely popular show ‘Game of Thrones’, or the massive security breach at Equifax exposing the sensitive personal information of 143 million Americans. It is becoming clear that a secure DevOps process is critical to the business of software creation and launching.
Now there’s a movement to put security on an equal footing in a triad with the development and operations pieces, enabling teams to not only deliver high-quality products but to deliver more secure products at the velocity that customers demand — what is being referred to as DevSecOps. Gartner has named DevSecOps one of their fastest-growing areas of interest in IT, and predicts that DevSecOps will be embedded into 80 percent of rapid development teams by 2021, up from 15% in 2017.
Why is DevSecOps important?
Let’s delve into some of the reasons why your business should be exploring DevSecOps, the nature of security risks inherent in DevOps processes and best practices for making a shift to a DevSecOps approach.
IT infrastructure and culture have undergone huge changes in recent years. Traditional security methods, which tend to be more bureaucratic, monolithic and ‘one size fits all’, are no longer adequate to address the security challenges compounded by many aspects of DevOps:
- High-velocity IT leaves security teams flat-footed: DevOps outfits push and modify batches of code over extremely short time frames (hours or even days), which may far outpace the speed at which security teams can keep up with code review, vulnerability scanning etc. This can be a major challenge for security and compliance.
- DevOps and cloud environments: The cloud plays a big role in many organizations’ DevOps stories and vice versa. In such dynamic environments that operate at huge scale, even a simple misconfiguration error or security malpractice, such as sharing of secrets (APIs, privileged credentials, SSH keys, etc.) can be amplified, leading to widespread operational dysfunction and countless exploitable security vulnerabilities.
- The use of containers: Vulnerabilities, misconfigurations and other weaknesses in containers can spawn new security headaches. A study by ThreatStack reveals that a whopping 94% of respondents indicate that containers pose negative security risks for their organizations.
- Privilege exposures: A typical DevOps environment consists of myriad tools, is highly interconnected and rapidly evolving. Privileged account credentials, SSH Keys, APIs tokens, etc., may be tampered with in the absence of adequate security controls. Various orchestration, configuration management, and other DevOps tools may also be granted vast privileges, and result in a hacker or piece of malware gaining full control of the organization’s infrastructure and data.
Past attitudes of delegating security to specialized teams placed at the end of the development cycle can be an obstacle in dealing with modern security challenges. Security needs to be built into the foundations of DevOps, fully integrated into your software development pipeline from the very beginning, so your teams can share feedback continuously and address security issues as they arise, rather than at the end of the lifecycle. The practice of DevSecOps views “security as code,” and is a process by which security is integrated into every aspect of the DevOps lifecycle, starting from inception, design, build and test to release, maintenance, support and beyond. It pulls in the information security team to collaborate along with the application development and IT operations team. With all three teams working together, it’s easier to build security controls into the deployment pipeline, reduce delays and flaws that result when an enterprise treats security as an outside entity, siloed from the development process.
How to go from DevOps to DevSecOps?
Turning DevOps into DevSecOps isn’t as simple as merely adding a security team. It involves incorporating security as part of every team and process. Here are some tips on the key areas to focus on keeping in mind the challenges that come with such a transition:
- Get everyone on the same page: DevSecOps is about enabling everyone on the DevOps team — whether on the dev or ops end — to be the best security practitioners they can be. The goal is to make security an essential part of the DevOps culture and enable joint ownership of issues as they arise. Dev and security teams can’t pass the buck when it comes to securing modern infrastructure.
- Every developer and operations hire should be trained on the basics of secure coding practices and the most common security mistakes at the beginning of their tenure. Similarly, security engineers should have a table with cross-functional DevOps teams from the beginning, even in the planning stages. For instance, if your security engineers can participate when DevOps teams are planning their minimum marketable features (MMFs), they can contribute by building threat models at the feature or service level. The pressure to get projects out on time can lead to risky shortcuts even for organizations that normally take security seriously—and this is when security awareness at this level will yield returns, forcing your team to think through security implications in the midst of rapid commits and releases, or nudging them to halt deployments for penetration testing.
- Shift security left: As mentioned earlier, security needs to shift left or start from the early stages of your DevOps processes. Injecting code analysis tools and automated penetrating tests earlier in the development process makes it possible for organizations to capture and eliminate security flaws at every step of the development process and also provides feedback about vulnerabilities as soon as they appear. This up-front security work cuts down the risk of costly and time-consuming mistakes later in the cycle.
- Create transparent policies: Enforcing effective policy and governance is critical in creating an alignment between different teams. The collaboration between teams needs to be properly considered when policy is laid out. For instance, is the security element thoroughly discussed when you are treating your infrastructure as code? Organizational policy should also cover various other aspects such as, the acceptable cloud deployment practice/model, the data types that can/cannot migrate to the cloud, compliance requirements etc.
- Automate security: You cannot match the speed of security to your DevOps processes without automation. With the use of automated security tools for code analysis, configuration management, patching and vulnerability management, and privileged credential / secrets management, you can mitigate the risk arising from manual errors, and also reduce the associated vulnerabilities.
- Bear in mind that zero risk is impossible: It is important to bear in mind that the pursuit of perfection can be detrimental to the speed of DevOps and digital business. There is no such thing as perfect security. Organizations must therefore focus on adopting a risk-adaptive approach that ensures continuous visibility and assessment of vulnerabilities, so that their security and compliance posture can be continually adapted as required, and the right actions taken at any given point. This is what Gartner refers to as “continuous adaptive risk and trust assessment” or CARTA.
A shift to DevSecOps won’t be quick, easy and organic. It requires a mindset shift to stop looking at security as one-time gating and reimagine it as a continuous security assurance process, which is integrated from the beginning of the development timeline and assessed with each new iteration. There must be organizational commitment all the way to the top to dedicate time and money to develop security awareness at every level, invest in the right security tools, arrange for the appropriate level of staff training and implement as much automation as possible. You can start by fully understanding your current processes and lifecycle. Where are the gaps and shortcomings in relation to integrating security? Is there a champion in the organization who can understand this? And more importantly, are they empowered to act and help enable change? Once these basics have been addressed, it’s about acting on them. As with anything, the actual implementation will determine how effective the transition is.
If you haven’t already begun the process, the time is now to merge your security goals with DevOps. Contact us and let us help you understand its benefits, challenges, and best practices, and choose the right approach to making security a bigger focus in your organization.