Have You Tackled the Tricky Problem of DevOps and Security Yet?
February 12, 2019 | by Krittika Banerjee | Posted In DevOps
The speed vs security conflict between DevOps and IT security teams is well known. Security has long been thought of as the group that too often puts up roadblocks that prevent developers from getting more done in less time. At the same time, the perception that DevOps teams and their continuous deployments are a threat to security and compliance may still linger with traditional IT security. Can the integration of DevOps and security be done in a way that limits struggles and promotes true collaboration, while actually enhancing both security and agility in the process? The answer is yes — and the key is DevSecOps. The DevSecOps approach allows for security to be fully integrated into your software development pipeline from the very beginning, so your teams can share feedback continuously and provide resolution for software flaws along the way.
Fast-tracking DevOps security — THREE Key Components
While there is no single recipe for integrating security into DevOps processes, a few critical components are necessary for DevSecOps to take hold:
1. Automate and continuously assess your security vulnerabilities
One of the key tenets of the DevSecOps approach is automation. Security controls and tests need to be embedded as early and often as possible, and throughout the development lifecycle, and they need to happen in an automated fashion before anything goes to production. The ability to incorporate automated testing as part of the SDLC — using methods such as static and dynamic code analysis, software composition analysis, and vulnerability and penetration testing — can go a long way toward improving the overall security of applications and cutting costs spent on dealing with flaws later on. It is also important to extend security controls to the handoff of code to the operations teams. Because this is often carried out in part by creating explicit rules of deployment — a concept known as configuration of code — security teams may find new checkpoints where important security needs can be verified and previously undetected errors or risks can be addressed.
Automated security is rapidly becoming a key practice in highly mature DevOps organizations. As a matter of fact, the fusion of DevOps and security goes in hand in hand. Many of the practices that are integral to DevOps — such as automated end-to-end workflows, emphasis on fast feedback loops, enhanced visibility, collaboration, and more — are conducive for integrating continuous security as a built-in component of your DevOps processes. By using an end-to-end automation and orchestration platform that can integrate with a wide range of security tools, DevOps organizations can ensure greater visibility and control over the entire SDLC, making the automated pipeline a “closed loop” process for testing, sharing feedback and addressing security concerns. The use of CI/CD tools like CloudBees Core™ is critical for enforcing secure best practices and governance at scale. It helps you set up a robust and secure CI/CD environment through complete automation of the development life cycle coupled with powerful pipeline integrations into various security scanning and testing solutions. The result: enhanced security, greater agility and faster releases.
2. Streamline your processes
While automation is certainly important, it is just as important to build well-defined processes and security requirements at the beginning. In a DevSecOps environment, there are too many interactions taking place to decipher without a unified approach for developing good security practices. For instance, if the minimum security requirements for a project are not defined during the design and architecture stages, it will impact the effective planning and integration of security controls and result in security controls being bolted on as an afterthought. Detailed security requirements must also focus on operations-specific issues at layers below the application, such as database setups, cloud versus on-premises configurations and integration with existing network security controls, to ensure proper oversight.
It is important to establish the desired baseline for security and create agreed and repeatable ways of working which are clearly documented to ensure transparency of security towards the rest of the business. One way to approach this is by creating KPIs based on standards for measuring reliability, security, performance efficiency and maintainability of software. This allows developers to see security as a feature that will be tested just like any other feature or requirement.
3. Instill a new culture of ownership
To enable effective DevSecOps practices, organizations need to transition from a culture where developers, QA and IT Ops are responsible for merely their corner in the pipeline to one in which teams across the development pipeline feel accountable for the code they produce. In other words, ownership of security must shift left. Since teams operate in their own silos, and have their own agendas and tasks, facilitating this culture change can be one of the biggest challenges.
Savvy organizations identify and appoint a “security champion” to serve as a role model and vulnerability watchdog during the period of transition. It makes sense to incorporate mentoring and coaching opportunities, wherever possible, so that vital security know-how can be disseminated across the team. Development and operations teams must be trained on the concepts of secure design and topics such as threat modeling, secure coding and security testing. Similarly, security engineers should have a seat with cross-functional DevOps teams, even in the initial stages when minimum marketable features (MMFs) are being planned, so that security can contribute by building threat models at the feature or service level. The goal is to make “security” less the function of an exclusive department and more a frame of mind across the organization to enable joint ownership of issues as they arise.
How do you get started?
As DevOps goes mainstream, the separation of development and security is no longer a viable approach. You can start with a targeted rollout, where you carry out an overall assessment of the risks in your organization and address the most important risk first by inserting automated security tools into the development pipeline. Keep working through all your security risks this way to make incremental improvements over time. Incremental improvements are a known benefit of any agile and DevOps organization, and DevSecOps is no different.
If you’re on the cusp of a DevSecOps initiative and you’d like more detailed information about incorporating security into your DevOps processes from the get-go, you can contact us.