DevOps is an increasingly popular approach to software development that, as the name suggests, melds together the previously separate roles of software development and IT operations. DevOps teams collaborate to continuously build, release, and manage software in faster and more frequent cycles. While many organizations have embraced this integrated approach for development and operations, they are often slow to include security within this framework.
Security should be baked into every stage of the software development lifecycle (SDLC), in an agile approach sometimes known as DevSecOps. Organizations can use a combination of technology, policies, and procedures to secure the DevOps environment from the design stages, through building and testing, to release and maintenance.
DevOps security relies on collaboration between departments, who share responsibility for implementing security practices at every step. Teams should ensure that their software is reliable and that data is protected, and they must comply with governance and incident management protocols. Continuous monitoring, testing, and automation help speed the process, but the real secret to improved security for DevOps is communication.
DevOps Security Challenges
A variety of technical and cultural factors impact application security. However, challenges for security in DevOps often stem from the conflict between the differing goals of developers and security teams. Developers aim to push their software through the pipeline as quickly as possible, while security teams emphasize the elimination of flaws, which can slow development down.
Security Teams Struggle to Keep Up With the Pace of DevOps:
DevOps focuses on speed, with very short development cycles. It can take much longer to review code than it did to produce or update it. Security is often sacrificed for the sake of speed, allowing misconfigurations, unresolved vulnerabilities, and other flaws to remain and exposing the software to breaches or malfunctions.
DevOps Teams Neglect Security:
A particularly challenging obstacle to combat is the widespread cultural resistance to security and testing. This is because developers and operations teams view security as a nuisance that gets in their way and slows down the development process. However, retroactive fixes ultimately take more time and effort. Addressing security issues earlier in the pipeline reduces technical debt and is well worth the initial delay in the SDLC.
Tools Come With Their Own Risks:
DevOps typically relies on cloud infrastructure, as well as open-source or immature tools. Some tools can dramatically increase productivity, but they can also carry potential risks for DevOps environments. For example, containers are a portable packaging platform for applications that can run on virtually any computer or cloud, but the lack of visibility into containers makes it difficult to scan them for vulnerabilities.
Inadequate Controls Provide an Opening for Attack:
DevOps environments often require controls for privileged access and secrets management. Both people and automated tools rely on privileged secrets such as API access tokens and account credentials to do their work while keeping data confidential. If you don't adequately manage your secrets, or if your access controls are loose, they can provide an opening that attackers can exploit to steal data, disrupt operations, and gain control of your IT infrastructure.
Security Practices for DevOps
You can incorporate tools and practices into your DevOps process to ensure that your application is secure.
Adopting a DevSecOps Model:
Cross-functional collaboration is the key to effectively integrating security into the entire DevOps lifecycle. This requires a culture in which everyone takes responsibility for adhering to security practices. You can train security and other professionals to acquire new skills and to imbue them with the DevSecOps ethos. Security teams should be able to write code and work with APIs, while developers should be able to automate security tasks.
Security policies and governance are essential for ensuring the consistent management of security risks. You should establish a clear, easy-to-understand set of policies and procedures for cybersecurity functions like access controls, configuration management, code review, vulnerability testing, and firewalling. All personnel should be familiar with these security protocols, and you should maintain operational visibility so you can keep track of compliance.
You can automate many of your tools and security processes. This will help scale and speed up your security operations to keep up with the pace of the DevOps process. Configuration management, code analysis, vulnerability discovery and fixes, and privileged access should all be automated. Without automation, it is difficult to perform comprehensive discovery to identify vulnerabilities and other potential threats. Automation mitigates human error and saves time, allowing developers and security teams to focus their energies on other efforts.
You should have a system in place to scan, assess, and remediate vulnerabilities throughout the SDLC, and to ensure that all code is secure before deployment. Offensive techniques like penetration testing identify weaknesses so you can fix them. After deployment, security teams should continue to run tests to identify vulnerabilities and other issues so they can apply the necessary patches.
It is important to monitor and control access. You should limit privileged access rights to reduce the avenues for attack. For example, you can remove administrator privileges on end-user devices and set up a check-out workflow for privileged credentials. You can also restrict access for developers and testers to specific areas. You should also make sure that privileged credentials are stored safely, and you should monitor privileged sessions to verify that all activity is legitimate.
All too often, security is an afterthought for DevOps teams. This is due to a lack of appropriate skills and tools, combined with impatience and reluctance to take responsibility for security. However, embracing security as an integral part of the DevOps process helps ensure the consistent quality of your software with each release, and saves you the headache of technical debt.
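As an added example (not code from the original post), here is a small pre-deployment gate of the kind the secrets-management and scan-before-deploy practices above call for: it scans a checked-out source tree for hardcoded credentials and reports findings so the pipeline can refuse to deploy. The detection rules, the entropy threshold and the sample files are constructed for illustration; the sample key values are made up.

```python
# Added example (not from the original post): a pre-deployment gate that fails
# the pipeline when committed source contains hardcoded credentials.
import math
import re
from collections import Counter

# Signature rules: well-known token formats plus generic secret assignments.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per suspicious line. A generic assignment is only
    reported when its value looks random, so placeholders such as 'changeme'
    or '${DB_PASSWORD}' (injected from a vault at deploy time) pass."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            if rule == "generic_secret_assignment":
                value = m.group(2)
                if value.startswith("${") or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings

def gate(files: dict) -> tuple:
    """Scan every file; returns (ok, findings) where ok=True allows deployment."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings, findings)

# Constructed sample repository snapshot; the values are made up, not real keys.
SAMPLE_REPO = {
    "config.py": "DB_PASSWORD = '${DB_PASSWORD}'\nAPI_KEY = 'q8Zt3kLp0vXc92mNwR7s'\n",
    "deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n",
    "README.md": "password = 'changeme'\n",
}
```

In a pipeline, run gate() over the checked-out tree and turn a False result into a non-zero exit status so the deploy step is blocked; the two findings in SAMPLE_REPO (the high-entropy API_KEY and the AKIA-style key) are exactly the cases a check-out workflow with a vault is meant to remove from source.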
This post on DevOps Security is from guest author Limor Wainstein.