DevOps Security at Scale
The goal of DevOps is to make IT agile and responsive in order to deliver continuous development and integration of software at scale and speed. DevOps unites two traditionally separate domains, IT development and IT operations, and aligns their corresponding processes to achieve continuous integration and delivery of software.
In order to achieve speed and scale, DevOps relies on automating as many parts of the app development lifecycle as possible. Its technical architecture is also built on cloud and container technologies that enable agile application development. These practices and tools are also what information security (InfoSec) leaders push back on, because they are concerned about the security vulnerabilities DevOps can present.
This tension has ushered in a cultural shift towards a security-first model known as DevSecOps. Just as IT development and operations were unified, DevOps has aligned with the InfoSec domain to safeguard the entire DevOps workflow, from strategy through security policy, process, and technology, at every stage of the DevOps lifecycle.
Secure with a DevOps Methodology
Shifting to a security-first model for software development involves a shift in mindset about security operations and practices.
Traditionally, security compliance checks on software happen at the deployment stage of the lifecycle. If the application passes security requirements, it is approved to operate. If not, it goes back to development to receive security patches that are often tacked on as afterthoughts. Following this method, one can see how traditional security check requirements would be counterproductive to DevOps.
Historically, DevOps has perceived security practices as a deterrent to its high-velocity development process. But contrary to that belief, embedding security into DevOps pipelines can address security flaws at the earliest stages of the DevOps process. This can be more time- and cost-effective than retroactively fixing non-compliant code or responding to a security breach.
According to Alan Shimel, an infosec expert and editor-in-chief at devops.com, “DevOps offers security groups a real chance to introduce security earlier in the development cycle so they can address issues earlier.”
Shimel indicates that the software development lifecycle is a left-to-right process. It starts with planning, then moves through coding, testing, and releasing, and ends with deployment and monitoring. Traditionally, security enters near the deployment phase and is typically patched onto the code rather than being built in as an integral part of the software from the beginning. Shimel says:
Injecting code analysis tools and automated penetrating tests earlier in the development process makes it possible for organizations to identify and eliminate security issues at every step of the development process.
Strengthening Security with DevSecOps
Traditionally, DevOps has been viewed as a risk by InfoSec teams, with its increased velocity of software releases seen as a threat to governance and security and regulatory controls (which, by the way, often require the separation of duties, rather than the breaking of silos).
To secure DevOps automation, and still enforce the need for agility, consider the following DevOps security practices and technologies:
- Adopt a DevSecOps model
Effective DevOps security requires cross-functional collaboration and buy-in to ensure security requirements are part of the entire product development lifecycle. DevSecOps entails embedding governance and cybersecurity functions such as identity and access management (IAM), unified threat management, code review, and vulnerability management throughout the DevOps workflow. Done properly, security will be aligned with DevOps to enable efficient product releases, while avoiding costly recalls, fixes, or patch updates after products are released.
- Require Compliance with Security Policies & Governance
Create transparent cybersecurity policies and procedures that are easy for developers and other team members to understand and agree to.
- Automate DevSecOps Processes and Tools
Use automated security tools for code analysis, configuration management, patching and vulnerability management, and privileged credential / secrets management. This is central to effectively scaling security to DevOps processes. Automation can also minimize risk from human error and identify threats, problematic or vulnerable code, and issues with process and infrastructure. The goal should be to match the speed of security to the speed of the DevOps process, so that teams are receptive to integrating security practices.
A security-first model focuses on continuous monitoring and management of cloud security risks and threats, leveraging modern tools and automation techniques to ensure that, at all times, the organization is monitoring security threats through real-time discovery and understanding these threats through deep insights.
Consider automating these security practices to ensure that application development passes security requirements from strategy to deployment.
- Threat monitoring and remediation
- Collecting, consolidating, and analyzing log data
- Audit reporting
- Malware and insider threat detection
- Early breach detection
- Compliance analytics and reporting
- Log and event data collection
- Incident response
- Intrusion detection
- Identity and access management
- Mitigation functions
Business transformation rests on all aspects of operations being agile and responsive, including security. Using DevOps security practices can help organizations establish a security-first approach that can lead to that outcome.