Today CIOs/CISOs should revise DevOps to include a security module from the beginning
DevSecOps, the blending of an enterprise's application development and systems operations teams in collaboration with security, has become a trendy IT topic. The new operating model is often employed in conjunction with Agile software development methods and leverages the scalability of cloud computing, all in the interest of making companies more nimble and competitive. Today CIOs/CISOs should revise DevOps to include a security module from the beginning. Investing in firewalls and perimeter defense isn't bad per se, but with high-profile breaches due to exploits such as Heartbleed, Poodle, Bash etc., which left organizations with black eyes, it's clear that simply guarding the borders is not enough. By adding security to a DevOps program, CIOs/CISOs and their teams will be forced to think about security in a more granular way: at the start of the software development process, rather than as an afterthought.
DevSecOps can then be described as development, security and operations working together as a dynamic force to create security-centric solutions with a focus on secure infrastructure.
Integrating security into DevOps to deliver "DevSecOps" requires changing mindsets, processes and technology. One must adhere to the collaborative, agile nature of DevOps to be seamless and transparent in the development process, making the Sec in DevSecOps silent. Below are the key prerequisites that organizations should adopt to build a DevSecOps model:
- Adapt the Security Testing Tools and Processes to the Developers, Not the Other Way Around
- Quit Trying to Eliminate All Vulnerabilities During Development
- Focus should be on Identifying and Removing the Known Zero-Day/Critical Vulnerabilities
- Don’t Expect to Use Traditional DAST/SAST Without Changes
- All Developers should be trained on the Basics of Secure Coding
- Adopt a Security Champion Model and Implement a Simple Security Requirements Gathering Tool
- Eliminate the Use of Known Vulnerable Components at the Source
- Secure and Apply Operational Discipline to Automation Scripts
- Implement Strong Version Control on All Code and Components
- Adopt an Immutable Infrastructure Mindset
To start building the DevSecOps model, one should be aware that with the rise of DevOps most security teams try to minimize risk by limiting the speed of change. Though minimizing risk is a valid goal, this method fails to address the requirements of extremely fast-moving, technology-dependent businesses. If security teams are going to be a core component of DevSecOps, they must impress upon development and operations that they can bring a series of tests and quality conditions to bear on production code pushes without slowing the process. If security parameters and metrics are incorporated into development and test qualifications, then the chance for security to be involved in the DevOps processes will be much higher. A few of the challenges that may arise during implementation are:
1. DevOps tools and processes are great for staying innovative within tight release timelines, but the risks of slack security remain real, immediate, and extremely costly. This puts DevOps outfits under pressure to implement stronger and smarter security measures.
2. While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program. Incorporating security people into the development lifecycle can be challenging.
One major challenge besides the points above is that, until now, security teams have been considered gatekeepers. They come into the picture at the end of a product lifecycle. Given this, how can security teams align themselves with the developers, keeping in mind that the tools the two teams use are different? The answer is pretty simple: security teams should always act as "Facilitators" rather than being termed "Gate keepers/Toll barriers". Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering "DevSecOps." The following steps can be used to align security seamlessly with DevOps:
- Security Controls Must Be Programmable and Automated Wherever Possible
- Use IAM and Role-Based Access Control to Provide Separation of Duties
- Implement a Simple Risk and Threat Model for All Applications
- Scan Custom Code, Applications and APIs
- Scan for OSS Issues in Development
- Scan for Vulnerabilities and Correct Configuration in Development
- Treat Scripts/Recipes/Templates/Layers as Sensitive Code
- Measure System Integrity and Ensure Correct Configuration at Load
- Use Whitelisting on Production Systems, Including Container-Based Implementations
- If Containers Are Used, Acknowledge and Address the Security Limitations
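As an added illustration (not part of the original article), the sketch below shows one way a programmable, automated control could gate a code push: it blocks only on critical findings and on known-vulnerable OSS components, and sends everything else to the backlog instead of stopping the release. The normalized finding format, the per-source thresholds and the sample data are assumptions made for this example.

```python
import json

RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed policy: known-vulnerable OSS components block from "high" upward,
# findings in custom code (SAST) and running apps/APIs (DAST) only at "critical".
BLOCK_AT = {"oss": "high", "sast": "critical", "dast": "critical"}

# Constructed sample findings in a hypothetical normalized format that
# scanner exports would be mapped into before reaching the gate.
SAMPLE_FINDINGS = json.loads("""
[
  {"id": "F-1", "source": "oss",  "component": "example-lib 1.0",  "severity": "critical"},
  {"id": "F-2", "source": "sast", "component": "billing/api.py",   "severity": "medium"},
  {"id": "F-3", "source": "dast", "component": "/login",           "severity": "high"},
  {"id": "F-4", "source": "oss",  "component": "example-util 2.3", "severity": "high"},
  {"id": "F-5", "source": "sast", "component": "auth/token.py",    "severity": "Critical"},
  {"id": "F-6", "source": "oss",  "component": "example-xml 0.9",  "severity": "urgent"},
  {"id": "F-7", "source": "oss",  "component": "example-log 4.1",  "severity": "low"}
]
""")

def gate(findings, block_at=BLOCK_AT):
    """Return (blocking, backlog) lists of finding ids."""
    blocking, backlog = [], []
    for f in findings:
        rank = RANK.get(str(f.get("severity", "")).lower())
        threshold = block_at.get(f.get("source"))
        # Fail closed: an unrecognised severity or source blocks the push,
        # so a scanner format change cannot silently open the gate.
        if rank is None or threshold is None or rank >= RANK[threshold]:
            blocking.append(f["id"])
        else:
            backlog.append(f["id"])
    return blocking, backlog

def exit_code(findings, block_at=BLOCK_AT):
    """Pipeline step result: 1 stops the push, 0 lets it proceed."""
    blocking, backlog = gate(findings, block_at)
    for fid in blocking:
        print(f"BLOCK  {fid}")
    print(f"{len(backlog)} finding(s) routed to the backlog without stopping the push")
    return 1 if blocking else 0

if __name__ == "__main__":
    raise SystemExit(exit_code(SAMPLE_FINDINGS))
```

Run as a pipeline step, a non-zero exit stops the push; the backlog list is what would be filed as ordinary development work items.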
Though DevSecOps is getting more popular by the day, there are certain projects which aren't suitable for it. The following conditions can make DevSecOps (an Agile method) unnecessary for an application/project:
- Initiation and planning are quick & inexpensive relative to implementation, and yield an accurate, stable solution definition and plan
- The cost and timeline to implement the plan are clearly known and predictable
- The cost and timeline are well within any limits or constraints
Some of the tools which can be utilized to streamline the framework are Wazuh (OSSEC), ELK, Veracode etc. In the end, I would like to conclude by saying that DevSecOps is a must-have in enterprise app development and strategic for everyone in software. Organizations everywhere are now transforming their development from waterfall-native to DevOps-native tools and processes, which means aggressively moving to Agile and DevOps practices to speed delivery of new applications.
The author is Technical Leader India - Cyber Security, Paytm