A common and costly practice is to perform security checks on a product only towards the end of the software development life cycle (SDLC). Security requirements are thus enforced very late in the process. When there is no pressure for fast deployment, this model may work for the most part. In modern enterprise practice, however, product deployments and feature upgrades happen far more rapidly, as the focus has shifted towards Rapid Application Development (RAD) and rapid deployment.
This necessitates DevSecOps, which brings the security team into the same workflow as the development and operations teams, instead of the siloed approach that divides these teams and departments from one another.
“70% of DevOps team members have not been trained on how to secure software adequately” - DevSecOps Global Skills Survey
The DevOps model depends on increased visibility and collaboration between interconnected departments within an organization. As companies adopt a DevOps culture, coordinating all parallel streams of work up to a product's successful release becomes unavoidable for any modern team structure. DevSecOps automation therefore plays an important role in bringing development, security and operations together.
There are several key things to consider when adopting DevSecOps as part of core development:
Planning
Imagine that an organization, say XYZ, has well-defined roles and trained professionals working on a new product. Developer 'A' writes their code, passes it through the pipeline to the next phase, and it is carried through to the final stages of development. But when the product reaches the production build, the build fails and several errors surface, which the security team has to track down. They eventually find that the problem lies in A's source code and that it needs to be changed. Unfortunately, A has moved on from the module, or from the project itself. The security team now has to wait almost half the development timeline for the errors to be fixed before they can test again. This becomes a painfully long process if similar security touch-ups are needed elsewhere. XYZ now has to rethink its software development methodology.
Scenarios like this have forced software teams and organizations to reassess their security testing methods. Moving security testing earlier in the pipeline, instead of leaving it to the end, is what is known as the SHIFT-LEFT approach in DevOps. Including security tests at every phase of development, and enforcing clear code checks from the ground up, can change the entire process flow inside an organization.
During the planning phase, the role of the people inside the organization should not be overlooked. DevOps is a change of mentality, so everyone should be on board with the new way of working, and the impact it can have should be made clear.
Automation
Rapid testing is most easily enforced through automation. A DevOps Maturity Assessment Model lets an organization judge whether it is ready to develop and run automated workflows. The end state of successful DevOps is that every predefined step is automated, to the point that most routine activities run without manual intervention.
Automated source code review –
As in the XYZ scenario above, the operations and security teams could be dealing with flaws as severe as SQL injection in the source code. One way to put an automated source code review system in place is to build the tooling in-house from the start; with each iteration its rules can be tuned to the codebase, so accuracy improves and the checks remain proprietary.
Where time and resources are short, organizations can instead adopt one of the many well-established open-source scanners.
With automation in place, every error or failed build is reported. These reports let the team fix problems early, preventing the late-stage scramble described above and ensuring that bugs are fixed before they are exposed to the public.
“Automation is a culture and ground reality” – Black Hat Summit-2019
Vulnerability management –
Vulnerability management should be the starting point of the security process in DevOps. A vulnerability scan can be run at every major point during development, generating reports that keep the whole team informed of the precautions and steps taken to ensure security.
Vulnerability scanning builds on practices such as SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing), backed by pre-commit hooks and bug tracking. Results can be filtered for the developers who need to act on them and shared across all departments so that everyone works to the same conventions.
As an integral part of the CI/CD process, these vulnerability tests improve workflows with the least backtracking and the fewest product rollbacks, making the job easier for the ops team as well as the developers.
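The source-level checks discussed in the two sections above (catching SQL injection in XYZ's source code, and running SAST from a pre-commit hook), as an added example that is not part of the original article and not Innominds' or any vendor's tooling. It is a toy static analyzer written in Python that parses a file's AST and flags SQL statements assembled with concatenation, f-strings, % formatting or .format(), as well as credentials assigned as string literals. The two embedded source samples are constructed for the demonstration, and the assumption that SQL text starts with a common verb and that secret-bearing variables carry names like password or token is a simplification; real SAST tools such as Bandit, Semgrep or CodeQL cover far more, but the mechanism is the same: parse, match patterns, fail the commit.

```python
"""Toy SAST check for Python source, usable as a pre-commit hook.

Added example for this article; not Innominds' or any vendor's tooling.
Assumptions: the code under review is Python, SQL statements begin with a
common verb, and secret-bearing variables have names like password/token.
"""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass

SQL_VERBS = ("select ", "insert ", "update ", "delete ", "drop ")
SECRET_WORDS = ("password", "passwd", "secret", "api_key", "apikey", "token")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _is_sql_literal(node: ast.AST) -> bool:
    """A string constant that looks like the start of a SQL statement."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().lower().startswith(SQL_VERBS))


def _contains_sql_literal(node: ast.AST) -> bool:
    return any(_is_sql_literal(n) for n in ast.walk(node))


class _Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: dict[tuple[int, str], Finding] = {}   # de-duplicated per line and rule

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.setdefault((node.lineno, rule), Finding(node.lineno, rule, message))

    def visit_BinOp(self, node: ast.BinOp) -> None:
        # "SELECT ... %s" % x   and   "SELECT ... '" + x
        if isinstance(node.op, ast.Mod) and _is_sql_literal(node.left):
            self._report(node, "sql-injection", "SQL built with % formatting; use a parameterised query")
        elif (isinstance(node.op, ast.Add) and _contains_sql_literal(node.left)
              and not isinstance(node.right, ast.Constant)):
            self._report(node, "sql-injection", "SQL built by concatenation; use a parameterised query")
        self.generic_visit(node)

    def visit_JoinedStr(self, node: ast.JoinedStr) -> None:
        # f"SELECT ... {x}": a SQL-looking literal part plus at least one interpolated value
        if (any(_is_sql_literal(v) for v in node.values)
                and any(isinstance(v, ast.FormattedValue) for v in node.values)):
            self._report(node, "sql-injection", "SQL built with an f-string; use a parameterised query")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # "SELECT ... {}".format(x)
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "format"
                and _is_sql_literal(node.func.value)):
            self._report(node, "sql-injection", "SQL built with str.format; use a parameterised query")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # DB_PASSWORD = "..." : a literal secret checked into source
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(w in target.id.lower() for w in SECRET_WORDS):
                    self._report(node, "hardcoded-secret",
                                 f"{target.id} is a literal; load it from a secrets manager or the environment")
        self.generic_visit(node)


def scan_source(source: str, filename: str = "<string>") -> list[Finding]:
    """Parse one Python file and return its findings sorted by line."""
    checker = _Checker()
    checker.visit(ast.parse(source, filename))
    return sorted(checker.findings.values(), key=lambda f: (f.line, f.rule))


def main(paths: list[str]) -> int:
    """Pre-commit entry point: exit 1 (block the commit) if anything is found."""
    total = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for f in scan_source(fh.read(), path):
                print(f"{path}:{f.line}: [{f.rule}] {f.message}")
                total += 1
    return 1 if total else 0


# Constructed samples: XYZ-style code that should fail the hook, and its fix.
VULNERABLE = '''\
import sqlite3
DB_PASSWORD = "hunter2"

def get_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{username}'")
    cur.execute("SELECT * FROM users WHERE name = '%s'" % username)
    return cur.fetchall()
'''

HARDENED = '''\
import os, sqlite3
DB_PASSWORD = os.environ["DB_PASSWORD"]

def get_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
    return cur.fetchall()
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))          # hook mode: python sast_check.py $(git diff --cached --name-only)
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, [(f.line, f.rule) for f in scan_source(src)])
```

Wired into a pre-commit hook, the non-zero exit code from main() is what blocks the commit; in a CI stage the same exit code fails the build, which is the "every error or build fail will get reported" behaviour the section describes. The hardened sample passes because the query is parameterised and the credential is read from the environment rather than written into the file.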
Tools and Resources
Whether for test automation or security management, dev, ops and security must agree on which tools to use. Proprietary tools can bring vendor support and hardened features, while open-source applications can increase productivity and save time and money.
Every security technology has its own strengths and weaknesses. Identifying them and aligning them with the business focus and goals is the most important consideration in choosing them.
Experts advise using a secrets management system to protect microservices and to hold credentials, API keys and other sensitive data. The secrets management tool must be integrated across the entire codebase, so that no service falls back to hard-coded credentials.
On top of that, security problems can arise from unexpected places, such as assets and slide decks shared by other departments inside the organization. Monitoring such assets is therefore another precaution security teams need to take.
Code Level Security
Enforcing secure coding is the SHIFT-LEFT approach that has transformed the way organizations used to work: secure coding practices, combined with moving away from the traditional waterfall model. SAST and DAST take care of the low-hanging fruit during development and help make the code safe for the production environment. As a result, fewer issues arise at deployment, and the risk of a security compromise or risky public exposure is reduced.
Compliance with regulations such as the EU's General Data Protection Regulation (GDPR), and adherence to OWASP security guidelines, are informed steps in the culture change.
Besides the risks in an organization's own code, there are dependency risks at the source code level. Take special care to avoid abandoned or vulnerable modules. Third-party code also brings its own set of security risks. Perform software composition analysis of dependencies to mitigate these issues from the start.
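The dependency check described in the paragraph above, as an added example that is not part of the original article and not Innominds' or any vendor's tooling. It audits a requirements.txt-style manifest against an advisory feed, flagging pins that fall inside a vulnerable range, modules with no fixed release or no maintainer, and requirements that are not pinned at all. The package names, versions and advisory identifiers are constructed for the demonstration (they are not real packages or CVEs), and the code assumes plain dotted numeric versions; real software composition analysis tools such as pip-audit, OWASP Dependency-Check or Dependabot query live advisory databases and handle richer version syntax, but the matching logic is the same.

```python
"""Minimal software-composition check over a pinned dependency manifest.

Added example for this article, not Innominds' or any vendor's tooling.
Package names, versions and advisory identifiers are constructed; they are
not real packages or CVEs. Assumes dotted numeric versions and a
requirements.txt-style manifest with name==version pins.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str           # first affected version, inclusive
    fixed: Optional[str]      # first fixed version, exclusive; None = no fix released
    advisory_id: str          # constructed identifier
    summary: str


# Constructed advisory feed. A real SCA tool pulls this from OSV, NVD or a vendor database.
ADVISORIES = [
    Advisory("webframe", "1.0.0", "1.4.2", "EXAMPLE-2024-0001", "SQL injection in query builder"),
    Advisory("tlslib", "2.0.0", None, "EXAMPLE-2024-0002", "hostname verification bypass, unfixed"),
    Advisory("oldparser", "0.0.0", None, "EXAMPLE-ABANDONED-0003", "project archived, no maintainer"),
]


def parse_version(v: str) -> tuple[int, ...]:
    """'1.4.2' -> (1, 4, 2); tuples compare lexicographically, which is what we need."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, or any version >= introduced when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_manifest(text: str) -> list[tuple[str, Optional[str]]]:
    """Return (name, version) pairs; version is None for an unpinned requirement."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps.append((name.strip().lower(), version.strip()))
        else:
            deps.append((line.lower(), None))
    return deps


def audit(manifest: str) -> list[tuple[str, str, str]]:
    """Return (package, code, action) for every risky requirement, in manifest order."""
    results = []
    for name, version in parse_manifest(manifest):
        if version is None:
            results.append((name, "UNPINNED", "pin an exact version so builds are reproducible"))
            continue
        for adv in ADVISORIES:
            if adv.package == name and is_affected(version, adv):
                action = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fixed release: remove or mitigate"
                results.append((name, adv.advisory_id, f"{adv.summary}; {action}"))
    return results


# Constructed manifest exercising each case.
MANIFEST = """\
# requirements.txt (constructed)
webframe==1.3.0      # inside the vulnerable range
tlslib==2.3.1        # affected, no fix yet
oldparser==0.9.0     # abandoned module
jsonfast==3.1.0      # no advisory
httpclient           # not pinned
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else MANIFEST
    findings = audit(text)
    for pkg, code, action in findings:
        print(f"{pkg}: {code}: {action}")
    sys.exit(1 if findings else 0)      # fail the pipeline stage when anything is found
```

The range check treats the fixed version as exclusive and a missing fix as open-ended, which is how advisory feeds express "affected until further notice"; the unpinned case is reported separately because a floating requirement can silently pull in a vulnerable release after the scan has passed.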
External Threats
External security risks depend largely on how an organization views its infrastructure. Moving towards threat modeling in DevOps and other advanced DevSecOps practices, companies need to map out their security concerns and manage everything carefully, including the cloud architecture.
Containerization and orchestration can add a layer of insulation: when services are exposed only through proxies or an ingress, external attackers reach the proxy rather than individual containers. Orchestration tools and service meshes enable role-based configuration that protects data and limits what can reach each service. This holds only if the containers themselves are hardened; an image that runs as root, or is built from an unpatched base, remains a target once the proxy layer is bypassed.
Advances in the industry have given rise to Infrastructure as Code (IaC), which covers many aspects of cloud management and lets security be built into the infrastructure definitions themselves, so they can be reviewed and scanned like application code.
Cloud security focuses on patching servers against attacks, scanning Docker images, cloud workload protection and other context-specific activities.
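The image-definition scanning mentioned in the cloud security and IaC paragraphs above, as an added example that is not part of the original article and not Innominds' or any vendor's tooling. It is a small policy check over a Dockerfile that flags an unpinned base image, a secret baked into the image via ENV, remote content pulled in with ADD, and the absence of a non-root USER, then shows a hardened definition that passes. Both Dockerfiles are constructed for the demonstration, the digest in the hardened one is a placeholder rather than a real image digest, and the rule set is deliberately minimal; scanners such as hadolint, Trivy or Checkov apply far more rules to Dockerfiles, Kubernetes manifests and Terraform in the same way.

```python
"""Toy IaC policy check for a Dockerfile.

Added example for this article, not Innominds' or any vendor's tooling.
The Dockerfiles below are constructed; the digest in HARDENED is a
placeholder, not a real image digest.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

SECRET_WORDS = ("password", "passwd", "secret", "api_key", "apikey", "token")


@dataclass(frozen=True)
class Finding:
    line: int          # 0 means the finding applies to the whole file
    rule: str
    message: str


def _instructions(text: str) -> list[tuple[int, str, str]]:
    """Return (line, INSTRUCTION, arguments), joining backslash continuations."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return out


def check_dockerfile(text: str) -> list[Finding]:
    findings: list[Finding] = []
    saw_non_root_user = False
    for line, instr, args in _instructions(text):
        if instr == "FROM":
            image = args.split()[0]                          # drop "AS stage"
            ref = image.split("@", 1)[0]                     # image[:tag] without any digest
            tag = ref.rsplit(":", 1)[1] if ":" in ref.rsplit("/", 1)[-1] else None
            if "@sha256:" not in image and image != "scratch" and tag in (None, "latest"):
                findings.append(Finding(line, "unpinned-base-image",
                                        f"{image}: pin a version tag or digest so builds are reproducible"))
        elif instr == "USER":
            saw_non_root_user = args.split(":")[0] not in ("root", "0")
        elif instr == "ADD" and args.split()[0].startswith(("http://", "https://")):
            findings.append(Finding(line, "add-remote-url",
                                    "ADD fetches unverified remote content; COPY a vetted file instead"))
        elif instr == "ENV":
            tokens = args.split()
            # ENV KEY=value [KEY2=value2] or the legacy ENV KEY value form
            names = [t.split("=", 1)[0] for t in tokens] if "=" in args else tokens[:1]
            for name in names:
                if any(w in name.lower() for w in SECRET_WORDS):
                    findings.append(Finding(line, "secret-in-env",
                                            f"{name} is baked into the image config; inject secrets at runtime"))
    if not saw_non_root_user:
        findings.append(Finding(0, "runs-as-root", "no non-root USER instruction; the process runs as root"))
    return findings


# Constructed Dockerfiles: one that should fail the check, one that passes.
WEAK = """\
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN sh /tmp/setup.sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

HARDENED = """\
# placeholder digest: a real build pins the digest of the image it was tested against
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --create-home --shell /usr/sbin/nologin app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK
    findings = check_dockerfile(text)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    sys.exit(1 if findings else 0)      # block the image build when anything is found
```

Run as a CI step before docker build, the non-zero exit stops the image from being built and pushed. The hardened file passes because the base image is pinned by digest, the process drops to an unprivileged user, the secret is no longer written into a layer, and nothing is fetched at build time from a remote URL.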
The DevSecOps team needs to be prepared to face security threats, so that the organization does not lose face in the event of a breach. Several examples of such attacks in the recent past make security all the more important.
Security can no longer sit at the doorway; it has to be injected into every part of the development pipeline.
In the past, with no particular focus on agile approaches or faster production, late security checks were not a great impediment. Now that Rapid Application Development (RAD) and rapid deployment have become a requisite, security loopholes can only be fixed with rapid testing and automated security tools, and security checks can no longer be treated as the endpoint.
Industry leaders stress this point when they say that the people on the security side and the development side should not be throwing things over the wall at each other. DevSecOps brings the two teams together to achieve optimal performance and stable deployments.
Innominds has helped many of our clients find the ideal security strategy in line with the latest DevSecOps practices. We know the ins and outs of enterprise security, with professionals in the 'elite' category of skills required of the world's leading DevOps engineers. We have the tools, the industry knowledge and the expertise needed to vaccinate your organization against security threats - the DevOps way.