DevSecOps: A Game Plan for Continuous Security and Compliance for your Cloud27 Mar 2017
Cloud is agile. Cloud engineers work continuously on iterations based on the continuous integration/continuous deployment (CI/CD) model of development and deployment. And DevOps is an integral part of the entire CI/CD spectrum. While DevOps makes it possible for the code to deploy and function seamlessly, where does “security” stand in this agile, CI/CD environment? You cannot afford to compromise on security and turn your infrastructure vulnerable to hackers, for sure! So, here comes the concept of “DevSecOps” — the practices of DevSecOps.
The concept of DevSecOps thrives on the powerful guideline: ‘Security is everyone’s responsibility.’ As we witness it, rapid application delivery is dramatically transforming how software is designed, created, and delivered. There is sense of urgency and in pushing the limits on the speed and innovation of development and delivery. The rise of DevOps creates opportunities to improve the software development life cycle (SDLC) in tandem with the moves being made toward agility and continuous delivery. However, how secure is the transition? And how can we make it secure? The answer is DevSecOps.
[mk_blockquote style=”quote-style” font_family=”none” text_size=”12″ align=”left”]We won’t simply rely on scanners and reports to make code better. We will attack products and services like an outsider to help you defend what you’ve created. We will learn the loopholes, look for weaknesses, and we will work with you to provide remediation actions instead of long lists of problems for you to solve on your own. — www.devsecops.org [/mk_blockquote],”
First, let’s analyze the true state of security in DevOps. Consider these points:
- Where does your organization stand in the transition to DevOps?
- How security measures are included in the transition?
- What are the opportunities and obstacles in improving security practices in a DevOps environment?
In a recent study conducted by HPE Security Fortify team, the results provide insight into current DevOps security practices at both large and mid-sized enterprises. Analysis of the report highlights multiple gaps that exist between the opportunity to have security as a natural part of DevOps and the reality of the current implementations.
The research has unearthed few key facts, such as:
- Everybody believes that security must be an integral part of DevOps and transformations on DevOps will actually make them more secure. However, with higher priority on speed and innovation, very few DevOps programs actually have included security as part of the process since it’s deemed to be of much lower priority
Image Source: http://sdtimes.com/hpe-security-fortify-report-finds-application-security-lacking-devops-processes/
- This problem could worsen in DevOps environments because silos still exist between development and security
So what about it and what’s next?
Make security better; DevOps can do it
Application security and DevOps must go hand-in-hand. An opportunity lies with to make security an integral part of development and truly build secure coding practices into the early stages of the software development life cycle (SDLC). Thus, DevSecOps can attain the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the required safety.
With the rapid changes happening in DevOps, traditional security seizes to be an option. Very often, the traditional security is far too late in the cycle and too slow to be cooperative in the design and release phases of a system that is built by iteration. However, with the introduction of DevSecOps, risk reduction cannot continue to be abandoned by either the business operators or security staff; instead, it must be embraced and made better by everyone within the organization and supported by those with the skills to contribute security value into the system.
DevSecOps as a cooperative system
A true cooperative ecosystem will evolve when business operators are supplied with the right set of tools and processes that help with security decision making along with security staff that use and tune the tools. Now, the security engineers more closely align with the DevSecOps manifesto, which speaks to the value that a security practitioner must add to a larger ecosystem. DevSecOps must continuously monitor, attack, and determine defects before non-cooperative attackers, read external hackers, might discover them.
Also, the DevSecOps as a mindset and security transformation further lends itself towards cooperation with other security changes. Security needs to be added to all business processes. A dedicated team needs to be created to establish an understanding of the business, tool to discover flaws, continuous testing, and science to forecast how to make decisions as a business operator.
Don’t miss the opportunity!
According to the recent research reports, the current state is that most organizations are not implementing security within their DevOps programs. This need to be changed and application security must be prioritized as a critical DevOps component. A secure SDLC must be incorporated as a disciplined practice, along with DevOps to define and implement diligent DevSecOps.
DevOps is a much thought about and evolved practice. The promise that it brings down organizational barriers towards swift and driven development and delivery has to be translated into security as well. A concentrated approach must be in place for organizations, to build security into the development tool chain and strategically implement security automation.
DevOps is good; DevSecOps is better
Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps’, summarizes a recent Gartner report on how to seamlessly integrate security into DevOps.
The key challenges discussed in the report are:
- DevOps compliance is a top concern of IT leaders, but information security is seen as an inhibitor to DevOps agility.
- Security infrastructure has lagged in its ability to become ‘software defined’ and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way.
- Modern applications are largely ‘assembled’, not developed, and developers often download and use known vulnerable open-source components and frameworks.
In 2012, Gartner introduced the concept of ‘DevSecOps’ (originally ‘DevOpsSec’) to the market in a report titled, “DevOpsSec: Creating the Agile Triangle.” The need for information security professionals to get actively involved in DevOps initiatives and to remain true to the spirit of DevOps, embracing its philosophy of teamwork, coordination, agility, and shared responsibility were the key identified areas in the report.
In the recent report titled, “DevSecOps: How to Seamlessly Integrate Security Into DevOps”, Gartner estimates that:
- Fewer than 20% of enterprise security architects have engaged with their DevOps initiatives to actively and systematically incorporate information security into their DevOps initiatives
- Fewer still have achieved the high degrees of security automation required to qualify as DevSecOps.
This calls for optimization and improvement in overall security posture by designing a set of integrated controls to deliver DevSecOps without undermining the agility and collaborative spirit of the DevOps philosophy.
With DevSecOps on the cloud, security becomes an essential part of the development process itself instead of being an afterthought.
DevSecOps is an objective where security checks and controls are applied automatically and transparently throughout the development and delivery of cloud-enabled services. Simply implementing or relying on standard security tools and processes won’t work. Secure service delivery starts in development, and the most effective DevSecOps programs start at the earliest points in the development process and follow the workload throughout its life cycle. Even if you aren’t actively using DevOps, try to implement the security best practices to accelerate the development and delivery of cloud-enabled services.
- Equip DevOps engineers to start with secure development
- Empower DevOps engineers to take personal responsibility for security
- Incorporate automated security vulnerability and configuration scanning for open source components and commercial packages
- Incorporated application security testing for custom code
- Adopt version control and tight management of infrastructure automation tools
- Adapt “continuous security” in tandem with “continuous integration” and “continuous deployment”
If you haven’t already, get involved in DevSecOps initiatives and start pressuring all security stakeholders for better security measures. Begin with the immediate scanning of services in development for vulnerabilities, and make OSS software module identification, configuration and vulnerability scanning a priority. Make custom code scanning a priority. As quoted by Madison Moore of SDtimes in one of her posts on DevSecOps, “mature development organizations finally realize how critical it is to weave automated security early in the SDLC.” And the Sonatype survey says it all.
Image Source: http://sdtimes.com/report-organizations-embracing-devsecops-automation/
The Bottom Line
Successful DevSecOps initiatives must remain true to the original DevOps philosophy: teamwork and transparency, and continual improvement through continual learning.
Interested in knowing more about DevSecOps? We are just an email away: firstname.lastname@example.org; and very much social: Twitter, Facebook, or LinkedIn. You can also drop in a line below in the comment section and get in touch with Botmetric experts to know more.
Latest posts by Editor (see all)
- May Roundup @ Botmetric: Deeper AWS Cost Analysis and Continuous Security - May 31, 2017
- What is NoOps, Is it Agile Ops? - May 25, 2017
- Why Botmetric Chose InfluxDB — A Real-Time Metrics Data Store That Works - May 18, 2017