Secure DevOps and cloud computing are altering the design, build, deployment and operation of online systems. Learn more from Eric Johnson and Frank Kim of the SANS Institute.
By
Eric Johnson and Frank Kim
Published: 20 Mar 2018
DevOps and cloud computing are radically changing the way organizations design, build, deploy and operate online systems. According to the latest SANS application security report, 43% of organizations are now delivering changes to production on a weekly, daily or continuous basis.
With the increasing rate of change, traditional approaches to security can't keep up. Therefore, security, IT and risk professionals are left struggling to figure out how they can reduce risk in a DevOps world.
In the quest to reinvent security in DevOps -- also known as secure DevOps -- figuring out where to begin is the most difficult part. To help security professionals get started, the SANS security community created a visual aid that breaks down each phase of the continuous integration and continuous delivery process.
The new "Secure DevOps Toolchain" infographic identifies the key tools and processes to help organizations transition to secure DevOps. The five phases of the secure DevOps lifecycle include:
Precommit. Identify security activities that can be done before code is committed to version control. Threat modeling, rapid risk assessments, lightweight static analysis and precommited security hooks can identify threats and vulnerabilities before your application deploys to a live environment. Free tools, such as GitHub and GitLab, can help manage manual security reviews along the way.
Commit -- continuous integration. Fast, automated security checks should be done during automated code builds. This includes linting and static code analysis of infrastructure and application source code, executing security unit tests, and scanning for vulnerable dependencies. Also, when working in containerized environments, don't forget about container hardening and scanning.
Acceptance -- continuous delivery. Run automated security acceptance tests and functional security tests to make sure the system or application performs as expected. Infrastructure scanners ensure hardening baselines and compliance requirements are met, while application security scanners and automated security acceptance check that application security requirements are met.
Production -- continuous deployment. Execute security checks before, during and after code is deployed to production. Smoke tests, configuration checks and secrets management tools ensure systems and applications are secure after moving into production.
Operate. With ongoing security monitoring and auditing of production systems, this final post-production phase is important for performing game day exercises and tabletop scenarios, ensuring there are no unexpected vulnerabilities. Once you are satisfied with the level of security achieved, deploy a learning engine that will enable users to easily retrieve data from production for postmortem notes and reports. This information will help drive the next iteration through the process, as it can serve as a reference for what worked and what didn't during the design, build, deploy and operate stages.
In the quest to reinvent security in DevOps -- also known as secure DevOps -- figuring out where to begin is the most difficult part.
The "Secure DevOps Toolchain" infographic identifies many free, open source tools in each of the above phases to help security professionals transition to secure DevOps; for example, security scanners and compliance checkers from Amazon Web Services, Microsoft Azure, HashiCorp, Netflix, Etsy, Capitol One and many others in the open source community. The infographic also includes the "Securing Web Application Technologies (SWAT) checklist to help raise security awareness during software development.
DevOps is the future of development, so making secure DevOps the future of enterprise security programs is crucial. Education, information sharing and collaboration will play key roles in helping developers, operations and security professionals build and deliver secure applications.
About the authors: Eric Johnson (@emjohn20) is a principal security consultant at Cypress Data Defense where he leads secure software development lifecycle consulting, web and mobile application penetration testing, secure code review assessments, static source code analysis, security research, and security tool development. Johnson is a certified instructor with the SANS Institute where he authors application security courses on DevOps, cloud security, secure coding and defending mobile apps.
Frank Kim (@fykim) is a curriculum director at the SANS Institute and founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the SANS Institute, Kim led the information risk function for the most trusted source of computer security training and certification in the world. In his new role at SANS, he continues to lead the management and software security curricula, helping to develop the next generation of security leaders.
