DevOps, the union of software development and operations that aims to produce and update applications at warp speed, has traditionally lacked adequate and automated security controls throughout the lifecycle. Building security into the DevOps process tends to slow down code production and application deployment, which is a major frustration for developers and managers.
All three must be equal parts of the process to properly incorporate security and ensure the release of safe, secure applications with less time and effort to fix avoidable security issues. This is often referred to as DevSecOps.
A look at security tools and controls
To make DevSecOps a reality, projects must begin with core security brought into the DevOps workflow in the planning phase. This type of integration may require a culture shift in many organizations, starting with the CIOs, who oversee both the DevOps and security teams. It also requires that security teams choose tools that offer speed and efficiency, lending themselves to the DevOps workflow rather than hindering it.
In addition to static and dynamic security tests, the following controls create more secure applications and infrastructures:
- Threat modeling and risk assessment. Security personnel must determine which threats are most likely to affect an application and its deployment and then perform a risk assessment to prioritize risks, examine which controls are already in place and determine which controls are needed.
- Vulnerability assessments. In addition to source code scanning, which detects errors specifically in the code base, vulnerability scans that search for potential weaknesses throughout the system should be a necessary part of DevOps. Some tools integrate with continuous integration tools and examine applications after each code modification, and identify code that contains vulnerabilities.
- Embedded security controls. One type of control, or tool, that's gaining traction is runtime application self-protection (RASP). A RASP solution monitors the security of applications and blocks calls that appear to be unsafe. RASP products include APIs for scripting and runtime policies, although implementation may involve web server plugins, servlet filters or library replacements.
- Configuration management tools. These tools automate the application of configuration states as well as deployments and application scaling. Tools are available for cloud environments or on premises.
- Log and event monitoring. Every networked environment needs some sort of log monitoring tool, especially in DevOps where developers and admins typically have escalated privileges.
For DevSecOps, use automation cautiously
Many security and DevOps practitioners agree that automation plays a key role in transforming the DevOps process into a DevSecOps process. Configuration management, event logging and monitoring, and system-level vulnerability assessments are just a few controls that can be automated and potentially incorporated into the build process.
For example, Ansible, Chef, Puppet and SaltStack are popular configuration management tools for automating application development and delivery. Many of these tools also enable the enforcement of security policies.
When selecting automation tools, consider what's already being used by the DevOps team and determine if it's adequate for security integration. Also, keep in mind that configuration management, by its nature, can introduce vulnerabilities. So the process should include an automatic scan whenever vulnerabilities are detected.
Racing against time to deliver a new application or new features won't satisfy customers if the end product poses a significant security risk. It's time to switch from DevOps to a DevSecOps model to build trust, ensure accountability and make your applications more consistent and predictable.
Are you ready to build security into your DevOps process?
Why security needs to be part of DevOps
DevSecOps is DevOps, new and improved