DevSecOps: Shifting Security Left Within the Agile World of DevOps


Written by: Pooja Arya, Principal, Cyber Group Inc.

DevOps Background

A while ago, I was assigned an opportunity to manage the DevOps practices for one of Cyber Group’s customers. Initially, I was uncertain how I would be able to add value by building and managing DevOps practices, especially when my prior experience had been in developing applications.

However, within a few days of implementing the DevOps practices, my perception changed. I could see that building a DevOps practice was adding an enormous amount of value to the entire project team. The time to deliver to market was reduced significantly. DevOps is a set of practices that automate the process between development and operations teams to build, test, and release software quickly and reliably.

Key benefits of DevOps include:

  • Improved operational support and faster delivery of features
  • More stable operating environments
  • Improved communication and collaboration
  • More time to innovate (rather than fix/maintain)

Security: Why Is It Important?

Recent research shows that around 58% of companies have had a data breach, and that 41% of those breaches came from a software vulnerability. We are not as safe in cyberspace as we think. T-Mobile, Facebook, British Airways, Equifax, and many others paid dearly for their breaches. Security mistakes can cost organizations millions and severely damage their brand and customer loyalty, on top of the effort needed to rectify the underlying vulnerabilities. Another study puts the average cost of a ransomware attack at around $5 million.

Software is now developed in a more democratized, decentralized way and relies increasingly on open-source components. That is a change from the days when everything ran on-premises and was assumed to be secure, and it is where much of the new exposure comes from. There is still a silo between DevOps and the security team. Developers, working from a “happy path” mindset, assume nothing could go wrong, and security checks are executed only in the final stages. A threat found that late requires either rewriting a great deal of code or taking the undesirable path of hotfix patching.

A few examples I have seen in my own work: keys, passwords, and tokens exposed in a GitHub repo, and databases created in AWS or Azure without locking down which IP addresses can reach them. Imagine what any bad actor could do with that; the exposure and the potential impact are considerable.
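As an added example (not code from the original article), the following Python check catches both of those mistakes before a merge: it scans file contents for committed credentials and checks database ingress rules for a world-open source range. The file contents, the security-group dictionary layout and the group names are constructed for the example, and the AKIAIOSFODNN7EXAMPLE key id is AWS's published placeholder rather than a real credential.

```python
"""Shift-left gate for two common mistakes: committed credentials and a
database open to the whole internet.

Added example, not code from the original article.  The file contents,
the security-group dictionary layout and the group names below are
constructed for the example; the AKIA... key id is AWS's published
placeholder, not a real credential.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Credential patterns that should never reach a repository.  The AWS
# access key id format is documented (AKIA followed by 16 upper-case
# letters/digits); the other two are deliberately broad, and a few false
# positives are the right trade-off for a check that runs before merge.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Well-known database ports.  Any ingress rule that opens one of these to
# every source address is a finding, whatever else the rule allows.
DB_PORTS = {3306: "mysql", 5432: "postgres", 1433: "mssql", 27017: "mongodb", 6379: "redis"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    check: str      # which check fired
    location: str   # file:line or security-group name
    detail: str     # offending line or rule, for the developer


def scan_for_secrets(files: dict[str, str]) -> list[Finding]:
    """Scan file contents (path -> text) line by line for credential patterns."""
    findings: list[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append(Finding(name, f"{path}:{lineno}", line.strip()))
    return findings


def scan_ingress_rules(security_groups: list[dict]) -> list[Finding]:
    """Flag database ports reachable from any IP address.

    Each group is {"name": ..., "ingress": [{"port": int, "cidrs": [str, ...]}]}.
    This shape is an assumption of the example, not a cloud provider's API;
    in practice it would be filled from a Terraform plan or the provider's
    describe call.
    """
    findings: list[Finding] = []
    for group in security_groups:
        for rule in group.get("ingress", []):
            port = rule.get("port")
            world_open = sorted(set(rule.get("cidrs", [])) & WORLD_CIDRS)
            if port in DB_PORTS and world_open:
                findings.append(Finding(
                    "open_db_ingress",
                    group["name"],
                    f"{DB_PORTS[port]} port {port} open to {', '.join(world_open)}",
                ))
    return findings


def gate(files: dict[str, str], security_groups: list[dict]) -> tuple[bool, list[Finding]]:
    """Return (passed, findings).  A single finding blocks the merge."""
    findings = scan_for_secrets(files) + scan_ingress_rules(security_groups)
    return not findings, findings


# Constructed sample inputs: two files that should fail, one that should
# pass, and three security groups (web tier open on 443 is fine, the DB
# group open on 5432 is not, the fixed DB group is limited to one subnet).
SAMPLE_FILES = {
    "app/settings.py": "DEBUG = False\nDB_PASSWORD = 'Tr0ub4dor&3xyz'\n",
    "infra/.env.example": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Read DB_PASSWORD from the secrets manager; never commit it.\n",
}
SAMPLE_SECURITY_GROUPS = [
    {"name": "web-sg", "ingress": [{"port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"name": "db-sg", "ingress": [{"port": 5432, "cidrs": ["10.0.0.0/16", "0.0.0.0/0"]}]},
    {"name": "db-sg-fixed", "ingress": [{"port": 5432, "cidrs": ["10.0.1.0/24"]}]},
]

if __name__ == "__main__":
    passed, findings = gate(SAMPLE_FILES, SAMPLE_SECURITY_GROUPS)
    for f in findings:
        print(f"[{f.check}] {f.location}: {f.detail}")
    sys.exit(0 if passed else 1)
```

Run it as a pre-commit hook or as one of the first pipeline stages: a non-zero exit status blocks the merge, which is the point of shifting the check left. Dedicated secret scanners and infrastructure-as-code linters are more thorough, but the shape of the gate is the same.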

Similarly, there have been advances on the ops side: building environments, provisioning services, producing golden Docker images, and using templates to create all of these. There has not been an equivalent advance in security and compliance monitoring tools, and collaboration between dev, ops, and security teams is missing.

What is DevSecOps?

DevSecOps is a shift-left transformation with one common goal: make security a first-class concern and participant in every phase of the agile SDLC. It combines a security-minded culture, tooling that gives more visibility, collaboration across teams, and security controls in each phase of the DevOps pipeline. The program should not focus only on the technical aspects; it should also create a framework that fits the organization’s business objectives. There are 4 main pillars of the DevSecOps framework:

Governance

Establish the security guardrails and monitor the results.

People

Build collaborative working styles. Conduct training & awareness sessions.

Process

Define the integrated process flow.

Technology

Automate recurring security tasks and inject security into each phase of the SDLC.

1. Governance

Establish security “guardrails” and goals, and drive the cultural change. Define roles and responsibilities, establish policies and security metrics to evaluate progress, use those metrics to track success and drive continuous improvement, and finally enable automation.

2. People

Build collaborative working styles and include security in the development and operations teams. Conduct training and awareness sessions with dev and ops teams about current threats and breaches. This will not only increase production deployment frequency but also speed up each deployment. Breaking the silos between DevOps and the security team is important so that everyone understands security is a “partnership”, not the property of any one team.

3. Process

Shift security left. Define the process that is right for the organization; no single solution fits every organization. Define and monitor the metrics and gated checks, and continuously work on improving the processes. This reduces open compliance findings and cuts the time spent collecting evidence for auditors.

4. Technology

Put technology to work driving automation and innovation. Harden the development pipeline by protecting the toolchain and the infrastructure it runs on. This improves developer productivity, increases pipeline velocity, and enforces controlled access to environments.

Key Benefits of DevSecOps

Given the need to deliver software faster, security cannot be left behind. We need to integrate security tools and metrics into the DevOps pipeline, inject security into every SDLC phase, and strive for continuous improvement.

The significant benefits DevSecOps brings to business can be categorized into 4 major areas:

  • Continuous security
  • Increased efficiency & product quality
  • Enhanced compliance
  • Increased collaboration

By incorporating security throughout the process, everyone on the team shares responsibility for security, and the security team can be involved far more deeply than before. Teams become proactive rather than reactive, and automation frees security staff to focus on higher-level issues.

DevSecOps: How Can We Integrate Security Into DevOps?

A DevSecOps program requires continuous improvement to reach the desired efficiency. Start by establishing the strategic drivers for DevOps teams to meet changing business requirements without excluding security and compliance needs. Then design a DevSecOps operating model: define data flows, develop standards, and map technologies and processes to core security operations. Monitor to ensure the processes are followed, maintained, reviewed, and updated regularly.

Approach security as a journey, not a destination; that means building it as a progressive security program. Tightly integrate security tools and processes throughout the DevOps pipeline so that the SDLC becomes a secure SDLC. Automate core security tasks by adding security controls early in the lifecycle. Continuously monitor and fix security defects across the whole application lifecycle, including development and maintenance. Invest the time to find the tools that fit your organization’s needs and use them in each phase of the SDLC.

 

Conclusion

In the era of cloud services and DevOps culture, it is high time we adopt a security-focused mindset for the development workflow without sacrificing speed. Integrating security practices and managing vulnerabilities and threats in the container space is crucial in any agile IT environment. DevSecOps and CloudSecOps principles support end-to-end security assurance activities: vulnerability assessments (pre-production and post-production), automated cloud monitoring tools, and continuous monitoring with reporting and metrics that govern security and compliance issues across the entire cloud ecosystem.