DevOps + Security = DevSecOps? Not Always
Thursday, October 11, 2018
DevOps is a growing and useful paradigm in web application development, but it fails to address the security issues plaguing today’s marketplace. The principles of DevOps, however, can easily integrate more effective security, paving the way for DevOps to become DevSecOps.
Briefly Defining DevOps and DevSecOps
DevOps is a culture of integrating development and operations. In an ordinary work environment, ‘Development’ is the division responsible for conceiving, designing and coding the product, while ‘Operations’ oversees production, distribution and service maintenance. In most cases, these departments are separate, with Operations usually depending only on documentation provided by Development to advise on the use and running of the product. Development is also bottlenecked by needing to wait for any pending code or features to enter production before they can begin work on new features.
With a DevOps-oriented team, both departments become more directly involved in each phase of product deployment. Key concepts for DevOps are ‘automation’ and ‘continuous monitoring’. When possible, DevOps environments find ways to automate as much as possible in the production cycle, while creating an infrastructure for monitoring and documenting any changes to the product or workflow.
DevSecOps adds to this collaborative culture by integrating security into the workflow. The emphasis on automation and continuous monitoring is carried over from DevOps, with code being automatically tested not just for functionality, but for security as well. Analytics are employed during every phase of the production cycle to check for errors or potential breaches, and any change to the product or implementation is made with Security on board.
The concept of DevSecOps is open to a certain amount of interpretation. There is no recognized standard or governing body defining the exact nature of a DevSecOps environment. Holistically integrating development, operations and security is a good way to summarize the concept, but how can this be realized from an idea into actual practices? Gartner suggests the following steps for a well-rounded DevSecOps culture to foster securely designed and implemented products:
Restructure the design and development process to integrate security.
DevOps focuses on automation to allow any new code or features to be deployed with efficiency and scalability; these same principles should be applied to security features. Policies should also be implemented to make security a core part of the product’s design down to the concept level.
Review product deployment and maintenance practice to integrate security into the process.
Just as DevOps automation helps in the creation and development phases, it also applies to service maintenance and real-world adaptation of the code. Security awareness should be integrated into this process, with infrastructure in place to roll out security patches responsively whenever any flaws are discovered.
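The two items above (security built into the automated pipeline, and patches rolled out as soon as a flaw is known) are easiest to see as a build gate. The following is an added example, not code from the original post or from High-Tech Bridge: a dependency audit that runs in CI, blocks the deploy when a pinned package is below the first fixed version in an advisory list, and prints the version to upgrade to. The advisory feed, package names and lockfile are constructed sample data, not real advisories; a real gate would pull its feed from a maintained database.

```python
"""Added example: CI dependency gate. Advisories and lockfile below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed advisory feed (package -> list of (first_fixed_version, advisory_id)).
# Every release below first_fixed_version is treated as affected, which is how
# most advisory databases express a vulnerable range.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("2.4.1", "SAMPLE-ADV-001")],
    "widgetkit": [("0.9.3", "SAMPLE-ADV-002")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")
LOOSE_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(>=|~=|>|<|!=)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1). Pre-release tags are rejected on purpose:
    a gate that mis-orders '2.4.1rc1' against '2.4.1' would fail open."""
    parts = v.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {v!r}")
    return tuple(int(p) for p in parts)


def parse_lockfile(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: exact_version}, [names without an exact pin])."""
    pinned: Dict[str, str] = {}
    loose: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
            continue
        m = LOOSE_RE.match(line)
        if m:
            loose.append(m.group(1).lower())
            continue
        raise ValueError(f"unparseable requirement line: {raw!r}")
    return pinned, loose


def audit(lockfile_text: str, advisories=ADVISORIES) -> List[dict]:
    """One finding per vulnerable pin and one per loose pin (loose pins make the
    build non-reproducible, so the audit result would not describe what ships)."""
    pinned, loose = parse_lockfile(lockfile_text)
    findings: List[dict] = []
    for name in loose:
        findings.append({"package": name, "kind": "unpinned",
                         "detail": "exact pin required for reproducible builds"})
    for name, version in pinned.items():
        for fixed, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append({"package": name, "kind": "vulnerable",
                                 "installed": version, "fixed": fixed,
                                 "advisory": adv_id})
    return findings


def gate(lockfile_text: str) -> int:
    """CI entry point: 0 lets the deploy proceed, 1 blocks it."""
    findings = audit(lockfile_text)
    for f in findings:
        if f["kind"] == "vulnerable":
            print(f"BLOCK {f['package']}=={f['installed']}: {f['advisory']}, "
                  f"upgrade to >= {f['fixed']}")
        else:
            print(f"BLOCK {f['package']}: {f['detail']}")
    return 1 if findings else 0


# Constructed sample lockfile for the demonstration run.
SAMPLE_LOCKFILE = """\
examplelib==2.3.0      # below first fixed version -> blocked
widgetkit==0.9.3       # exactly the fixed version -> allowed
safething==1.0.0       # no advisory on record -> allowed
loosepin>=3.0          # not an exact pin -> blocked
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_LOCKFILE))
```

The exit code is what makes this a DevSecOps control rather than a report: wired into the pipeline, a blocked build is the "security patch rolled out responsively" the item above asks for, because the fix is to bump the pin and re-run. Maintained tools such as pip-audit or OWASP Dependency-Check do the same job against real feeds; the value of the toy version is seeing where the policy decisions (range semantics, pre-release handling, loose pins) live.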
Integrate access control into all products, internally and externally.
Policies should be put in place to ensure that members of the team can only access features and infrastructure that they need. Additionally, there should be security measures to monitor for unusual login activity, such as unfamiliar IP addresses or unusual user behavior. Consider incorporating MFA, CASBs and/or behavioral biometrics into the product and its development environment.
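The monitoring half of this item (unfamiliar IP addresses, unusual user behavior) is concrete enough to run over a log. The following is an added example, not code from the original post or from High-Tech Bridge: a detector that reads JSON login events, keeps a per-account baseline of previously seen source addresses, and raises alerts for a login from an unfamiliar address, for a burst of failed attempts, and for the higher-severity case of a success immediately following such a burst. The log lines, accounts, addresses, baseline and thresholds are all constructed for the example.

```python
"""Added example: login anomaly detection over constructed JSON auth events."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

FAIL_THRESHOLD = 5                  # failures inside FAIL_WINDOW raise an alert
FAIL_WINDOW = timedelta(minutes=10)

# Constructed baseline: addresses each account has logged in from before.
# In production this is learned from a trailing window of successful logins,
# and deliberately NOT updated from logins that themselves raised an alert.
KNOWN_IPS: Dict[str, Set[str]] = {
    "alice": {"203.0.113.7"},
    "bob": {"198.51.100.20"},
    "carol": {"203.0.113.9"},
}

# Constructed sample log, one JSON object per line. bob's events are out of
# order on purpose, to show that the detector sorts by timestamp first.
SAMPLE_LOG = """\
{"ts":"2018-10-11T08:02:11Z","user":"alice","ip":"203.0.113.7","result":"success"}
{"ts":"2018-10-11T09:00:40Z","user":"bob","ip":"192.0.2.50","result":"failure"}
{"ts":"2018-10-11T09:00:00Z","user":"bob","ip":"192.0.2.50","result":"failure"}
{"ts":"2018-10-11T09:00:10Z","user":"bob","ip":"192.0.2.50","result":"failure"}
{"ts":"2018-10-11T09:00:20Z","user":"bob","ip":"192.0.2.50","result":"failure"}
{"ts":"2018-10-11T09:00:30Z","user":"bob","ip":"192.0.2.50","result":"failure"}
{"ts":"2018-10-11T09:01:00Z","user":"bob","ip":"192.0.2.50","result":"success"}
{"ts":"2018-10-11T10:15:00Z","user":"carol","ip":"198.51.100.77","result":"success"}
"""


def parse_events(log_text: str) -> List[dict]:
    """Parse one JSON event per line and return them in timestamp order."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(log_text: str, known_ips: Dict[str, Set[str]] = KNOWN_IPS) -> List[dict]:
    """Return alerts in the order they would fire while streaming the log."""
    alerts: List[dict] = []
    failures = defaultdict(deque)   # user -> timestamps of failures inside the window
    for e in parse_events(log_text):
        user, ip, ts = e["user"], e["ip"], e["ts"]
        window = failures[user]
        while window and ts - window[0] > FAIL_WINDOW:
            window.popleft()        # expire failures older than the window
        if e["result"] == "failure":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is crossed
                alerts.append({"rule": "failure_burst", "user": user, "ip": ip,
                               "ts": ts.isoformat(), "severity": "medium"})
            continue
        # Successful login: unfamiliar source address is the "unfamiliar IP" signal.
        if ip not in known_ips.get(user, set()):
            alerts.append({"rule": "unfamiliar_ip", "user": user, "ip": ip,
                           "ts": ts.isoformat(), "severity": "medium"})
        # A success right after a burst of failures looks like a guessed password.
        if len(window) >= FAIL_THRESHOLD:
            alerts.append({"rule": "success_after_burst", "user": user, "ip": ip,
                           "ts": ts.isoformat(), "severity": "high"})
            window.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} {a['severity']:6} {a['rule']:20} user={a['user']} ip={a['ip']}")
```

Two design points matter more than the thresholds. The baseline is never updated from an event that raised an alert, otherwise an attacker's address becomes "familiar" after one success. And the high-severity rule fires on the success, not the failures: five failures against a locked-out account are noise, five failures followed by a success is the incident that item six below says should be worked with the same urgency as an outage.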
Adopt a policy of proactive threat protection.
Security can no longer afford to be reactive in an increasingly cloud-based business landscape. Strong security policies should start from a zero-trust baseline, in which no user, device or network segment is trusted by default and every request is authenticated and authorized, and should review the best available infrastructure to protect against attacks. Applications should be designed with segmentation in mind to minimize the damage of any breach.
Incorporate strong data protection into products’ design and at a policy level.
The organization should maintain visibility into all user data handled by the application. Data at rest or in transit needs proper encryption. The team should continuously monitor what data is stored or used by the application, and have a framework in place for secure storage and destruction of unused data.
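The three obligations in this item (visibility into what data is held, protection of what is kept, and destruction of what is no longer needed) can be expressed as a small processing pipeline. The following is an added example, not code from the original post or from High-Tech Bridge: a field census over the raw store, an allowlist that drops fields the application does not need, keyed pseudonymisation (HMAC-SHA256) of direct identifiers so records can still be joined without the clear identifier, and a retention check that purges records past their window. The records, field names, allowlist, retention period, key and "current time" are all constructed; the key in particular is a placeholder for one held in a KMS or HSM.

```python
"""Added example: data minimisation, pseudonymisation and retention over constructed records."""
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ALLOWED_FIELDS = {"user_id", "email", "created", "plan"}   # what this dataset needs
IDENTIFIER_FIELDS = {"user_id", "email"}                    # never stored in clear here
RETENTION = timedelta(days=365)
PSEUDONYM_KEY = b"constructed-sample-key-do-not-use"       # placeholder for a KMS-held key
NOW = datetime(2018, 10, 11, tzinfo=timezone.utc)          # constructed "current time"

# Constructed records. The "ssn" and "phone" fields are the kind of data that
# creeps into a store without anyone deciding to collect it.
RAW_RECORDS: List[Dict] = [
    {"user_id": "u-1001", "email": "alice@example.com", "created": "2018-09-01T00:00:00Z",
     "plan": "pro", "ssn": "000-00-0000", "support_notes": "asked about invoices"},
    {"user_id": "u-1002", "email": "bob@example.com", "created": "2017-01-15T00:00:00Z",
     "plan": "free", "phone": "+1-555-0100"},
]


def field_inventory(records: List[Dict]) -> Counter:
    """Census of every field in the store, so unexpected fields become visible."""
    return Counter(k for r in records for k in r)


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC rather than a plain hash: without the key, an attacker cannot
    confirm a guess by hashing a dictionary of likely e-mail addresses."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict) -> Dict:
    """Keep only allowlisted fields and pseudonymise the identifiers among them."""
    out = {}
    for k, v in record.items():
        if k not in ALLOWED_FIELDS:
            continue                       # not needed, so not kept
        out[k] = pseudonymise(v) if k in IDENTIFIER_FIELDS else v
    return out


def is_expired(record: Dict, now: datetime = NOW, retention: timedelta = RETENTION) -> bool:
    created = datetime.fromisoformat(record["created"].replace("Z", "+00:00"))
    return now - created > retention


def process(records: List[Dict], now: datetime = NOW) -> List[Dict]:
    """Purge expired records first, then minimise and pseudonymise the rest."""
    return [minimise(r) for r in records if not is_expired(r, now)]


if __name__ == "__main__":
    print("fields in store:", dict(field_inventory(RAW_RECORDS)))
    for r in process(RAW_RECORDS):
        print(r)
```

Two caveats a practitioner would add. Pseudonymised data is still personal data while the key exists, so the key needs the same access control as the identifiers it replaces, and rotating it breaks joins across old and new records. And dropping a record from the primary store is not destruction: backups, replicas and log lines hold copies, which is why encrypting at rest under a per-tenant or per-record key and then destroying that key (crypto-shredding) is the usual way to make a retention policy enforceable.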
Handle security incidents and general service incidents with the same degree of importance.
All too often organizations respond to a service outage in their product within hours, while a known security breach can go for weeks without being addressed. A DevSecOps team should make no distinction between a code-related incident and a security-related incident; both should be treated as crucial to the integrity of the product.
Organizations of any size need to wake up to the changing landscape of security, especially with the growth of cloud-based products and the increasing emphasis on service providers. We have already examined a report stating that 100% of web applications are vulnerable in some way. This is arguably due to the production hierarchy seen in most organizations. At best, development and operations come first, with security being added on after the fact. At worst, features and production are considered first and foremost, with implementation and distribution only considered on their completion, and security an afterthought. As Ilia Kolochenko, CEO of High-Tech Bridge, explains:
“One of the biggest app sec problems today in many companies is an overall lack of application security strategy. DevSecOps is nascent, if not non-existent. Most companies don’t even have a comprehensive inventory of their applications, let alone assessed and attributed risks or compliance requirements. They desultorily try vulnerability scanners, RASP, IAST, NG WAFs and bug bounties, fail virtually everywhere and then blame the vendors and security analysts.”
However, according to Forrester, in the first quarter of 2017 90% of organizations had either already implemented DevOps or were planning to within 12 months. This means the barrier to implement DevSecOps is lower than it has ever been, with integrated, automated workflows already in place in most cases.
Secure by Design
The concept of DevSecOps naturally intersects with the principles of “Secure by Design” (or Security by Design – SBD). As a principle in software development, SBD simply refers to products that have been created with security as an integral part of the design. SBD covers secure data management, access control and damage minimization. OWASP has provided guidelines on the principles of Security by Design.
Under today’s stricter-than-ever security regulations, any effective implementation of DevSecOps must create its products and services with Secure by Design in mind. The GDPR’s Article 25 specifies that any data controller must implement technical and organizational measures to protect users’ data and ensure that only necessary and relevant personal data is ever processed or stored.
HTB’s Services can be integrated
One potential impediment to implementing DevSecOps is its feasibility. A DevSecOps environment needs to devote time and resources to security along every step of a product’s life-cycle. This can be expensive, but the solution must not be to decrease the emphasis on security at any point – this will defeat the purpose of DevSecOps and compromise the process as a whole.
Cloud-based security services can provide a solution to this, but not every service integrates well with a DevSecOps environment – an ad-hoc vulnerability scanning service would need to be repeated with each change in the development or delivery process, quickly becoming outdated or expensive. High-Tech Bridge’s ImmuniWeb® AI platform, by contrast, offers continuous, intelligent application security monitoring and immediate breach detection. With full visibility of both internal and external web applications, it makes for a powerful tool, easily integrated into a DevSecOps workflow.