DevSecOps Deep Dive Part TwoThursday, November 8, 2018
In the second part, we dive into product deployment and maintenance practice to integrate security into the DevOps process.
Part One of this series examined the Dev side of DevOps.
Ops and Sec in DevSecOps
In a DevOps workflow, ‘Operations’ refers to the running and maintenance of live services, as well as the launch, distribution and ongoing support of applications. With the cyclical nature of DevOps, part of Operations’ duty is to gather practical data on the real-world flaws, issues and successes of web applications in order to provide feedback to Development. Security should become a natural part of this process.
In the current environment, where security is a separate process provided by separate applications to defend systems with no built-in security of their own, security becomes a business inhibitor. A 2017 survey commissioned by Bromium Research found that 74% of CISOs said their users believed security was interfering with their work.
74% of CISOs have encountered complaints that security interferes with work.
With a more integrated DevSecOps approach to application development, security is not only seamlessly integrated into web applications, but the applications are inherently more secure with fewer breaches and less security-related downtime.
What is required to integrate security into operations?
Gartner’s advice is to “Reimagine How Services Are Securely Deployed and Maintained”. What does such a reimagination involve, and what key ideas should be implemented?
All too often, new code is received or written without proper validation.
The security firm RiskIQ later confirmed that Inbenta had been breached and the Magecart attackers had altered the code supplied by Inbenta to Ticketmaster. This would have been detected and could have been remedied had Ticketmaster employed adequate code validation in a DevSecOps process.
In order to prevent blunders like this, effective DevSecOps environments should have policies and infrastructure in place to properly validate any new code. This applies to validating internally-created code before deployment, and externally-sourced code before integration. This can partially be achieved with manual security checks, but automation should be applied where possible.
Adaptive Deployment and Patching
Businesses continue to be sluggish to respond to the need for patching in their components and infrastructures. A report released by Duo in 2017 found that only 31% of enterprise endpoints were running fully up-to-date versions of Windows 10. Patching can carry the risk – or at least the fear – of downtime in the company’s systems, and not all staff fully understand its urgency, so it can easily slip down the priority chain.
Only 31% of endpoints are running the most up to date version of Windows
It’s important to seek out new solutions and methodologies to incorporate continuous patching in the whole DevOps cycle. In contingencies, it can also be helpful to have responsive systems in place to temporarily roll-back applications to earlier versions in the case of new, more severe security issues arising in a component’s latest version.
Automation is useful because it reduces the capacity for human error. In 2016, Gartner found that the top obstacle for CIOs was the skills and resources of their staff. Since then, the worsening skills shortage in security has been continuously verified. Where you don’t have enough qualified staff for the work required, one approach is to reduce the necessary work – and this is best done through automation.
Today’s cloud-native platforms have the advantage of programmability and customizability; these assets should be incorporated into security, too. When possible, automated responses to detected security issues and threats should be implemented, and automated reporting when human action is required.
Continuous, Proactive Security
Shifting to cloud-native platforms and microservices affords new opportunities for proactive security. An approach suggested by Gartner is to systematically cycle microservices out of operation and reintroduce with no downtime in operations. This has the advantage of minimizing any damage even from undetected breaches. In general terms, continuous security means implementing controls and components – not just policies – with a focus on adaptive prevention and mitigation. High-Tech Bridge CEO Ilia Kolochenko explains:
An approach suggested by Gartner is to systematically cycle microservices out of operation and reintroduce with no downtime in operations.
“What is secure today can easily become vulnerable tomorrow. Frequently, an inadvertent human mistake or urgent business need leads to critical vulnerabilities despite severe policies and comprehensive security controls. Always keep in mind that application security a perpetual process, not a one-off investment."
Moving from DevOps to DevSecOps helps to achieve this.
DevSecOps should be considered a necessity rather than an option
Gartner specifies the most common cause of successful breaches against runtime applications as misconfiguration or mismanagement of security. We’ve certainly seen the damage done by failure to patch operation-critical components. The notorious Equifax breach, enabled by failure to implement a two-month old critical security update in the Apache Struts framework, resulted in the personal data of more than 145 million customers being compromised.
The most common cause of breaches is misconfiguration, mismanagement or error
We are still seeing the fallout and damage caused by this breach. On 19 September 2018, the UK’s Information Commissioner issued a £500,000 monetary penalty notice against Equifax Ltd. This was the maximum fine permissible under the Data Protection Act 1998. The incident happened between 13 May and 30 July 2017, before GDPR became active on 25 May 2018. Had GDPR been active at the time of the incident, the fine would have been considerably higher.
The ICO said, “Investigators found significant problems with data retention, IT system patching, and audit procedures.
While vulnerabilities may be introduced during Development, Operations is the impact point for any given breach. Since an application doesn’t begin handling customer data until it’s deployed, the team responsible for implementation and maintenance also bears the first responsibility for lost data. Gartner’s DevSecOps practices protect Operations from human error, ensure flexibility and adaptability and allow the organization to maintain compliance with minimal service disruption.
Implementing all these points into a DevSecOps workflow will require a multifaceted approach and thorough planning. One of the key aspects will be choosing the right components and services to keep operations running with minimal disruption. Since DevSecOps environments are by nature continuous work environments – development and deployment are on a continuous cycle of improvement and adaptation – security needs to respond to this with continuous scanning and scalable solutions.
In order to keep operations running both securely and smoothly, it’s important to identify security issues as quickly as possible and take a risk-based approach to dealing with them. No administrator wants to encounter frequent hours-long downtimes to fix minor, low data risk security issues as soon as they crop up. However, when a major issue arises, putting sensitive customer and corporate data at risk, it’s more economical to deal with patching and damage limitation as soon as possible. Otherwise, the company risks loss of compliance, hefty fines from regulators and loss of faith from consumers.
It’s important to identify security issues as quickly as possible and take a risk-based approach to dealing with them.
High-Tech Bridge’s ImmuniWeb Continuous application security testing is a powerful tool for continuous security monitoring, and can integrate effectively into a robust DevSecOps environment. With High-Tech Bridge’s award-winning human-augmented AI scanning and penetration testing, security flaws can be discovered and remediated swiftly. A visual, risk-based dashboard allows Security and Operations to work together, applying urgent fixes without unnecessary application downtime.