DevSecOps has become one of the hottest buzzwords in the DevOps ecosystem over the past few years. In the abstract, it’s easy to understand what DevSecOps means and why people care about it: it’s a strategy that extends DevOps efficiencies to software security.
But when you sit down and actually start implementing DevSecOps, things can get trickier. There is no switch you can flip to go from DevOps to DevSecOps. Implementation requires a set of tools and practices.
Let’s take a look at how to do that by walking through the main considerations that the typical organization must address when it comes to DevSecOps.
Traditional security practices involve a waterfall process whereby developers create software that is then scanned and tested afterward by security practitioners. But as development cycles continue to shrink, this tacked-on approach creates an unacceptable bottleneck. DevSecOps—short for development, security, and operations—was designed to address the issue by integrating security into every phase of the software development lifecycle, from initial design through integration, testing, deployment, and software delivery.
Shifting security left to earlier in the software development life cycle (SDLC,) lets development teams implement fixes earlier in the production process, when they’re easier, faster, and less expensive to fix. Ultimately DevSecOps removes the security silo, making application security a shared responsibility of development, security, and IT operations teams.
This is part of an extensive series of guides about DevOps
DevSecOps is designed to deliver “software, safer, sooner”, an increasingly vital requirement for today’s app-driven world. The process delivers the following key benefits:
Developers and IT/operations specialists work together as one team in DevOps. They establish shared goals, processes, and KPIs to deliver software and applications and analyze, update, and improve the delivery process.
In DevSecOps, developers and IT/operations are joined by security staff to meet these shared goals and to add security to the process. DevSecOps integrates security-related tools and implements security practices earlier and throughout the SDLC. This improves the integration of security into the CI/CD process, making it simpler, faster, and more efficient to make security changes throughout the SDLC.
How do you translate those goals into practice? Which specific security processes can you automate and integrate into the rest of your CI/CD pipeline, and how can you do it?
Let’s explore those questions and look for some answers, based on the current state of DevSecOps tools and practices.
Scanning your code for vulnerabilities is a basic first step for securing your products. And integrating vulnerability scanning into your CI/CD process is an obvious place to start for implementing DevSecOps.
What this means is ensuring that code is checked for vulnerabilities at every major stage of the delivery pipeline – from the time it is written to when it is deployed into production. To achieve this level of integration, you’ll need to ensure that the parties responsible for these various stages of the pipeline have the training and tools they need to detect vulnerabilities in your code.
There is a range of tools to do this, as follows:
Software Composition Analysis (SCA). SCA tools perform automated scans of an application’s code base, including related artifacts such as containers and registries, to identify all open source components, their license compliance data, and any security vulnerabilities. In addition to providing visibility into open source use, advanced SCA tools also prioritize vulnerabilities by level of risk and automatically remediate them.
Static Application Security Testing (SAST). Also known as white-box testing, SAST enables developers to detect security flaws in their custom source code. It is usually implemented very early in the development cycle as it scans an application before code is compiled. SAST is the most mature and easiest to deploy of the application security testing (AST) tools.
Interactive Application Security Testing (IAST). IAST uses agents and sensors in running applications to detect vulnerabilities in real time. IAST can identify the problematic line of code and notify the developer for immediate remediation. It is highly scalable and easily integrates into the CI/CD pipeline. Dynamic application security testing (DAST) is a type of black-box security testing that looks for security vulnerabilities by simulating external attacks on an application while the application is running. It attempts to penetrate an application from the outside by checking its exposed interfaces for vulnerabilities and flaws.
Runtime protection is another critical security process that should be integrated across the CI/CD pipeline as part of a DevSecOps strategy.
Runtime protection secures software against threats that can arise when your application starts running. Although discussions about runtime security have traditionally centered on securing software only once it is in production, runtime threats can exist during earlier stages of the pipeline, too – and even if they don’t, thinking about runtime security early in the delivery process helps ensure that when you do deploy, you’ve already mitigated runtime threats. Both of these reasons are why runtime security should be integrated across the CI/CD pipeline, and not limited to production environments.
The specific tools and strategies that you use for runtime detection will vary depending on your specific needs. At a minimum, however, you’ll want to ensure that you are monitoring your application for unusual behavior that could signal a breach. Just as important, you should be aware of which environment variables or configuration settings could create security vulnerabilities in runtime and have a process in place for identifying those risks.
Another important strategy for integrating security into your application delivery process is to take advantage of the security features offered by your cloud service provider (CSP). Many of these tools are positioned at the deployment and post-deployment end of your DevOps chain, and thus resemble more traditional after-the-fact security services. But they still serve an important function as part of your application’s outer defenses — and because they are part of the cloud infrastructure, they are generally easy to automate and systematize.
Note that your CSP’s security features may not be enabled by default, and they may need some configuration, so you may need to take active steps in order to make the best use of them.
Setting standards and policies for security is largely a hands-on job. You can scan your source code and infrastructure for vulnerabilities, but the process of deciding what your security priorities should be and how they should be implemented still requires serious thought on the part of human beings. The same is true of building in security standards at the design and code levels.
The implementation of the General Data Protection Regulation (GDPR) on the part of the EU makes it even more important for security standards to be clearly formulated and put into place at the level of design. Building such standards at the operational level, on the other hand, can be automated to a large extent, by using orchestration tool/service mesh features such as RBAC (Role-Based Access Control) to enforce policies with a high degree of granularity. The design of role-based access policies should be given as much attention as the design of security standards in your application source code — and they should both be regarded as high-priority tasks.
Container orchestration tools such as Kubernetes have become a near-necessity when it comes to deploying large, container-based applications. Service meshes, which can work with orchestration tools and manage such things as service discovery and access, as well as the relationship between users, container-based applications, and external services, are becoming increasingly important in their own right.
Tools such as these are key elements of DevSecOps at the deployment level. They act as highly scalable layers of insulation between containers and the outside world (so that users and would-be attackers can only access services concealed behind proxies, for example, rather than individual containers), and they can take care of such tasks as authentication, authorization, and encryption. And they are designed for automation from the ground up. Even more than with CSP security tools, however, you need to be aware of the security features that orchestration tools and service meshes provide, and you need to enable (if necessary) and configure them. Kubernetes’ role-based access configuration (RBAC), for example, should be a key element of DevSecOps under most circumstances, but it is not enabled by default.
Implementing DevSecOps requires you to perform a broad evaluation of your existing IT resources and DevOps processes, then build a holistic strategy that integrates stronger security into all of them. To successfully transition from DevOps to DevSecOps you need to:
You can dig deeper into how you can transform from DevOps to DevSecOps at scale by watching this webinar.
As previously mentioned, DevSecOps takes a different approach to how and when security scanning and fixing happens. Ensuring that this approach works well requires your organization to adopt a new culture that supports the DevSecOps philosophy. To achieve this, you’ll need to perform a broad evaluation of your existing IT resources and DevOps processes, and implement changes that:
Put developers first. Make sure that the security tools and solutions you introduce are easy to understand and easy to use for developers. Ideally, they should integrate into developers’ existing workflow so they don’t even need to switch to a different tool to perform scans or remediation. If the tool is seamless to use, developers will adopt it, security will shift left, and will be instilled throughout the SDLC.
Prioritize vulnerabilities and reduce false positives. A significant obstacle that teams face is that they get overwhelmed with scan results. Modern security scanning can generate too many alerts of vulnerabilities for teams to handle. At best this means they simply don’t address them fast enough and at worst they choose to neglect the alerts because they’re too intrusive and it’s impossible to fix them all. Overcoming this challenge requires a tool that can prioritize the vulnerabilities that can really affect you based on your particular requirements and your specific patterns of using code, components, and dependencies. With this improved level of specificity, you will generate far fewer false positives in your security scans. You will get fewer alerts and those you do get will be more accurate and deserving of your attention. This makes the security process more accurate, and more reliable, and will encourage greater adoption.
Embrace automation. Automation can transform your security processes by enabling prioritization, reducing false positives, and removing the need to perform repetitive and time-consuming tasks manually. Automation significantly accelerates the scanning and remediation of vulnerabilities and hugely enhances the accuracy and targeting of this activity. This plays into the main objective of implementing DevSecOps, which is to automatically inculcate security directly into everyday development tools and the CI/CD pipeline.
Share responsibility and encourage communication. In a DevSecOps culture there are no silos, so developers must understand and learn that scanning for and remediating vulnerabilities is no longer just the responsibility of security colleagues at the end of the development process. Now, security is intrinsic to an iterative and integrated end-to-end development process in which everybody should be involved. You can begin to change your culture incrementally, by encouraging new practices like undertaking security checks in code review. And with the implementation of CI/CD pipelines, you can build a unified workflow that bakes security into your workflow or SDLC from the very first lines of code that your teams write.
Foster transparency and visibility. Breaking down silos requires teams to communicate more, so they’re aware of more issues that need to be fixed. Silos may have traditionally been a way of ring fencing information and stopping dangerous code and software from spreading from one part of an organization to another. However, silos also make it difficult for different teams to communicate, so valuable information and findings can get withheld or miscommunicated between teams. Eradicating the isolation of developers and operations from security folk gets rid of this problem and encourages more transparency and visibility that contributes to a better, more secure environment.
Educate and encourage ongoing learning. Hand-in-hand with these factors is the need to train your teams so they all understand the DevSecOps philosophy, they have the right knowledge and tools to deliver it and they are all unified in pursuit of shared goals. This may require investment to bring your existing teams up to speed with new methodologies and tools, and the ever-changing nature of components, dependencies, and software development means that you can never stop learning more about the latest updates in code, software, and applications.
There are other important aspects of DevSecOps that should factor into your implementation strategy such as monitoring, log analysis, and alerting. Many of these, however, are standard elements of software and Internet security overall, so I haven’t focused on them in this post. Instead, I’ve centered discussion on how DevSecOps can fully integrate application development, infrastructure management, and other DevOps activities which have not been traditionally associated with security.
And maybe that is the bottom line: when security becomes fully integrated with the CI/CD pipeline, DevOps and DevSecOps become the same thing, and that in turn becomes simply “the way we do software.”
Perform a broad evaluation of your existing IT resources and DevOps processes and leverage the following tips:
Constantly monitor the performance of your DevSecOps. Stay up to date on the latest vulnerabilities, tools, and fixes, and ensure that they are integrated into your processes seamlessly. The threat landscape never sleeps, so you must be equally adaptable, responsive, agile, and nimble in your adoption of new updates, techniques and tools.
DevSecOps is a work methodology. Its aim is to optimize collaboration and understanding between software developers, IT operations departments, and application software security professionals to increase agility in development and deployment processes. DevSecOps is more than just a set of tools and skills. It is a philosophy about a way of working together to maximize the effectiveness of software and applications and to minimize the risks that can arise from their development.
At Mend, we are focused on providing you with a platform and tools that complement the work of DevSecOps, support the demanding deadlines of modern application development environments, and improve AppSec outcomes.
Check out our webinar, “Building a Modern Application Security Strategy for an App-Run World,” in which Jeffrey Martin, VP of Outbound Product Management at Mend, and Janet Worthington, Senior Analyst at Forrester, discuss the state of application security today.