DevSecOps: The Intersection of DevOps and Security

Marlo Vernon January 07, 2019


DevSecOps is transforming the way businesses meet continuously evolving customer requirements. With the speed at which DevOps allows for feature and service releases, it can be difficult for security to keep up the pace. According to a survey by Threat Stack, more than half of the companies questioned cut back on security measures in order to meet a deadline. However, side-stepping security for the sake of speed can expose your business to many risks.

Let’s take the example of Uber near the end of 2017. Uber faced a security breach in which the personal details of 57 million customers and 600,000 drivers were exposed. The company had to pay a ransom of $100,000 to the hackers to delete the breached information. The breach occurred because engineers failed to secure credentials in a GitHub repository they were using. The attackers then used those stolen credentials to gain access to the Amazon AWS instances supporting Uber, where an archive file containing the personal information was taken. Developers frequently embed credentials and other DevOps secrets directly in code for quick and easy access. Unfortunately, hackers take advantage of exactly these situations and prey on that negligence.

Security Before DevOps

In a traditional model, a security check of applications is performed at a late stage in the software delivery lifecycle. However, with the practice of continuous integration and deployment (CI/CD), late-lifecycle activities become significant obstacles to the constant delivery of customer value. By the time a security threat is discovered, the work is already done, so to meet deadlines teams prefer a patch over altering hundreds of lines of code. If security is considered an integral part of the process–right from step one–any vulnerability can be addressed as soon as it’s detected, at any point in the workflow.

DevSecOps is an idea of incorporating security into DevOps, ensuring security flaws are exposed at an early stage. It can be defined as the use of secure, agile workflows between development and operations, with constant analysis and monitoring throughout the process. By detecting security vulnerabilities much earlier, you can reduce the risks, saving dollars and resources. You get more time to add customer value to your software and spend less time and money fixing security incidents that are identified later in the product lifecycle.

[Figure: DevSecOps Lifecycle (Gartner Report: DevSecOps: How to Seamlessly Integrate Security Into DevOps)]

The Idea Behind DevSecOps

Before we look at how you can implement a successful security-focused DevOps model (DevSecOps), let’s delve into how misuse of DevOps tools and practices can potentially create security issues:

1. In a DevOps environment, the speed at which code is pushed and modified often outpaces that of security teams. It becomes difficult for them to keep up with code reviews. As a result, information critical to application security, like passwords, slips through and is exploited by hackers, leading to operational dysfunction.

2. DevOps teams frequently leverage new open-source tools to manage hundreds of security groups and server instances. A single misconfiguration error or security malpractice can propagate, causing operational dysfunction, or various security and compliance issues.

3. Containers are very popular in a DevOps environment due to the consistency and efficiency they provide to the developer–from development to production. However, they can pose security risks. Very often, containers are not scanned for vulnerabilities.

4. One of the common mistakes in a DevOps environment is inadequate secrets management. This provides a tantalizing opportunity for hackers to tamper with security and manipulate your IT infrastructure.


The DevSecOps View

Integrating DevOps and Security:

Here are some helpful tips to follow when building a system of continuous deployment and integration, in a DevOps culture, while still maintaining a high level of security:

1. Cultural Shift:

Security should be a part of DevOps. There is a perception that including security into DevOps will slow down or derail the process. Bringing a culture change to the organization is critical. DevOps teams require a shift in their thought process. They need to partner with security teams and work together to overlay suitable controls. Everyone should be responsible for adhering to the security best practices in their roles.

2. Automation:

To scale up security while maintaining DevOps speed, use automated security tools for configuration management, code analysis, vulnerability management, and credential management. Apart from the speed, automation reduces the risk arising from human error and the associated vulnerabilities or downtime.

3. Impose Policy and Governance:

Craft transparent cybersecurity policies and measures that are understandable and agreed upon by developers and other team members. These guidelines will help teams write code that meets security standards. Ensure all tools, devices, and accounts are discovered continuously, authenticated, and brought under security management in accordance with the policies.

4. Secure Access via Secrets Management:

Remove embedded credentials that are inserted in code, files, scripts, service accounts, and other tools. Separate passwords from the code so that they’re stored in a centralized password safe when not in use.
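The Uber incident above and this tip both come down to credentials sitting in source. The following is an added example, not code from the original post: a small pre-commit style scanner that flags literal credentials in a file and passes the same file once the values are read from the environment. The two snippets it scans are constructed for illustration; the AWS key and secret in the vulnerable one are the placeholder values AWS publishes in its own documentation, not real credentials, and the regex heuristics are assumptions, not an exhaustive secret-detection rule set.

```python
import re
from typing import List, Tuple

# Heuristic patterns for the kinds of secrets the post describes being embedded in code.
# The AWS access key ID layout (AKIA + 16 uppercase letters/digits) is documented by AWS;
# the other two patterns are assumptions about how literal credentials usually look.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"'][A-Za-z0-9/+=]{40}[\"']")),
    ("hardcoded_password",
     re.compile(r"(?i)(password|passwd|pwd|token|api_key)\s*[=:]\s*[\"'][^\"']{4,}[\"']")),
]


def find_embedded_secrets(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_name) for every line that looks like a literal credential.

    Lines that pull the value from the environment are skipped: that is the hardened form
    the post recommends (secret injected at deploy time from a centralized safe).
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "os.environ" in line or "os.getenv" in line:
            continue
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, name))
                break  # one finding per line is enough to block the commit
    return hits


def commit_is_clean(text: str) -> bool:
    """What a pre-commit hook would return: True only if no embedded secret was found."""
    return not find_embedded_secrets(text)


# Constructed "before" snippet: credentials embedded in code (AWS documentation placeholders).
VULNERABLE_SNIPPET = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
db_password = "hunter2-prod"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Constructed "after" snippet: the same code with secrets separated from source.
HARDENED_SNIPPET = '''import os
import boto3
client = boto3.client("s3", aws_access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
                      aws_secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"])
db_password = os.environ["DB_PASSWORD"]
'''

if __name__ == "__main__":
    print("vulnerable:", find_embedded_secrets(VULNERABLE_SNIPPET))
    print("hardened clean:", commit_is_clean(HARDENED_SNIPPET))
```

Wired into a pre-commit hook or a CI step, a non-empty result fails the build before the credential ever reaches the shared repository.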

5. Harden the Container:

Secure the underlying operating system to prevent container breaches.

6. Enhance Visibility:

DevSecOps, the intersection of DevOps and security, helps you collate the information collected at every stage of the software lifecycle in order to gauge the health and efficiency of your process in real-time. Capturing the security testing information and making it accessible through a centralized platform can help development and security managers monitor risks and identify trends. DevOps team managers can use this information to minimize the introduction of security defects from the very beginning. On the other hand, security practitioners can use it as a benchmark to analyze the success of security controls embedded in the development process.

Conclusion

Incorporating security in DevOps can help you detect and remediate code vulnerabilities and operational flaws in the early stage of the software delivery lifecycle, enabling a productive DevOps ecosystem. Incorporating security at every part of the DevOps lifecycle ensures that security underpins each part of the application development process. It minimizes the likelihood of a data breach and enables the development of powerful technology in order to meet customer business requirements.

If you want to integrate security into your DevOps pipelines, you should adopt tools and practices that bring the development, operations, and security teams to a common, thoughtful process of security-focused DevOps, commonly called DevSecOps.

Centralize deployment data, security tools, and alerting with VictorOps collaborative incident response. Sign up for your own 14-day free trial to improve collaboration, build more robust systems and make on-call suck less.
