Written By: Jeremy Polansky, CISSP, Director of DevSecOps at Calavista
Putting Security at the Heart of DevOps
At Calavista, we were doing DevOps before it had a buzz-word title. Likewise, we’ve been doing DevSecOps for quite some time, and it’s about time we start calling it what it is.
If you want to learn more about DevOps and how it can speed up the software development lifecycle, check out some of our previous blogs like DevOps Methodology Explained or DevOps Metrics. It’s important to recognize that the many ways DevOps makes software development easier, sometimes can also make security breaches easier.
Why put the “Sec” in DevOps?
Processes like Automation, Continuous Integration, and Continuous Delivery allow developers to develop and deploy their code rapidly, over and over again. It’s possible to run multiple environments in parallel and to leave a lot of work up to automation. This saves hours of manpower and cracks open a world of possibilities for developers, but the tradeoff is that it can also introduce bugs and security issues more rapidly as well.
If your security screening and testing is not at least as fast as your development process, then the advantages of DevOps may be outweighed by newfound security problems. This is why security must be integrated into DevOps practices.
The Demand for DevSecOps
Think about it. In recent years, companies have been deploying software faster than ever. The software development lifecycle (SDLC) has become agile and continuous, which releases vulnerabilities into production with more speed and ease than ever. In order to keep up with the pace, security must apply in an equally speedy, agile, and continuous manner.
Even more, code never runs by itself. It runs on a server, on the cloud, by processes defined by the business and under governance from the industry or government where the company lives. All these components contribute to risk and must be properly evaluated for security weaknesses and mapped to the production server, but as the software and SDLC moves quicker, security teams must scale similarly.
But separating out security teams from development teams is not terribly effective either. As separate entities, it is all too easy for them to fall out of step, for security to fall behind. Good security also requires some knowledge of development and the SDLC. By working together, security can be integrated through the development and operations processes.
As with development and QA, development and security should go hand-in-hand. That means modern application security must be approached differently than other areas of security. Now with DevOps and the modern SDLC, we see the demand for the dedicated field of DevSecOps.
Using DevSecOps to Enhance Security
Hopefully, at this point, the importance of integrating security into DevOps practices and pipelines is clear. Still, that doesn’t mean that it is clear how to actually go about doing that. To “do” DevSecOps involves integrating development and security, using DevOps technology to advance security screening and empower developers to code more securely.
Integrating Development and Security
As mentioned above, leaning into DevSecOps means breaking down the walls between security teams and development teams. Application security is tied into the development team in critical ways.
Here are a few ways that the product team practices security:
- The dev team mitigates identified vulnerabilities
- The dev team architects apps securely
- The dev team chooses which third party libraries to use
While these are all integration points for security on the development level, security is rarely the main focus of development or the people in development roles. Developers aren’t paid to mitigate vulnerabilities, their focus is on writing code – that is, shipping new features and addressing defects. Similar things can be said for architects, DevOps engineers, and product owners. That is why the security team needs to be part of the development process and work closely with these players.
Increasing communication and collaboration between DevSecOps or security engineers with the development team can help ensure that DevOps contributes to the security of your development process rather than detract from it.
Using DevOps Technology to Enhance Security
Above, we discussed how DevOps practices without proper monitoring can lead to more security problems than they’re worth. However, we can still use DevOps techniques to improve security.
Automation tools can help automate elements of security screening. Principles similar to unit tests can be applied to security screening, making sure that no code is deployed without automatically being checked for vulnerabilities and receiving the all-clear. This means one of the toughest parts of security – ensuring every system is accounted for and scanned – becomes much easier when paired with the DevOps approach.
Static Application Security Testing (SAST, or Static Scanners) can run within a traditional CI/CD pipeline to ensure all code is scanned. This approach applies to tools like SAST, container scanning, and software composition analysis for the software supply chain (SCA). Since DevOps practices typically enable multiple environments such as QA and staging, Dynamic Scanners (DAST) and even manual assessments always have a new deployment to test. Since these deployments are maintained as code, there’s assurance that the environment won’t have different vulnerabilities when it goes live into production.
Organizations have seen the need for securing their software supply chain with tools like SonarQube and GitHub’s Dependabot, and even more since the Log4Shell vulnerability. It’s imperative these checks are done in tandem with DevOps. With Software Composition Analysis (SCA) and open-source scanning built into the DevOps pipeline, developers get notified when there’s a package that has a weakness in it as soon as the code is committed. Then if there’s an issue, the developer can remedy it quickly. If these checks are done later on, it becomes more difficult to alter the third-party libraries which increases technical debt on the whole project. With a DevOps approach, technical debt is avoided, and supply-chain vulnerabilities are remediated quicker.
Conclusion
At Calavista, our thought leadership on best practices in software development have been a point of pride for over twenty years. Founded on DevOps tenets like Continuous Integration and Continuous Delivery, we have never stopped pushing the field of development. We were doing this before the term DevOps even existed, and we have been ensuring stable and secure development within those pipelines before anyone ever uttered the phrase “DevSecOps.”
The goal of DevOps is to keep developers developing as efficiently as possible, but with the rise of advanced cybersecurity threats, more attention needs to be paid to security within the development process. We don’t want each of our developers to become security experts, but we do want to deliver secured code. That’s why we are embracing the concept of DevSecOps, bringing security into the conversation, encouraging close collaboration between security, developers, and operations managers.
