How to integrate security into DevOps ?
DevOps is increasingly present in the workplace. This methodology, constituting a key competitive lever for businesses, aims to optimise the time to market of products/services by speeding up application production. It is founded on the sharing of practices and tools by the DEVelopment and OPerations teams.
With 96% of enterprise vulnerabilities found in applications, there are major security stakes at play. Its adoption is thus the perfect opportunity to establish security as a pillar of this new company culture.
Implementing DevOps successfully
As businesses continue to open themselves to the outside world, the importance of mitigating the many risks linked to application development becomes ever greater. Strategies for the DevOps transition are emerging, and it seems paramount to correctly prepare for its adoption, to not rush into things and to think security from the start.
On the ground, DevOps is often a way for developers to have greater influence on the production environment and have a direct positive impact on a company’s agility. This easy solution brings heightened risks for business security, and so incorporating security into DevOps is essential if its adoption is to be a success.
DevOps was born out of the necessity to cut the time between idea and delivery of the product or service, yet these concepts are generally misunderstood. If businesses want an efficient transition, they cannot remain immobile. They must take advantage of the technical and organisational changes to incorporate security very early on in application development.
Furthermore, people play a fundamental role in the success of such an initiative. There must be a cultural, even philosophical, shift in practices, which should be supported by training, awareness campaigns and the appropriate communication. To prosper, security must be part of this shift.
Identifying new security concerns through a proper understanding of DevOps
One of the founding principles behind DevOps is that the product being developed is constantly modified. So, it seems only natural that the architecture/database design and requirements gathering phase be briefer than in a ‘waterfall’ cycle. Risk analysis as it is known today thus seems unsuitable and too heavy. Incidentally, France’s National Cybersecurity Agency (ANSSI) has recently begun efforts to adapt risk management to the Agile environment.
The development stage takes agile development methods and introduces a continuous integration platform. When it comes to security, and in order to not impede the production cycle, it is important to automate security tests as much as possible. In addition, a static code analysis tool should be integrated into the developer’s’ IDE, so they can remedy vulnerabilities in real time and only generate the artifact if the security tests raise no objections.
Continuous deployment allows for entirely automated delivery mechanisms and controls risks surrounding new releases. Existing tools are a plenty and make continuous validation difficult. Security can be integrated via the on-the-fly construction of an environment in which dynamic application security testing (DAST) and automated attacks can be conducted.
DevOps promotes the use of tools that create Virtual Machines — needed for flexible applications — through programming. This facilitates a security engineer’s job by eliminating differences between environments; and, once hardening is complete, it is this environment that will be distributed (Infrastructure as Code). With a suitable management strategy, patch management is also made easier should it follow the application release cycle.
Lastly, in a DevOps environment, constant feedback and effective continuous monitoring are necessary to react as quickly as possible and adopt a continuous improvement approach. Excluding traditional security tracking though a SIEM, such monitoring must include checks for compliance and vulnerabilities and constantly track feedback. Tools for the automatic detection of changes should be used to ensure the platform’s stability.
Five key points for successfully combining security with DevOps
To successfully adopt DevOps in a secure fashion within your business, the following 5 operational principles must be followed:
- Break down silos and remove barriers between production, operations and security, so that all teams cooperate together. This means involving security personnel from the project’s outset.
- Establish smooth and regular communication throughout the cycle. Setting up dashboards, visible to all stakeholders, of ongoing projects and their progress facilitates overall management.
- Incorporate a code auditing tool in the continuous integration platform, which blocks executable code in the event of significant risk.
- Introduce a continuous deployment platform to standardise the software production chain and avoid non-standard customisations and elements. An example of such standardisation is the use of identical environments for tests and production.
- Apply a continuous improvement paradigm: at each iteration, feedback from users allows for alignment with their expectations. Take advantage of these iterations to refine the patch management process and branching strategy.
As we have seen, if we want to secure DevOps, tools must be adapted and standardised. And while these tools may exist, they are underused.
DevSecOps might not yet be a buzzword, but it won’t be long coming. And rather than considering it as an updated version of DevOps, it should be discussed in terms of the security requirements surrounding DevOps. DevSecOps involves 4 security techniques to guarantee a secure DevOps methodology:
- Risk control and constraint management
- Security design and automated tests (sometimes SECDEV)
- Secure deployment (sometimes SECOPS)
- Continuous security monitoring