The Mindful DevSecOps Practice
By Cliff Ellement
DevOps has come a long way. When DevOps was just sprouting and emerging as an alternative to the intricate practice of running a software project, it was not easy to combine and align Development and Operations, two vital units that were innately dependent on each other but existed as separate identities.
Still evolving, DevOps is faced with yet another challenge today. In a world of heightened cyber security concerns due to the rising number of cyber breaches, the need to introduce ‘Security’ to DevOps, making it DevSecOps, is required more than ever.
At a high level, DevSecOps is a methodology in which development, security, and operations teams collaborate throughout the lifecycle of a project. DevSecOps is often implemented by adding a certain level of security to the existing DevOps teams and agile processes. However, in order to completely address the scope and repeatability of Security in a DevOps process, it is best to consider a cultural change in the organization, because the Security and DevOps teams are required to work together.
While roles and processes are important, we must ensure that both the DevOps and Security teams have proper training and aligned objectives in order to develop a sustainable and ever-improving DevSecOps process, so that the teams work together in harmony with each other.
One of the ideas behind this collaboration is to include security earlier in the development process, which is known as shifting left. When security is shifted left, vulnerabilities and bugs in applications are uncovered and addressed sooner. This shift leads to more secure products at release time and fewer patches in production. Breaches can be devastating, requiring significant resources to repair the damage, pay compliance fines, and restore brand trust. To avoid these consequences, many organizations are adopting DevSecOps.
The challenge is to integrate the DevOps process with the security practices and policies in such a way that the flexibility and time-to-market (TTM) needs of DevOps teams are met while satisfying the requirements of the company’s security team, if there is one. More on that later.
To be clear, DevOps must become a part of every security discussion and security will become a part of every DevOps discussion. The best way to align groups is for each side to understand the needs, perspective, and expected outcomes of the other group. With this awareness, it’s much easier to understand how to best cooperate and perhaps compromise in order to achieve a collective goal. So, let’s start there.
How to align diverse objectives?
The key DevOps and Security team objectives will vary depending on the organization and product offer. However, there is a common thread across all organizations. Although some of the objectives do align with one another, some may be at odds with each other and will create friction if not dealt with properly.
| Key DevOps Objectives | Key Security Objectives |
|---|---|
| Time to Market / Cadence | Reduce exposure to Security Breaches |
| Flexibility – feature offering & rapid & frequent software updates | Protect Corporate Data Assets and Privacy |
| Predictable Release Frequency | Reduce impact of Security Breaches & Ensure Traceability |
| Time to Recovery | Alignment with Security & Data Privacy Regulations |
| Aim to Lower Service Failure Rates | Risk Management – Reporting to Corporate level |
So, how can DevOps and Security objectives be aligned and optimized for a given organization to maximize throughput and quality while minimizing security vulnerability exposure and corporate risk? Well, we first need to start with the following items.
Training: Just as with corporate-level security, every person in a company has a role to play in the security domain, even if it is only a better understanding of email phishing attacks. At a minimum, most employees should understand what breaches look like, what to do if a breach is discovered, and whom to contact within their organization. The security teams will require additional predefined policies and processes to handle the myriad of security detections and breach scenarios as well.
Security by Design: This approach requires a strong alignment between the Development and Security teams. First, to ensure that software applications and their source code are secure and clean from the initial design stage through testing, quality assurance and code release, development teams are the frontline of defense from a security perspective. This will require that specific DevOps primes are trained on security and that Security teams are involved in the early stages of the process in case their assessment is required. This collaborative spirit will also help to eliminate the inefficiencies associated with “passing the buck”.
However, since the primary responsibility for the corporation’s security ultimately lies with the Security organization, there must be a method to verify, audit and assess security vulnerabilities and risks early and throughout the development process. The ability of the Security team to be intimately involved, as well as embedding security controls and mechanisms within the agile development process, is essential.
Test as early as possible: A vast number of studies have shown that it is less costly to find issues earlier in the DevOps process rather than later. Thus, security testing should be embedded into the DevOps process to avoid the long lead times required by a traditional hand-off at the end of the process. Just as DevOps is a Continuous Integration / Continuous Delivery (CI/CD) process, so too there is a Continuous Security process, such as with Static and Dynamic Application Security Testing (SAST/DAST).
Automate everything: With the ever-increasing pace and cloud-native infrastructural scope of the DevOps environment, there is no way to review and test for security vulnerabilities by hand. There are just too many attack surfaces and vulnerabilities, and new ones are popping up every day. Continuous Delivery pipelines hinge on automated testing. Each software version, no matter how small, goes through the same testing before getting released to a pre-production environment and ultimately to production. This is a good thing, and security can take advantage of this playing field by adding static and dynamic security tooling (SAST and DAST respectively) to the pipeline.
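To make the “same testing for every version” gate concrete, here is an added example (not from the original post, and not tied to any particular scanner) of a pipeline policy step that consumes SAST and DAST reports and fails the build before pre-production when findings exceed a severity threshold. The report format, severity ranking and sample findings are all constructed for this example; findings with an unrecognized severity are treated as blocking so the gate fails closed.

```python
"""Pipeline security gate: fail a build when SAST/DAST findings exceed policy."""
import json

# Severity ranking used by the gate policy (constructed for this example).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample reports in a simplified, tool-neutral JSON shape.
SAMPLE_SAST = json.dumps({"tool": "sast", "findings": [
    {"id": "S1", "severity": "medium", "rule": "hardcoded-credential", "location": "app/db.py:42"},
    {"id": "S2", "severity": "low", "rule": "weak-random", "location": "app/token.py:7"}]})
SAMPLE_DAST = json.dumps({"tool": "dast", "findings": [
    {"id": "D1", "severity": "high", "rule": "reflected-xss", "location": "/search?q="}]})


def load_findings(report_json):
    """Parse one scanner report; tolerate a missing or empty findings list."""
    report = json.loads(report_json)
    tool = report.get("tool", "unknown")
    return [dict(f, tool=tool) for f in report.get("findings", [])]


def evaluate_gate(findings, fail_at="high", waived=()):
    """Return (passed, blocking_findings).

    A finding blocks when its severity is at or above `fail_at`. An unknown
    severity is ranked at the threshold so the gate fails closed. Findings
    whose id is in `waived` are still reported but do not block: a recorded
    risk acceptance rather than a silent skip.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f.get("severity"), threshold) >= threshold
                and f["id"] not in waived]
    return len(blocking) == 0, blocking


def run_security_stage(reports, fail_at="high", waived=()):
    """Gate run before promotion to pre-production; same policy for every version."""
    findings = [f for r in reports for f in load_findings(r)]
    passed, blocking = evaluate_gate(findings, fail_at, waived)
    return {"passed": passed, "total": len(findings),
            "blocking": [f["id"] for f in blocking]}


if __name__ == "__main__":
    result = run_security_stage([SAMPLE_SAST, SAMPLE_DAST])
    print(result)  # the high-severity DAST finding D1 blocks promotion
    raise SystemExit(0 if result["passed"] else 1)
```

The same step, with the same threshold, runs for every commit; a waiver list is how an accepted risk is made visible to both the DevOps and Security teams rather than being hidden in a skipped job.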
Integrate Verification Process: OK, this is where things get fun. How do we best integrate the DevOps process and meet security requirements in an environment where the Security team is responsible for minimizing cyber risk and the Development team must release high-quality software on time? In order to achieve a common goal across teams, one can consider the following:
- Integrate the specialization between the DevOps and Security teams to create a shared “security” responsibility.
- Ensure that the Chief Information Security Officer’s (CISO) team becomes part of the DevOps team, at least owning a piece of the delivery process. This takes the basic static and dynamic application security testing (SAST and DAST) and moves towards a more holistic view and adherence to corporate and regulatory policies.
- Develop open communications across all team members. Tools are already being adopted within organizations to help improve awareness and thus productivity.
As teams gradually come together, development teams armed with a deeper understanding of cybersecurity approaches will become more self-sufficient. They will identify their own security challenges, proactively adopt secure coding practices, and course-correct for the benefit of secure product delivery.
Concurrently, Security teams will often develop a greater understanding of development pressures and therefore drive more backend automation of security functions. This blending of knowledge and mutual understanding will develop into a cohesive DevSecOps culture aligned with corporate goals and risk profile.
Future posts will dig deeper into each of the above tenets as well as address the cultural differences between the DevOps and Security “tribes”. If you are in the DevOps or Security space, I would like to hear about your own experiences and concerns.