As companies embrace the DevOps phenomenon in hopes of producing applications at a faster rate, they are also introducing insecure software into the digital ecosystem.
DevOps, itself, is a software lifecycle movement which blends developmental and operational tasks together to accelerate application-building in a quick, clean, and repetitive manner for faster time-to-market.
In DevOps environments, up to 500 software changes can be deployed each day, much faster than applications produced using more traditional methodologies such as Waterfall. But with this speed, companies are challenged to integrate security into their DevOps pipeline and produce quality software.
Traditional security tasks, such as third-party penetration testing, maintenance patching, and quarterly software upgrades, do not fit well within the DevOps process due to their slower pace. As a result, vulnerable applications are deployed which, when exploited, lead to regulatory fees, poor publicity, and reputation damage.
Many organizations wish to embed security processes and controls into the DevOps flow but must do so with little-to-no intrusion. There are social and technical changes required to achieve this goal.
The first requirement for baking security into the DevOps pipeline is corporate culture change. This cultural shift goes beyond the writing of security policies thrust upon departments like draconian edits.
Top executive management must understand and agree to the value security adds to the software they deliver to their customers. The agreement and understanding are demonstrated in actions and power given to development teams. For example, dev teams must be provided with project tasks and time allocation for security-related tasks.
Instead of viewing security errors differently, vulnerability fixes must be handled with the same rigor and treatment as any other functionality bug.
The second requirement includes an internal application security team integral to the construction of the software. This team composition can be security professionals alongside programmers who have shown an interest in security. Together, they ensure security issues are addressed as the software progresses through the pipeline.
The third requirement is the identification and automation of specific tools and techniques.
These products are used within the DevOps pipeline to improve the security posture of software changes. The internal application security team performs the training, maintenance, and data analysis of such tools. These tools include automated static and dynamic scanning of the code and application, auditing of configurations files (e.g., docker files), and infrastructure hardening checks.
Findings from such tools are cycled into the backlog for fixes and subsequent builds.
Collectively, all these requirements can help organizations find the answer to how to embed security within their DevOps workflows.
In conclusion, to learn more about aspects and details pertaining to these requirements, attend BSides Springfield 2018 in Springfield, MO. Sunny Wear’s talk, entitled “How to DevOps (while Sneaking in Security),” will also include specifics in tools and tactics for adding security to any DevOps pipeline.
Details about this talk and the conference can be found at the following link: http://www.securitybsides.com/w/page/121872231/BSidesSpfd%202018\
About the Author: Sunny Wear, CISSP, GWAPT, GSSP-JAVA, GSSP-.NET, CSSLP, CEH is an Information Security Architect, Web App Penetration Tester and Developer. Her breadth of experience includes network, data, application and security architecture as well as programming across multiple languages and platforms. In her 20-plus years of professional experience, she has participated in the design and creation of many enterprise applications as well as the security testing aspects of platforms and services. She is the author of several security-related books including her most recent entitled “Secure Coding Field Manual: A Programmer’s Guide to OWASP Top 10 and CWE/SANS Top 25,” which assists programmers in more easily finding mitigations to commonly-identified vulnerabilities within applications. She conducts security talks and classes at conferences like BSides Tampa, AtlSecCon, and Hackfest, CA.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.