Secure DevOps Practices

The term DevOps was formalized at the 2009 Velocity Conference, where John Allspaw and Paul Hammond from Flickr presented how they do 10 deploys per day. The concepts shown by Allspaw and Hammond are now standard components of the DevOps movement. Their formalization, together with the adoption of Agile and DevOps practices, has changed the way security verification is generally performed.

The notion of SecDevOps first appeared in a 2012 blog post by Neil McDonald of Gartner. He advocated that DevOps efforts should not be curtailed in favor of security while acknowledging that security was needed. His answer was that security should be integrated into the DevOps process. McDonald called this DevOpsSec, but most people now refer to it as SecDevOps or DevSecOps.

Secure DevOps is at the intersection of Dev, Ops & Sec. Folding security into the DevOps ethos of incrementally improving software in smaller, faster builds helps fix flaws earlier in the development process. Secure DevOps addresses the following key areas:
- Making reliable software
- Maintaining system confidentiality & integrity
- Governance & compliance
- Incident management

DevOps Security Challenges

DevOps practices facilitate condensed development cycles and product release timeframes while keeping product features and capabilities responsive to customer feedback and changing business objectives. They also have a considerable impact on security considerations.

Catching up to the fast-paced DevOps cycle

Traditionally, security tests took place towards the end of the release cycle, after all implementation and testing cycles had completed. A few infosec champions audit the release for security vulnerabilities and publish a long list of violations. Fixing these vulnerabilities can often lead to design changes as well. Many times, this delays the release cycle, which traditionally ran 4-6 months. With cycles of that length this strategy could still have worked, but with the increased adoption of Agile practices the release cycle has shrunk to sprint boundaries of 2-3 weeks. Performing security checks only every few months therefore increases the risk of attackers exploiting weaknesses in production. If security checks are not sufficiently automated, either the DevOps cycle will slow down or security hygiene will suffer. This phase lag may lead to insecure code that opens up vulnerabilities and weaknesses which attackers can then exploit.

Effective Communication between Security and Development Teams

Security teams and developers chase seemingly conflicting goals. Developers want to push software out of the pipeline as fast as possible. Security teams, on the other hand, want developers to fix all security vulnerabilities before pushing out the software. Both teams should work together to avoid conflicts and ensure that well-tested software is released with a quick turnaround.

It has often been seen that the security team does not effectively communicate and track security requirements with the development team. This can slow the process down, as the developers don’t know how to handle these requirements or are not familiar with security principles. Security requirements should be entered in the product backlog just like regular feature requirements. This will help in prioritizing them on a sprint basis.

Containers and Cloud Environment

A typical DevOps environment relies on cloud infrastructure and deployments, thereby introducing many cloud security considerations. Many new, open-source and still immature tools are used. In the fast-paced DevOps pipeline, a simple misconfiguration error or a security malpractice such as sharing of credentials can create unpleasant scenarios. At the same time, a typical DevOps environment may leverage multiple tools (Chef, Puppet, Ansible, Salt, etc.) that all require secrets management.

Containers come with their own risks. Container technologies like Docker or Kubernetes bring exceptional productivity to teams, but they can also create security headaches. Without proper checks and balances, for instance, containers can pose security risks because they are not adequately scanned for vulnerabilities.

There is no doubt that security should be embedded in the DevOps lifecycle, but it should be done in a way that does not hamper speed and agility. There should be proper collaboration between the DevOps team and the security team. To summarize, here are the top tactics to be successful at secure DevOps:
- Fail Fast through automation – Fail tests as early in the DevOps pipeline as possible.
- Integrate application security into the development tools – Integrate the tools within your IDE.
- Fix flaws as you write code – Developers should leverage tools to find and fix coding errors while they write code.
- Adapt to new development practices and technologies like Containerization, Microservices and Design patterns like feature toggles.
- Don’t stop for false alarms
- Provide operational visibility to measure and assess teams for compliance and risk.
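
As an added illustration of the "Fail Fast through automation" and "Don't stop for false alarms" tactics (example code, not from the original article): a pipeline gate that fails the build on findings at or above a severity threshold and skips only reviewed suppressions that have not expired. The finding format, rule IDs, file paths and suppression list are constructed for the example.

```python
import json
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output in a hypothetical normalized format.
FINDINGS_JSON = """[
  {"id": "SQLI-001", "file": "app/orders.py", "severity": "critical"},
  {"id": "XSS-014", "file": "web/search.js", "severity": "high"},
  {"id": "HARDCODED-SECRET-3", "file": "tests/fixtures/dummy.env", "severity": "high"},
  {"id": "WEAK-HASH-7", "file": "legacy/report.py", "severity": "medium"}
]"""

# Constructed triage decisions: each reviewed false alarm carries a reason and an expiry.
SUPPRESSIONS = [
    {"id": "HARDCODED-SECRET-3", "file": "tests/fixtures/dummy.env",
     "reason": "test fixture, not a real credential", "expires": "2030-01-01"},
    {"id": "XSS-014", "file": "web/search.js",
     "reason": "pending review", "expires": "2020-01-01"},
]

def gate(findings, suppressions, fail_at="high", today=None):
    """Return the pipeline decision: exit_code 1 blocks the build, 0 lets it pass."""
    today = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_at]
    active = {
        (s["id"], s["file"]) for s in suppressions
        if date.fromisoformat(s["expires"]) >= today  # expired suppressions stop applying
    }
    blocking, suppressed, advisory = [], [], []
    for f in findings:
        # An unrecognized severity is treated as critical so the gate fails closed.
        rank = SEVERITY_RANK.get(f["severity"].lower(), SEVERITY_RANK["critical"])
        if (f["id"], f["file"]) in active:
            suppressed.append(f["id"])
        elif rank >= threshold:
            blocking.append(f["id"])
        else:
            advisory.append(f["id"])
    return {"exit_code": 1 if blocking else 0, "blocking": blocking,
            "suppressed": suppressed, "advisory": advisory}

def run_gate(today=None):
    return gate(json.loads(FINDINGS_JSON), SUPPRESSIONS, today=today)

if __name__ == "__main__":
    result = run_gate()
    print(json.dumps(result, indent=2))
    raise SystemExit(result["exit_code"])
```

Run as an early pipeline step, the non-zero exit code stops the build; the expired suppression for XSS-014 shows why triage decisions need an expiry so a stale "false alarm" cannot hide a finding indefinitely.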

About the Author: Gurpreet Sachdeva is a technologist with more than 20 years of experience working on some of the most challenging technologies related to Cloud Computing, DevOps and Security. Being a keen Java enthusiast, he has worked in Java EE Technology with almost every major application platform ranging from Tomcat to JBoss, Oracle Application Server, and WebLogic. He has spoken at various conferences like Oracle – Java One, Great India Developer Summit, and Open Source India. He is a co-founder of Delhi – NCR – Java User Group and blogs at www.thistechnologylife.com. He has also authored a book, “Applied ELK Stack.” Recently, he has come out with a video course titled Practical DevOps Security.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.