What is DevOps Security?
DevOps security is a philosophy that combines three words: development, operations, and security. The goal is to remove any barriers that may exist between software development and IT operations.
As code is written and applications are developed, the value of constant communication and collaboration between teams cannot be emphasized enough. Beautifully written code may work on the developer's machine, but the application also needs to scale and function properly for a company's employees and customers.
DevOps is generally driven by a continuous deployment strategy. Development teams can add features and fix bugs so that software can be released continuously in faster cycles without disrupting the user's experience—or more broadly, business operations.
Security can become a large area of concern because developers often lean on programs, frameworks, libraries, and software development kits (SDKs) developed by outside vendors. Third-party code may contain a security vulnerability that may or may not have been addressed prior to a developer using it.
When developers and IT teams work in close contact, software is released with fewer errors. Further, each group can consider the needs of the other when planning new features and rollouts. Indeed, DevOps has transformed the culture of software development and IT.
What Are Some DevOps Security Challenges?
DevOps removes silos and injects a new level of efficiency to the software development process, but it is difficult to implement and can cause friction upon its introduction. For instance, since engineering and IT have traditionally been treated as two separate departments working relatively independently, the sudden integration of the two can cause cultural disturbances. What may be considered a realistic turnaround time for an IT administrator may be considered the opposite for a developer.
Often, it is the discovery of an incident, such as a security breach, that exposes the failure of DevOps. An example is the 2016 breach at Uber. Attackers hacked into Uber's private repository on GitHub to find login credentials that allowed them to access Uber's Amazon Web Services (AWS) environment. Within AWS, the attackers were able to find the sensitive rider and driver data they were seeking.
Developers traditionally are not tasked with security. However, with a DevOps security structure in place, the Uber developers would have been advised that publishing usernames and passwords to a GitHub repository, even one that is private, was not a wise decision.
A secure DevOps environment leverages various tools, processes, and policies to enable rapid and secure releases. In the Uber example, a final security scan should have been executed to ensure that no credentials were left embedded in the code. With DevOps, the strongest security measures possible are introduced throughout the application development cycle.
When developers must consider security when writing code, frustrations and delays may result. On the other hand, IT admins may not be used to working closely with developers because often, the application is already built for them with few modifications needed. Each side needs time to understand how each other works.
Security Vulnerabilities in the Cloud
As software is built in the cloud, vulnerabilities can increase exponentially. IT may be accustomed to traditional security point products like firewalls, which cannot provide complete protection in the cloud. As such, the tools and applications used in securing DevOps rely on cloud-based resources and may present themselves as vulnerabilities.
Unfortunately, many companies still rely on traditional, legacy infrastructure that, when combined with cloud-based services, creates a hybrid environment. These hybrid environments are often complicated and may not meet DevOps process standards.
Another challenge in establishing DevOps is talent. DevOps engineers are in high demand. The average annual salary for a senior DevOps engineer is more than $134,000 per year, according to ZipRecruiter. When an organization fails to acquire talent, it may have to train existing staff, which may cost less but can take time, impacting software release schedules and daily operations.
What is DevSecOps?
DevSecOps is a methodology that incorporates security into the software development process. The fundamental concept is that security is a responsibility that must be shared by both software developers and IT administrators, often integrating automated security tasks into DevOps processes.
Traditionally, application security was not a priority for developers. Security considerations usually came after an application was developed. Developers figured that antivirus programs and firewalls— built by others and installed by customers—would adequately do the job to secure an IT environment.
However, a rise in the number and sophistication of cyber crime exposed vulnerabilities in individual products and applications. Financial and reputation costs to companies skyrocketed. This prompted engineering and IT teams to unite to build security measures into applications early on in the development process and then continuously as new features and new releases were rolled out.
DevOps vs. DevSecOps
There are similarities between DevOps and DevSecOps.
Communications and Collaboration
Both recognize that teamwork is essential not only for production speed but also for production quality. Both make use of the agile framework to enable a dynamic and continuous work process that encourages open communication and collaboration at all stages of development.
Both embrace automation, using software to complete tasks that will otherwise require time-consuming, manual effort. Automation helps DevOps and DevSecOps achieve their objectives in a shorter amount of time.
While there are various stages in the development cycle, both DevOps and DevSecOps embrace continuous processes as a way to ensure that objectives are met. Because there are no silos, there are also no bottlenecks. Together, they continuously:
- Deliver new features or software updates, or entirely new applications
- Test and refactor the codebase
- Monitor and analyze the quality of the codebase and the strength of the security perimeter
- Merge the updated codebase with a secure repository
DevOps Security Best Practices
Embrace a DevSecOps Model
The model calls for communication and collaboration between teams, and when the teams are not aligned, failure will occur. The biggest failure, of course, is vulnerable code, but even the slightest misconfiguration can become an attack vector. When the security of the codebase becomes a priority, everyone on both the DevOps and IT teams is aligned and accountable for delivering the most secure code possible.
Policy and Governance
DevOps security may be a new mandate for the engineering and IT teams, but it is an extension of and should still conform to the organization's overall enterprise security, governance, and compliance policies. This ensures that the code that is developed and deployed meets the organization's security requirements.
Automate Your DevOps Security Processes and Tools
As the codebase grows, it becomes increasingly difficult to analyze every line of code for potential vulnerabilities. Automated security tools help teams configure and manage any potential risks continuously. In this way, testing for security can meet the speed requirements normally needed in DevOps environments without compromising quality. Automation also minimizes the risk of human error.
Visibility into all of the resources used to build and ship software is critical. DevOps teams increasingly lean on new, freely available, open-source tools to manage hundreds of security groups and server instances. IT security teams must be kept aware of these tools stored across the cloud where cloud security can be an issue. A DevOps security approach must bring visibility of all devices, tools, accounts, instances, containers, and credentials to ensure that all are compliant with the organization's policies.
All vulnerabilities must be uncovered and addressed before code is deployed. DevOps security can run tests on the production version to identify whether any issues exist. If they do, the teams can immediately focus on patches or security fixes.
One configuration mistake can easily be injected into a large codebase. With the speed of DevOps environments, it is imperative that teams quickly identify and remediate any errors in configuration. In fact, continuous configuration should be a practice across all codebases.
DevOps Secrets Management
DevOps teams use a range of tools to automate software provisioning, configuration management, and application deployment. However, these all require secrets management, because even in production environments, developers store privileged account credentials, secure shell (SSH) keys, application programming interface (API) tokens, and the like. Clearly, this is an attack vector, offering cyber criminals a way to steal an organization's data and disrupt the entire IT infrastructure. Removing or cloaking these embedded credentials from code is critical.
Privileged Access Management (PAM)
Further on the issue of access to privileged account credentials, even if the credentials are removed from the software provisioning and deployment tool, they are usually still shared among several members of the DevOps team. This privileged access can be a threat to the organization and needs to be managed. To address this, the team must implement the principle of least privilege, which states that an employee should be given only the access needed to complete their jobs. This reduces the chance of attackers from inside as well as outside the organization from gaining access to the code.
Another way to improve DevOps system security is to segment the network, a classic defensive strategy to prevent an attacker from doing damage to an entire network. When different servers are separated into different groups, enhanced security results. Teams can monitor performance to determine if there are any issues.
How Fortinet Can Help
An organization's attack surface keeps expanding, driven by the proliferation, complexity, and fragmentation of the organization's endpoints and applications. This brings more opportunities for malicious actors to launch sophisticated attacks. Greater visibility is needed, along with automation to stop these attacks before they occur.
FortiAnalyzer, which is part of the Fortinet Security Fabric, provides security analytics and automation for better detection and response against cyber risks, both known and zero day. FortiAnalyzer can be integrated into an organization's DevSecOps processes to seamlessly build infrastructure. It can monitor and manage various point security products in use across the enterprise. Network and security operations teams can use FortiAnalyzer to obtain a clear and consistent view of cybersecurity across the organization.
Further, FortiAnalyzer delivers big data network analytics and is designed for large-scale data center and high-bandwidth deployments. Its ability to handle complexity protects organizations against the most advanced threats.