DevOps Security

DevOps security is a philosophy that combines three words: development, operations, and security. The goal is to remove any barriers that may exist between software development and IT operations. 

As code is written and applications are developed, the value of constant communication and collaboration between teams cannot be emphasized enough. Beautifully written code may work on the developer's machine, but the application also needs to scale and function properly for a company's employees and customers. 

DevOps is generally driven by a continuous deployment strategy. Development teams can add features and fix bugs so that software can be released continuously in faster cycles without disrupting the user's experience—or more broadly, business operations.

Security can become a large area of concern because developers often lean on programs, frameworks, libraries, and software development kits (SDKs) developed by outside vendors. Third-party code may contain a security vulnerability that may or may not have been addressed prior to a developer using it.

When developers and IT teams work in close contact, software is released with fewer errors. Further, each group can consider the needs of the other when planning new features and rollouts. Indeed, DevOps has transformed the culture of software development and IT. 

DevOps removes silos and injects a new level of efficiency to the software development process, but it is difficult to implement and can cause friction upon its introduction. For instance, since engineering and IT have traditionally been treated as two separate departments working relatively independently, the sudden integration of the two can cause cultural disturbances. What may be considered a realistic turnaround time for an IT administrator may be considered the opposite for a developer.

Often, it is the discovery of an incident, such as a security breach, that exposes the failure of DevOps. An example is the 2016 breach at Uber. Attackers hacked into Uber's private repository on GitHub to find login credentials that allowed them to access Uber's Amazon Web Services (AWS) environment. Within AWS, the attackers were able to find the sensitive rider and driver data they were seeking.

Developers traditionally are not tasked with security. However, with a DevOps security structure in place, the Uber developers would have been advised that publishing usernames and passwords to a GitHub repository, even one that is private, was not a wise decision.

A secure DevOps environment leverages various tools, processes, and policies to enable rapid and secure releases. In the Uber example, a final security scan should have been executed to ensure that no credentials were left embedded in the code. With DevOps, the strongest security measures possible are introduced throughout the application development cycle.

When developers must consider security when writing code, frustrations and delays may result. On the other hand, IT admins may not be used to working closely with developers because often, the application is already built for them with few modifications needed. Each side needs time to understand how each other works.

As software is built in the cloud, vulnerabilities can increase exponentially. IT may be accustomed to traditional security point products like firewalls, which cannot provide complete protection in the cloud. As such, the tools and applications used in securing DevOps rely on cloud-based resources and may present themselves as vulnerabilities.

Unfortunately, many companies still rely on traditional, legacy infrastructure that, when combined with cloud-based services, creates a hybrid environment. These hybrid environments are often complicated and may not meet DevOps process standards.

Another challenge in establishing DevOps is talent. DevOps engineers are in high demand. The average annual salary for a senior DevOps engineer is more than $134,000 per year, according to ZipRecruiter. When an organization fails to acquire talent, it may have to train existing staff, which may cost less but can take time, impacting software release schedules and daily operations.

The model calls for communication and collaboration between teams, and when the teams are not aligned, failure will occur. The biggest failure, of course, is vulnerable code, but even the slightest misconfiguration can become an attack vector. When the security of the codebase becomes a priority, everyone on both the DevOps and IT teams is aligned and accountable for delivering the most secure code possible.

DevOps security may be a new mandate for the engineering and IT teams, but it is an extension of and should still conform to the organization's overall enterprise security, governance, and compliance policies. This ensures that the code that is developed and deployed meets the organization's security requirements.

As the codebase grows, it becomes increasingly difficult to analyze every line of code for potential vulnerabilities. Automated security tools help teams configure and manage any potential risks continuously. In this way, testing for security can meet the speed requirements normally needed in DevOps environments without compromising quality. Automation also minimizes the risk of human error.

Visibility into all of the resources used to build and ship software is critical. DevOps teams increasingly lean on new, freely available, open-source tools to manage hundreds of security groups and server instances. IT security teams must be kept aware of these tools stored across the cloud where cloud security can be an issue. A DevOps security approach must bring visibility of all devices, tools, accounts, instances, containers, and credentials to ensure that all are compliant with the organization's policies.

All vulnerabilities must be uncovered and addressed before code is deployed. DevOps security can run tests on the production version to identify whether any issues exist. If they do, the teams can immediately focus on patches or security fixes.

One configuration mistake can easily be injected into a large codebase. With the speed of DevOps environments, it is imperative that teams quickly identify and remediate any errors in configuration. In fact, continuous configuration should be a practice across all codebases.

DevOps teams use a range of tools to automate software provisioning, configuration management, and application deployment. However, these all require secrets management, because even in production environments, developers store privileged account credentials, secure shell (SSH) keys, application programming interface (API) tokens, and the like. Clearly, this is an attack vector, offering cyber criminals a way to steal an organization's data and disrupt the entire IT infrastructure. Removing or cloaking these embedded credentials from code is critical.

Further on the issue of access to privileged account credentials, even if the credentials are removed from the software provisioning and deployment tool, they are usually still shared among several members of the DevOps team. Privileged access management can be a threat to the organization and needs to be managed. To address this, the team must implement the principle of least privilege, which states that an employee should be given only the access needed to complete their jobs. This reduces the chance of attackers from inside as well as outside the organization from gaining access to the code.

Another way to improve DevOps system security is to segment the network, a classic defensive strategy to prevent an attacker from doing damage to an entire network. When different servers are separated into different groups, enhanced security results. Teams can monitor performance to determine if there are any issues.