DevOps Security: What Is DevSecOps?
By adopting DevOps practices, teams of developers can enable continuous feature integration, increase confidence in the applications they produce, and more.
What Is DevOps?
Firstly, DevOps is an acronym, short for development (Dev) and operations (Ops). It is mainly the union of people, processes, and technology to continually provide value to the business and its customers. It can also be its own department of engineers who possess the hybrid skills of developers, network administrators, and operations staff.
Its main focus is to bring the formerly siloed departments of development, IT operations, and quality engineering together so that they collaborate and coordinate as one. The outcome should be a faster time to market, more readily available systems, and more reliable products.
By adopting DevOps practices and implementing their tools, teams gain the ability to respond better to customer needs, enable continuous feature integration, and increase confidence in the applications they produce.
Examples of DevOps practices would be:
- Continuous development
- Continuous testing
- Continuous integration (CI)
- Continuous delivery
- Continuous deployment (CD)
- Continuous monitoring
- Infrastructure as code
However, the problem in the past was that these practices let us develop too fast, skip vulnerability scans, and fall out of security compliance. This left systems, resources, and code with open vulnerabilities.
What Is a Vulnerability?
In the context of DevOps, a vulnerability could be something akin to our credentials being uploaded to a public repository, malware being embedded in a software dependency, or a misconfigured resource that allows access to our resources.
Believe it or not, at the last consultancy I worked at, someone uploaded their credentials to GitHub and within 3 seconds it was scraped by a scanner bot. The following week, the company got a $20,000 AWS bill because a hacker had spun up resources to do crypto mining. A very expensive mistake indeed!
Did you delete your credentials before publishing to GitHub?
With these gaps, security could no longer be left until the very end of the development cycle. This is where DevOps security comes into play; it is also now known by another buzzword, DevSecOps. With its implementation, security starts right at the beginning and continues until the end of production.
Why We Need DevSecOps
Every day, hackers are looking for ways in to deploy malware and other exploits on your systems.
For example, imagine if they were able to insert malware into a software dependency or application during the build process. The malware would not be found until the application had been distributed to thousands of customers. The damage to both the customers' software and the company's reputation would be huge, especially in a world where bad news goes viral within minutes.
This is why making security a top consideration alongside development and operations is a must for any organization involved in developing applications and software distribution.
When you integrate DevSecOps, every developer, operations engineer, and network administrator will have security at the front of their minds when developing and deploying applications.
Benefits of DevOps Security
The first thing that comes to mind for DevSecOps is enhanced secure automation throughout the software delivery pipeline. This helps eliminate mistakes and reduces downtime and attacks.
The objective is to make security one of the core components of the software development workflow. Otherwise, it becomes far more expensive to fix any bugs you find later on in the development cycle.
Some of the benefits of DevSecOps security are as follows:
- Automation. Your focus as a DevSecOps engineer is speedy, secure delivery. The delivery pipeline won't be slowed down by adding security into the mix. By embedding automated security checks and tests early in the development cycle, you can ensure faster and more secure delivery of your applications.
- Threat modeling. Threat modeling can help you discover vulnerabilities in your resources and fill any gaps in your security controls. Software like Forcepoint's Dynamic Data Protection is a prime example of this in practice. It can be added to your pipeline to help you identify even the riskiest events that occur across your infrastructure, and it can help build the necessary protection into your DevSecOps workflows.
- Efficiency. If you are adding security to your workflows anyway, you can use tools that scan code as you write it, so you will find security issues much earlier.
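As an added example (not code from the article), here is the kind of automated check the Automation and Efficiency points describe, aimed at the credentials-on-GitHub scenario above: a small Python scanner that can run as a pre-commit hook or CI step and blocks the commit when a line contains an AWS access key ID or secret access key. The key values in the sample are the placeholder examples from AWS documentation; `SAMPLE_STAGED`, `scan_lines`, `precommit_gate` and the script name are names I chose.

```python
import re
import sys
from typing import List, Tuple

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 chars of [A-Za-z0-9/+]; require a telling variable name
# next to the value so that 40-char hashes and commit SHAs are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret(?:[_-]?access)?[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})\b"
)


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, finding type) for each line that leaks a key."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((n, "aws_access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((n, "aws_secret_access_key"))
    return findings


def precommit_gate(lines: List[str]) -> int:
    """Exit status for a pre-commit hook or CI step: 0 allows the commit, 1 blocks it."""
    findings = scan_lines(lines)
    for n, kind in findings:
        print(f"line {n}: possible {kind}; remove it and rotate the key before committing")
    return 1 if findings else 0


# Constructed sample of a staged config file. The key values are the placeholder
# examples from AWS documentation, not real credentials; the SHA line is a decoy.
SAMPLE_STAGED = [
    "[default]",
    "region = eu-west-1",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "commit_sha = 3b6f1e9c0a5d4f2e8b7c1a0d9e8f7a6b5c4d3e2f",
]

if __name__ == "__main__":
    # Real usage: `git diff --cached | python scan_secrets.py` (hypothetical file name);
    # with no piped input the constructed sample is scanned instead.
    staged = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_STAGED
    sys.exit(precommit_gate(staged))
```

A blocked commit is only half the fix: a key that reached a remote, even briefly, must be rotated, exactly as the consultancy story shows.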
DevSecOps — AWS Security
One of the great things about a cloud provider like AWS is that it provides security tools that can easily be integrated into your development process, software deployment, and infrastructure.
In the diagram below, AWS lays out which security measures it is responsible for and which security measures the customer is responsible for.
AWS doesn't leave us unequipped to secure ourselves: it provides the tools to achieve optimum security in every domain the customer has control over. This brief list covers the protection AWS can offer:
- Network firewalls that give the ability to create VPCs (Virtual Private Clouds) with private networks.
- Connectivity options that enable private, or dedicated, connections from an office or on-premises environment.
- DDoS mitigation technologies that can be applied at layers 3 and 4 and at layer 7.
- Automatic encryption of all traffic flowing across AWS global and regional networks.
- Deployment tools to manage the creation and decommissioning of AWS resources.
- Tools for tracking and managing inventory and configuration.
- Preconfigured templates and management tools to create standard resources, such as hardened virtual machines, that can be used across the business.
The list goes on. If you'd like to dive deeper, I would recommend logging on to the AWS console and searching for "security." You will get a whole list of services and documentation on how you could use them to secure your cloud deployment.
If you would like to check out AWS security best practices, I would recommend reading their white paper: Introduction to AWS Security 2020.
Please note that other cloud providers like Azure or GCP will also offer similar tools to help place security at the heart of your operations. They all have similar functions.
DevOps security has now evolved into DevSecOps, which, as you can see, aims to unite development, security, and operations.
It's no longer enough to have speedy delivery to market; DevOps engineers need to include security early on to catch any malware or vulnerabilities that might otherwise show up after distribution.
All it takes is a password exposed on GitHub and the hacker will have the keys to your environment. The best way to implement security is by thinking about how secure your application, processes, and environment are.
Published at DZone with permission of Adam Koyuncu. See the original article here.