Automated DevSecOps is how IT execs are integrating security into their DevOps pipelines.
Join the DZone community and get the full member experience.Join For Free
To understand the current and future state of DevOps, we spoke to 40 IT executives from 37 organizations. We asked them, "How are you addressing security in your DevOps pipeline?" Here’s what they said:
- DevSecOps security baked in from the beginning. Security is a first class citizen with the number of breaches. Without security can’t survive. Have automation built in with security checkpoints. Skills are an issue, need to automate so as not to overwhelm developers. Address code security up front.
- As cyber threats continue to grow unabated and infrastructure becomes ever more complex in the cloud, it’s more critical than ever that DevOps embrace security from the outset. SecOps aims to ease the pain of integrating security into development and operations by automating as many security tasks as possible, fostering communication between teams, and enabling development that remains agile while being secure. Here are some specific best practices to undertake in six areas of infrastructure: 1) Create a Security Liaison -- At Threat Stack, we have a senior-level engineer that acts as a security liaison between the security and operations team. Whenever there is a dispute between the two teams, the liaison is able to use his expertise to find a resolution that aligns with the company’s goals. 2) System Access & Users -- When it comes to system access and users, live by the principle of least privilege. In order to achieve true security maturity in this area, you will need to embed the principle into your tools and day-to-day processes, even if you have already modeled it into your policies. Systematically automating and verifying your user access policies allows you to reduce the risk of human oversight that could result in insider threats. 3) Patching & Vulnerability Management -- Think patching is simple? Think again. According to the 2017 Verizon Data Breach Investigations Report, companies aren’t doing it with nearly enough regularity, giving attackers plenty of time to exploit known vulnerabilities that are months (or even years) old. To catch vulnerabilities before cybercriminals do, your organization’s approach to patching should be automated, standardized, and resilient enough to withstand automatic software updates. 4) Infrastructure Control Plane (AWS Console/API) APIs and management consoles are the functional equivalents of data center access when operating in the cloud. However, securing only your own data center in the cloud would leave your APIs exposed. Therefore, it’s necessary to evolve your security approach as you move to the public cloud by handling management consoles and APIs with the same level of sensitivity as you would a data center. This involves automating the shutoff of access to insecure or potentially compromised systems. 5) Networking With environments that are more complex and interconnected than ever before, traditional network security controls are no longer cutting it. Currently, many security and operations teams are restricting access between systems with network topologies, but it’s necessary to group servers by roles instead and to leverage automation to establish small network paths to model trust between peers. Additionally, architecture should run over the WAN rather than LANs. SecOps maturity in this area, therefore, means modeling authentication and authorization and not simply relying on the underlying network topology to define security. 6) Runtime & Services Considering that operations and security teams both benefit from the standardization of run times and software management, continuous integration, and streamlined software development life cycles, aligning goals should be relatively easy here. Once everyone is on the same page, infrastructure and runtimes can function as a shared utility, allowing engineers to innovate within these common structures. Applying the same principles across teams increases efficiency and helps to minimize the risk of failure.
- Transform DevOps into DevSecOps. Realize all apps are insecure. SQL injections are always present. 38% of cross-eyed scripting. Information leakage in 45% of applications. 40% content spoofing. 23% insufficient transport layer protection. It's getting worse. We expedited the delivery of applications. This increases vulnerabilities. We offer three fundamental technologies: 1) SAST (static analysis security testing) analyzing application code like a compiler and build logic tree and data flow of an application. Shows detected vulnerabilities and suggested remediation. Detect vulnerability as early as possible and fix as inexpensively as possible. 2) DAST dynamic application security testing, an automated hacker. Repository with scenarios. Analyze response to determine if broke or tricked the application. Produce a report with detected vulnerabilities and remediation advice. Need to keep testing on an ongoing basis. Hackers are looking for new types of attacks. Have to make sure new attacks do not penetrate your application. 3) SCA (software composition analysis) analyzes components of your application. Analyze application code, detect open source code and determine if secure, legality of the component, how far behind you are lagging from the most recent releases. Go get a fix. Detect vulnerabilities across the entire lifecycle in the code, the runtime behavior, and the components. With our technology DevOps transformed into DevSecOps.
- Obvious things managing what code gets into the pipeline, projects included, how managed, hardened view of where keep stuff. For us, it’s also understanding what’s going on. We use our own product for monitoring our own product – utilization and ingesting from what and where queries. Need discipline of always having your own practices that are at least as good as what your customer needs.
- From a consulting perspective, we recommend ingraining security into the value stream. Include in value stream mapping. If there are deficiencies, we make security part of the product. We promote it being farther left in the process and help understand how it affects the pipeline.
- Historically it's hard to ensure every time developers build app follow security rules of the organization. Separate flow not part of the build. Now with containers and images, we can have the scanning as part of the build process itself. Developers just click the build now button and the image is automatically scanned. Everything to remediate the problem. If the, the build does not match policy fail it and send it back to the developers.
- Security begins with AWS best practices focused on user management. Clean up account access. Get rid of shared accounts. AWS best practices related to networking and network access. Reverse engineer an environment already built and bake in configurations around security.
Here's who shared their insights with us:
- Tim Curless, Senior Technical Architect, AHEAD
- Will Hurley, Vice President of Software Lifecycle Services, Astadia
- Lei Zhang, Head of Developer Experience (DevX), Bloomberg
- Ashok Reddy, Group General Manager, CA Technology
- Sacha Labourey, CEO, CloudBees
- Logan Daigle, Director DevOps Strategy and Delivery, CollabNet
- Sanjay Challa, Senior Product Marketing Manager, Datical
- Colin Britton, CSO, Devo
- OJ Ngo, CTO, DH2i
- Andreas Grabner, DevOps Activist, Dynatrace
- Anders Wallgren, CTO, Electric Cloud
- Armon Dadgar, founder and co-CTO, HashiCorp
- Tamar Eilam, IBM Fellow, Next Generation Cloud and DevOps, IBM Research
- Mathivanan Venkatachalam, Vice President, ManageEngine
- Jim Scott, V.P., Enterprise Architecture, MapR
- Mark Levy, Director of Strategy, Micro Focus
- Glenn Grant, President - U.S. East, Mission
- Jonathan Lewis, VP of Product Marketing, NS1
- Zeev Avidan, Chief Product Officer, OpenLegacy
- Tyler Duzan, Product Manager, Percona
- Bradbury Hart, Vice President and Chief Evangelist, Perfecto
- Damien Tournoud, Founder and CTO, Platform.sh
- Bob Davis, Chief Marketing Officer and Jeff Keyes, Director of Product Marketing, Plutora
- Brad Micklea, Senior Director and Lead, Developer Business Unit, and Burr Sutter, Director, Developer Experience, Red Hat
- Dave Nielsen, Head of Ecosystem Programs, Redis Labs
- Brad Adelberg, Vice President of Engineering, Sauce Labs
- Adam Casella, Co-founder and Glenn Sullivan, Co-founder, SnapRoute
- Dave Blakey, CEO, Snapt
- Keith Kuchler, Vice President of Engineering, SolarWinds
- Justin Rodenbostel, Vice President of Open Source Applications, SPR
- Jennifer Kotzen, Senior Product Marketing Manager, SUSE
- Oded Moshe, VP of Products, SysAid
- Loris Degioanni, CTO and Founder, Sysdig
- Jeffrey Froman, Director of DevOps and Aaron Jennings, Engineer, Temboo
- Pan Chhum, Infrastructure Engineer, Threat Stack
- John Morello, CTO, Twistlock
- Madhup Mishra, Vice President of Product Marketing, VoltDB
- Joseph Feiman, Chief Strategy Officer, WhiteHat Security
- Andreas Prins, Vice President of Product Development, XebiaLabs
Opinions expressed by DZone contributors are their own.