Where Can We Actually Use DevSecOps?
DevSecOps is great in theory. But where does this approach make the most sense?
Join the DZone community and get the full member experience.Join For Free
DevOps is widely adopted as it has shortened the software and application development life cycle by combining IT operations and software development. With DevOps incorporated in many organizations, they are releasing software, features, and updates faster than ever and with greater changes. This means that there are serious challenges in applying and scaling security testing in these processes without drastically slowing down the time taken for such releases.
Hence, security in DevOps has not been embraced as effectively as DevOps itself. Introducing security checks early on in the development process is crucial for effective security. Although many businesses agree that introducing security early in the development life cycle is important, few actually do so. In spite of the risk of missing security threats early on and the headache of rework by adding security to the app development process too late, many businesses continue to incorporate security far too late in the development cycle.
The key reason being that adding security often slows down the development cycle and reduces the speed and frequency at which software, updates, and fixes are released. Nevertheless, in such dynamic environments, it is important to understand and implement best practices in security to stay relevant and to apply the latest in security tools to keep apps secure and without slowing down the app development lifecycle.
This is where DevSecOps comes in. Although security does slow down software releases, it remains essential as the benefits far outweigh the risk of a security breach. Not only does implementing DevSecOps reduce risk but it also saves rework and time by introducing security early in the development process. This is done by using security tools that can be automated and integrated early on especially during the code commit and the pre-implementation stage. Doing so ensures that the benefits of DevOps such as rapid application development and feature release are still carried out without compromising on security.
DevSecOps aims at creating new solutions for the software development process within an agile framework. DevSecOps unites seemingly conflicting goals, that of security together with fast delivery. This is done in iterations without slowing down cycles. This means security issues are identified as they are encountered and not only after a threat has occurred. With DevSecOps in use, enterprises can use the right tools and support to maintain the speed of their product releases, lower risk, reduce rework and other fixes. DevSecOps aims to measures integrate security with DevOps without slowing down the development cycle.
What Does it Mean to Use DevSecOps?
What does this mean when it comes to practically applying DevSecOps? To understand the uses and applications of DevSecOps, there needs to be a comprehensive idea of what DevSecOps actually is. At first glance, the most self-evident explanation of DevSecOps is simply the addition of security measures to current DevOps tools and practices. However, DevSecOps is a far more complex journey that spans network stacks, application code, infrastructure, and even people. To understand the uses of DevSecOps it is helpful to understand it as having three main approaches.
Technology: This refers to the actual DevSecOps tools and solutions used to add security to the software and app development cycle
Methodology: This is about when and how to apply security to DevOps
People and Philosophy: DevSecOps starts with involving people and garnering a philosophical mindset where development teams take more responsibility for security
Technology and DevSecOps
The current state of solutions for DevSecOps is still in a growing phase. One of the approaches to DevSecOps technology is to simply adapt existing security tools and making appropriate modifications to them and applying them to the new DevOps technologies such as containers, cloud technology and serverless. This is simply adapting existing security solutions to new stacks. While this works for some solutions, it is, however, superficial response to the need for new DevSecOps solutions.
An example for adapting existing security solutions for new DevOps technology can be taken from Trend Micro, which has released new updates that offer security for DevOps but still rely on their existing product. Trend Micro’s DevSecOps solutions provide security solutions for clouds and containers. The company has added features such as automated discovery and protection for cloud workloads on cloud providers. Another feature is its integrated image scanning in DevOps pipelines with continuous threat and vulnerability scanning. This has enabled scalability and agility with deployment scripts and APIs for major environments.
Trend Micro also offers features that support the use of containers. Containers allow applications to run smoothly in any environment, in the data center, or in the cloud. They help deliver applications faster and more consistently, catering to what customers really need. The tradeoff to the speed and environment flexibility is that this creates infrastructure complexity. This is subject to severe security consequences if they are not resolved early on.
Trend Micro helps secure containers through continuous monitoring, which is integrated early into the development process. Automation reduces manual touch points, and when brought into the maintenance and operation of the underlying infrastructure, it detects vulnerabilities and threats early on. These are some examples of adopting an existing security solution to DevOps technology, applied in a traditional security context.
While adopting older security measures to modern DevOps pipelines is acceptable, it cannot work for all such pipelines effectively. There will arise bottlenecks that can only be resolved by creating new solutions in their entirety. Such new solutions can address the new security needs introduced by the adoption of DevOps. Many existing organizations may find it challenging to create new products. However, it is an exciting opportunity for small and flexible startups to look into.
CloudCheckr is an example of a company offering entire new solutions to cater to the security needs posed by DevOps. CloudCheckr has integrated security configurations and activity monitoring for multi-cloud environments. They deliver cloud operations and governance best practices. Their solutions also have hundreds of automated configuration and security checks that strengthen cloud security posture.
They provide best practice checks that allow businesses to meet compliance mandates in different industries by automatically and regularly looking for common vulnerabilities. They provide tools that analyze logs and send alerts when users in a cloud infrastructure fail to comply with governance policies or other threats occur. Their solution helps manage the security issues caused by the changing nature of the cloud infrastructure.
Solutions like this allow admins to monitor changes and alerts when misconfigurations take place. Automation is also a key feature for securing cloud infrastructure due to the impracticality of manual administration over the enormous scale of cloud computing. A good cloud management solution can fix detected vulnerabilities automatically, without human intervention.
Prisma Public Cloud also provides similar solutions such as compliance management where Prisma provides a comprehensive library of frameworks that allow companies to follow compliance requirements at any time. Prisma allows continuous monitoring for vulnerabilities with machine learning, numerous built-in policies and asset classification for advanced threat detection and to monitor suspicious activity. This helps teams proactively monitor and respond through a multi-cloud landscape. Hence businesses can adopt entirely new solutions in DevSecOps or consider existing security measures enhanced with new adaptations.
The lack of new tools and technologies for applying security in a manner that prevents the stalling of the development process without compromising security is an opportunity for many smart businesses to develop DevSecOps technologies. Adopting such technologies is one aspect of truly bringing security into the development cycle. DevSecOps is a far more comprehensive concept that also includes adding security to new methodologies introduced by DevOps to the software development process.
Methodology and DevSecOps
Effective DevSecOps is not just about tools or technology. It is also when and how security is applied to DevOps. The popularity and adoption of DevOps has led to enterprises adopting continuous delivery (CD) and microservices as new methodologies in software and applications development. CD and microservices lead to faster development and small, granular components. However, this also means that these break current security methodologies. With the adoption of CD, stopping for checks and audits sets back the development process and is highly undesirable. To overcome this issue, automated checks in the pipelines are essential to retaining the speed of development without incurring the risk of security vulnerabilities.
To address this, SAST, or Static Application Security Testing, tools were used for security scans. This was highly inefficient as such tools took too long for single code scans in a frequent build environment. Many SAST tools introduced incremental scanning to test only the code that changed. This was faster and could fit within the CD pipeline but as in the previous section on technology, this was simply a superficial adaptation of an existing security tool which is not suitable over the long term or for other DevOps processes.
For complex situations, such as the movement from a monolith application to microservices, i.e. moving from a single application to smaller, interconnected services, such superficial adaptations are unacceptable. Solutions to simply monitor a single entity which is then adapted for microservices does not work. In microservices, data flows between dozens to hundreds of different services. Hence, security measures need to change to meet the requirements of this more dynamic and complex environment. Security measures must identify attacks in real time and must be able to scale to monitor a large number of services that each have significant data flows between them.
New solutions are necessary to tackle these problems. This can be done by tracking service-to-service communication, flagging unauthorized connection attempts, or by aligning security insights for each service with their respective operations dashboards. Startups like Aporeto and SignalSciences have developed solutions that tackle security issues brought about by embracing new DevOps methodologies.
Aporeto offers DevSecOps solutions for cloud technology through user-to-service and service-to-service authentication, authorization, as well as encryption. Users have uniform API access across services and a combined user and app identity policy enforcement. It removes the need to build an identity management infrastructure. Aporeto’s solutions enable the integration of vulnerability assessments in CI/CD, threat and vulnerability management for container images and many other features that truly reflect the DevSecOps movement. SignalSciences, another startup, focuses on providing a web protection platform that runs as a module in major web servers. The platform identifies and uses custom signals for account takeovers, flaws in business logic flaws, and monitor application flows.
Focusing on the technology aspect of DevSecOps does not give a clear picture of what DevSecOps is or how it can be applied across an enterprises application development cycle. Undertaking DevSecOps within methodologies is broader than merely focusing on technology alone and it offers value over time. Businesses incorporating security into their development cycles will require support such as in securing microservices with supporting containers. Applying security to DevOps methodologies protects the product, the business, and users in the long run by adopting a more rounded and robust approach to security.
People, Philosophy, and DevSecOps
Probably, the most challenging aspect of incorporating DevSecOps is creating a changed mindset and adopting a new philosophy towards application development throughout an enterprise. At its core, DevSecOps is about shifting the responsibility for security entirely from the shoulders of security specialists to sharing responsibility across different teams, especially with the development team.
Ultimately, the term DevSecOps is a convenient label that helps normalizes the idea that security measures and responsibilities are to be shared around the table, and security should be introduced early into the app development process. By now, it is evident that applying security to DevOps is more than adopting new technology. It is a far broader topic that includes infrastructure, network stacks, code, and, above all, people.
It is necessary to remove Silo thinking and practices within teams and to improve and increase communication between development teams, operations teams, and security teams throughout the development process and all its stages. By involving developers in security, there are a number of changes that need to happen for successful DevSecOps implementation. Developers need to write code that is more operable while operations teams must treat infrastructure as code. Enterprises must use relevant techniques and tools to scale security across the development and deployment of software.
Since developers and operations teams are to be more involved in security, it shines a light on a gap in existing tools to make DevSecOps more easy to adopt. Development tool companies must consider and work towards adding security to their products and solutions features as adding security to development tools is easier than the other way around. One of the main reasons why getting developers to embrace security is challenging is because of the lack of tools. Some of the tools currently being used are GitHub Security Alerts, OWASP Dependency Deck and DepShield. As DevSecOps becomes more common, it is likely that comprehensive development tools will appear that enable developers to incorporate security early on in the application development cycle, without loss of speed.
Making DevSecOps Work in Your Organization
DevSecOps is gaining in popularity as the benefits of putting security measures in place early in the app development cycle become more and more evident. With the widespread adoption of DevOps, businesses are able to release software, applications, fixes, and updates at a much faster rate. The fear that adding security early in the app development cycle will slow down the process is a valid concern, but new tools and techniques in DevSecOps are emerging that ensure that the application development process is disrupted as little as possible.
It is essential for businesses to adopt DevSecOps tools and practices as the risk of a security breach occurring creates a heavy penalty. Incorporating security into the development process can be done without stalling the application development lifecycle. Doing so means incorporating security measures in more than one area. DevSecOps is not merely about tools and technology, but it is a broader concept that involves methodologies and people. One of the major concerns that DevSecOps tries to tackle is to get developers to share the responsibility for security and to incorporate security early into the development process. Businesses seeking to implement and adapt DevSecOps should start with introducing the concept to their people first, which will make adopting tools and methodologies easier.
Published at DZone with permission of Aman Juneja. See the original article here.
Opinions expressed by DZone contributors are their own.