Five Ways To Get Started With DevSecOps
Security Analyst Reviews This 'Emerging' Space
Integrating, and thus automating, security via the continuous integration and delivery (CI/CD) processes of DevOps, an approach referred to as “DevSecOps,” is a topic that had, until somewhat recently, been discussed largely only at DevOps and cloud-specific forums and events. But DevSecOps is coming of age.
The ongoing adoption of DevOps by enterprise organizations, and the growing interest in bringing security along for the ride, is getting the topic a bigger stage, with DevSecOps being presented in sessions at more mainstream events such as RSA Conference, the CISO Summit at Black Hat and VMworld. The adoption of application containers and the Kubernetes environment that orchestrates their lifecycle across the build-ship-run continuum has also been a catalyst for CI/CD integrated security. Because DevSecOps starts with a cultural shift, leverages CI/CD methods and requires purposeful controls, it is an amorphous concept not only hard to define, but challenging to make actionable.
ESG research highlights the state of DevSecOps with respect to the adoption of DevOps and interest in DevOps security use cases. DevOps is no longer employed exclusively by cloud-native SaaS brands, as evidenced by the 90% of respondents from enterprise organizations who shared that they have, plan to, or are interested in employing a DevOps methodology to automate the continuous integration, deployment and monitoring of code and infrastructure. Security could well be – and arguably should be – a prime use case for DevOps, as indicated by the 40% of participants in ESG’s research who are evaluating security use cases that leverage their DevOps processes. Therein lies the DevSecOps adoption gap – a need for specificity on DevSecOps use cases.
The shift-left analogy to convey the need for, and benefits of, integrating security into modern application development and code delivery methods is hard to argue with; it’s the stuff of motherhood and apple pie – writing secure code reduces the risk of an unintentionally introduced vulnerability from being exploited. But shift-left connotes a strong association with application security, a critical but not complete scope of how we should think of DevSecOps. As such, we need a broader definition, one that also shifts security to the right. To get started, here are five ways to gain internal alignment, define requirements and employ the right tooling to leverage DevOps to automate security.
Agree security is a shared responsibility. Dev and security teams can’t pass the buck when it comes to securing modern infrastructure. While the notion of security as a shared responsibility is typically associated with the relationship between a cloud service provider and the customer, it also serves as the basis for bridging the gap between DevOps and security. Hybrid cloud security is indeed a team sport, with ESG research highlighting the fact that many departments have a role in defining hybrid cloud security policies, including AppDev and DevOps teams, line of business owners and security and networking teams. Organizations need to reimagine the defining of security policies and the implementation of those policies as cross-functional endeavors and shared responsibilities.
Orient DevSecOps around risk. Developers are chartered with writing and delivering code into production, and cyber security pros with making sure the entire stack is secure; too often the speed of the former and diligence of the latter make these objectives at odds. Common ground can be found by discussing the risk profiles of different apps. For example, internal-use-only applications often pose less risk to the business than externally facing applications, especially those that capture and retain sensitive data. It is through such a lens that developers and security teams should strive to find agreement on how to mitigate the risk associated with the most business-critical applications.
Make CI/CD tool chain integration a requirement. We should stop looking for the network tap when it comes to cloud security and, instead, employ security controls with a DevOps design center. Native integration with the continuous integration and continuous delivery (CI/CD) tools the dev team is already using must be front and center on the requirements list for cloud security offerings. Necessitating a tool change, or additional code that bolts on a security control, will just create friction and won’t yield repeatable automation. More specifically, support for tags that denote workload roles, awareness of temporal workload instances, APIs and out-of-the-box scripts for integration with orchestration tools such as Chef, Puppet, Ansible and Kubernetes, and build tools such as Jenkins and Bamboo allow for easy integration and happy developers.
Embrace Agile project management. In the context of security as a shared responsibility, product owners should also be cyber security champions. That starts with authoring security-related user stories for a future sprint – ideally in the near future. The cyber security team should collaborate with the product owner on crafting and prioritizing those user stories and should join the daily scrum stand-ups to embed themselves in the team.
Author user stories by stage and environment. So, this is really the meat of it – writing user stories for the pre-deployment and runtime environments that span the continuous integration and continuous delivery stages of DevOps. In addition to automating composition analysis and static code analysis as an integrated element of the software development phase, DevSecOps user stories should also cover automating security and compliance configuration assessments, as well as vulnerability scanning and remediation in the test environment and as part of the build phase. And, finally, DevSecOps should shift-right by applying runtime detection and prevention controls for when code is shipped to production. Such user stories will assure that security processes and controls are truly bolted in at each stage of an app’s lifecycle.
Another cyber security theme tied at the hip with DevSecOps is the perspective that security is fundamentally broken because its processes and controls are too often bolted on versus bolted in. Whether DevSecOps is the right term for CI/CD integrated security is beside the point; DevSecOps represents an opportunity for organizations to improve their security posture by bolting security into how modern infrastructure is developed, delivered, monitored – and secured.
Doug Cahill is a senior analyst covering cyber security at Enterprise Strategy Group drawing upon more than 25 years of industry experience across a broad range of cloud, host, and network-based products and markets.
Find him on Twitter: @DougCahill
Click here for more information on ESG Cybersecurity.
Be Sure To Check Out: Certifications A Part Of 'Vicious Circle' In Cyber Security Space?