DevOps Security: Secrets from the Trenches


By Gilad David Maayan

The marriage of software development and operations in the form of DevOps is now a well-established concept and has mostly replaced traditional waterfall development models.

However, security is one area that is still often overlooked in this methodology.

DevOps is a mindset that can and should be extended to incorporate security into the fabric of the software development lifecycle (SDLC).

The DevSecOps methodology aims to bake security into the SDLC, taking advantage of tools and practices to shift security to the left.

However, in essence, it is a cultural approach that requires the embrace of everyone involved.

Read on to learn about some of the security techniques that should be incorporated into your DevOps model.

Security Techniques for DevOps

Container security management

Containers are portable packages of data that contain dependencies and other relevant information in standardized units.

Containerization, typically in the form of Docker images, is incredibly popular among agile enterprises, as it allows workloads to be easily transferred between environments.

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management.

Today, Kubernetes dominates the market in terms of container orchestration, and this is partly because it readily integrates with numerous open-source and third-party tools and services.

Containers have benefits for security, as they provide isolation and eliminate dependency conflicts.

However, containers can also present security risks, as they often use open-source software, which may contain vulnerabilities.

For example, Docker containers have been found to expose users to crypto-mining. 

To reduce the risk, it is important to implement container security practices such as specialized vulnerability management: traditional vulnerability management is usually insufficient given the incredibly short lifespan of containers.

There are a number of proprietary and open-source tools for Docker security.

Organizations should also implement policies to ensure that only approved images are used.
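An approved-images policy is only useful if something enforces it on every deployment. The following is an added example, not code from the article or from any Kubernetes project: it parses container image references the way the Docker CLI does (filling in the docker.io/library default, separating a registry port from a tag, and extracting a digest), then audits every container in a Pod manifest against a constructed allowlist of registries and a require-digest rule. The registry names, the `SAMPLE_POD` manifest and the policy knobs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed allowlist: images must come from one of these registry/namespace
# prefixes (a hypothetical internal registry plus Docker official images).
APPROVED_PREFIXES = ("registry.example.internal/", "docker.io/library/")

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    name: str              # fully qualified repository, e.g. docker.io/library/nginx
    tag: Optional[str]     # mutable tag, e.g. 1.25 or latest
    digest: Optional[str]  # immutable content digest, e.g. sha256:...


def parse_image(ref: str) -> ImageRef:
    """Split an image reference into repository, tag and digest, applying the
    same docker.io/library defaults the Docker CLI applies."""
    name, digest = (ref.split("@", 1) + [None])[:2]
    tag = None
    # A colon after the last '/' separates the tag; a colon before it is a registry port.
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    first = name.split("/", 1)[0]
    if "/" not in name:
        name = "docker.io/library/" + name
    elif "." not in first and ":" not in first and first != "localhost":
        name = "docker.io/" + name  # user/image shorthand for Docker Hub
    return ImageRef(name, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return the policy violations for one image reference (empty list = approved)."""
    img = parse_image(ref)
    problems = []
    if not img.name.startswith(APPROVED_PREFIXES):
        problems.append("not from an approved registry: " + img.name)
    if img.digest is None:
        # A tag can be repointed after review; a digest cannot.
        problems.append("not pinned by digest")
        if img.tag in (None, "latest"):
            problems.append("uses the mutable 'latest' tag")
    elif not DIGEST_RE.match(img.digest):
        problems.append("malformed digest: " + img.digest)
    return problems


def audit_pod(pod: dict) -> Dict[str, List[str]]:
    """Check every container and initContainer image in a Pod manifest;
    returns {container name: [violations]} for offending containers only."""
    spec = pod.get("spec", {})
    findings = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems = check_image(c["image"])
        if problems:
            findings[c["name"]] = problems
    return findings


# Constructed Pod manifest, as a dict, as an admission webhook would receive it.
SAMPLE_POD = {
    "spec": {
        "initContainers": [
            {"name": "migrate",
             "image": "registry.example.internal/app/migrate@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "web",
             "image": "registry.example.internal/app/web:1.4.2@sha256:" + "b" * 64},
            {"name": "sidecar", "image": "nginx:latest"},
            {"name": "tool", "image": "quay.io/other/tool:2.0"},
        ],
    }
}

if __name__ == "__main__":
    for name, problems in audit_pod(SAMPLE_POD).items():
        print(f"{name}: " + "; ".join(problems))
```

In a real cluster the same check would run inside a validating admission webhook or be expressed as a policy-engine rule; the parsing rules matter either way, because `nginx:latest` and `docker.io/library/nginx:latest` must be judged as the same image.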

Deploy secure microservices 

Microservice architectures are a way to structure applications as collections of services, enabling fast and frequent software delivery.

While microservices are great for efficiency, they create bottlenecks and add complexity when it comes to security.

For this reason, it is important to design a security strategy for the use of microservices, shifting the security burden to the left and ensuring the consistent implementation of security measures.  

Prometheus is an open-source software application used for event monitoring and alerting. It records real-time metrics in a time series database (allowing for high dimensionality) built using an HTTP pull model, with flexible queries and real-time alerting.

One important factor in securing microservices is access control.

You can use authorization protocols like OAuth to help confirm user identity and restrict access to authorized users.

Another option to consider is the use of a distributed firewall, which offers granular control over each microservice.

There are also monitoring solutions that have been specifically designed with microservices in mind, such as Prometheus.
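The access-control point above is easiest to see in code. What follows is an added example, not code from the article: a microservice endpoint guard that accepts an OAuth bearer token in JWT form, verifies the HS256 signature against a shared secret, pins the algorithm (so a token claiming `alg: none` is rejected), checks expiry, and then enforces a required scope. The secret, the claim names and the `make_token` helper (which stands in for the authorization server) are assumptions; a production service would normally verify an asymmetric signature against the identity provider's published key with a maintained JWT library rather than this stdlib-only routine.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Tuple

# Constructed shared secret; a real service loads its key from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: Dict[str, Any], secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; stands in for the OAuth authorization server."""
    header = {"alg": "HS256", "typ": "JWT"}
    dump = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        # Pin the algorithm: never let the token choose ("none", RS/HS confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):  # constant-time
            return None
        claims = json.loads(_b64url_decode(p64))
        if not isinstance(claims, dict):
            return None
    except ValueError:  # wrong segment count, bad base64, bad JSON, non-ASCII
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def authorize(auth_header: Optional[str], required_scope: str,
              now: Optional[float] = None) -> Tuple[int, str]:
    """Gate one microservice endpoint: returns an HTTP status and a reason."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth_header[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"
    granted = set(claims.get("scope", "").split())  # OAuth scopes are space-delimited
    if required_scope not in granted:
        return 403, f"scope '{required_scope}' required"
    return 200, f"ok: subject={claims.get('sub')}"


if __name__ == "__main__":
    now = time.time()
    token = make_token({"sub": "svc-orders", "scope": "orders:read", "exp": now + 300})
    print(authorize("Bearer " + token, "orders:read", now))   # (200, ...)
    print(authorize("Bearer " + token, "orders:write", now))  # (403, ...)
```

The distinction between 401 (no usable identity) and 403 (identity established, scope insufficient) is what lets each microservice apply the consistent, granular control the section describes without every service re-implementing login.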

Security automation

You should automate everything you can, especially if it is security-related. This will save time and reduce issues resulting from human error.

You may still need to perform manual tasks, such as threat modeling, but human time and expertise should be reserved for the essentials. 

Automated security tools for DevOps include:

  • Static Application Security Testing (SAST): allows you to detect vulnerabilities early, before the application is deployed (when it is static).
    • The drawback is that it can generate a lot of false positives.
  • Dynamic Application Security Testing (DAST): detects vulnerabilities later in the SDLC, and can work with running applications.
    • It provides quick fixes, but you should not rely on DAST alone.
    • Rather, it is best to combine it with SAST to provide fuller security coverage.
  • Interactive Application Security Testing (IAST): helps catch security events that other tools may miss.
    • A closely related tool, and a form of IAST, is Runtime Application Self-Protection (RASP), which adds the capability of blocking attacks.
    • RASP uses the information gathered from interactive analysis to remediate known vulnerabilities at runtime, and is especially useful for protecting legacy applications.
  • Software Composition Analysis (SCA): helps you maintain visibility over your software components.
    • It works by scanning your applications to identify the open-source and proprietary components that they contain.
    • This is essential, as you need to know which components you are using if you are to keep track of the vulnerabilities affecting them.
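The SCA bullet is the one most easily automated in a pipeline, so here is an added example of the core of such a check, not code from the article or from any SCA product: it reads a pinned `requirements.txt`, matches each component against a list of advisories expressed as OSV-style `introduced`/`fixed` version ranges, and reports anything that is not pinned at all (which cannot be assessed). The lock file contents, the package names and the `DEMO-` advisory ids are all constructed placeholders; a real pipeline would pull advisories from a vulnerability database and would use a full PEP 440 version parser rather than the numeric-only comparison used here.

```python
import re
from typing import Dict, List, Tuple

# Constructed lock file as a build pipeline would see it.
REQUIREMENTS = """\
# constructed requirements.txt
examplelib==1.3.0
otherlib==2.0.1 ; python_version >= "3.8"
safelib==0.9
unpinnedlib>=4.0
"""

# Constructed advisories in OSV-style "introduced/fixed" range form; the ids are
# placeholders, not real vulnerability identifiers. fixed=None means no fix yet.
ADVISORIES = [
    {"id": "DEMO-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "DEMO-0002", "package": "examplelib", "introduced": "0", "fixed": "1.2.0"},
    {"id": "DEMO-0003", "package": "otherlib", "introduced": "2.0.0", "fixed": None},
    {"id": "DEMO-0004", "package": "safelib", "introduced": "1.0.0", "fixed": "1.0.3"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric dotted versions only (1.2.10 -> (1, 2, 10)); a pre-release suffix
    such as 'rc1' is dropped, a simplification compared with PEP 440."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Compare with zero padding so that 1.3 equals 1.3.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({package: pinned version}, [lines that are not pinned with ==])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        # Drop comments and environment markers before matching.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)$", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def affected(version: str, adv: dict) -> bool:
    """introduced <= version < fixed; an advisory with no fix covers all later versions."""
    if version_lt(version, adv["introduced"]):
        return False
    return adv["fixed"] is None or version_lt(version, adv["fixed"])


def find_vulnerable(requirements: str, advisories: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every matching advisory."""
    pinned, _ = parse_requirements(requirements)
    hits = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is not None and affected(version, adv):
            hits.append((adv["package"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for pkg, ver, adv_id in find_vulnerable(REQUIREMENTS, ADVISORIES):
        print(f"{pkg}=={ver} is affected by {adv_id}")
    print("not pinned, cannot assess:", parse_requirements(REQUIREMENTS)[1])
```

Reporting the unpinned entries alongside the matches is the practical point: an SCA result is only as good as the inventory it was run against, which is why the section stresses knowing which components you use.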

Establish an open-source policy

Your security profile is only as strong as your planned policy.

Enterprises must have governance policies in place, providing clear instructions for employees, customers and third parties, which will help with the implementation of good security practices.

The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area.

This is especially important when using open-source software, which is prone to a large number of known vulnerabilities.

Regulations such as the General Data Protection Regulation (GDPR) must be considered when planning your policy, and the guidelines provided for such standards are a good place to start.

There are governance tools you can use to help design and enforce your policy, which can track usage and keep you updated regarding vulnerabilities and patches.

You can also refer to vulnerability lists provided by the open-source community, such as the OWASP Top 10.

However, it is also important to ensure that your DevOps teams are familiar with the procedures you’ve established, and that they are adequately trained to meet the requirements of your security policy.

Conclusion

Incorporating security into your DevOps process can be a challenge, especially if your DevOps teams are accustomed to treating security as an afterthought, or as someone else’s responsibility. 

However, with the help of automation and governance tools, as well as clear policies for vulnerability management, access control and the management of containers and microservices, you can keep your security profile up-to-date while maintaining fast and frequent delivery cycles.

The bottom line for ensuring security in DevOps is that you need to apply a cultural change and extend the DevOps philosophy to cover security as well.

This will allow you to shift security to the left and maintain security throughout the SDLC.

About the Author

Gilad David Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.
