In one of my previous blogs, we discussed 'DevOps' and its life-cycle. Now we discuss 'DevSecOps'. As the name suggests, DevSecOps is the practice of integrating security tasks within DevOps processes. In other words, DevSecOps is the evolution of DevOps that emphasizes the importance of security in the software release pipeline. In the DevSecOps methodology, security is considered a part of everyone's job, and the purpose is to build the mindset that "everyone is responsible for security". The DevSecOps methodology creates 'Security as Code' for effective collaboration between the development/DevOps team and the organization's security teams.
Implementation of DevSecOps (source: https://levelup.gitconnected.com)
Why we need DevSecOps:
With the growing demand for DevOps culture, Agile methodology and cloud services, traditional security is no longer an option. Traditional security operates once the application is ready for production release: security defects are identified by the IT security team and corrected by the development/DevOps team or business operators before the system is released. Security concerns caught at the 11th hour require that the production release date be delayed, aggrieving the development team and line-of-business owners alike. Sometimes, to keep the release date unchanged, there is no time to fix security issues, and the business owner has no option other than releasing the product with security loopholes. If security is integrated from the start of the software development life cycle, we can track down each glitch and eliminate it on the go, avoiding a longer development life-cycle.
This is the reason for introducing DevSecOps, which should eliminate the bottleneck effect of older, traditional security models and close the gaps between the I.T./development/DevOps teams and the security team, while ensuring fast, safe delivery of code. In modern DevOps methodologies, open source software and tools are widely used by organizations to build their applications; however, these tools have their own vulnerabilities. Using the DevSecOps model, we can introduce the concept of security right from the start of the software development life-cycle to minimize vulnerabilities in software tools and code, and push admins for regular upgrades and patches.
Here are some key advantages of DevSecOps :
Teams catch security vulnerabilities during development, instead of having them reported just before the production release, when the delivery date is affected and the company's reputation takes a hit.
More effective automated builds and quality assurance testing.
Better ROI (return on investment) in existing security infrastructure and improved operational efficiencies across security and the rest of IT.
Better communication and collaboration between I.T. teams and the security team.
More security automation means that security teams can spend less time tracking common security issues and dedicate more time to other high-value work, boosting their agility and speed.
So how can we achieve DevSecOps culture in organizations? Here are some suggested approaches for DevSecOps Implementation:
#1 Secure Application Source Code/Repository: Securing the code repository is one of the most important aspects of DevSecOps practice. Here are some suggested approaches for this:
With the rise of open source tools and software, many third-party components, libraries and frameworks are acquired from public repositories. There is a chance that malware exists in most public repositories, and some of the most popular software components in use today are known to be vulnerable. If software from a public repository is pulled into internal systems, malware is brought into the on-premise environment and can be propagated to production systems. So the recommendation is to scan the software for known vulnerabilities at the time of on-boarding. Internal systems should be protected by firewall systems to guard against outside attackers.
On-premise repositories must also be scanned and monitored on an ongoing basis to ensure threats do not penetrate the security perimeter. Application source code is valuable intellectual property. Cleaning login credentials out of code, tightly controlling access, removing sensitive data, and rotating keys and access tokens are some examples of best practices to secure an on-premise repository. The organization's GitHub configuration must be maintained and administered on an ongoing basis to ensure that access is not broader than necessary.
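One concrete way to enforce the "clean login credentials out of code" practice is a pre-commit secret scanner that refuses a commit when anything credential-shaped is in the staged files. The following is an added example written for this article, not code from the original post or from any of the tools it names; the file contents, the key-looking strings and the `# allow-secret` marker convention are all constructed for the demonstration.

```python
import re

# Credential shapes to look for. The AWS access key id prefix and the PEM
# header are real formats; the generic assignment rule is a heuristic that
# catches "password = '...'" style literals and needs tuning per codebase.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"
    ),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Reviewers mark documented placeholders with this comment to suppress a hit
# (assumed convention for this example).
ALLOW_MARKER = "# allow-secret"


def scan_text(text, path="<memory>"):
    """Scan one file's contents; return (path, line_no, rule, excerpt) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule, line.strip()[:80]))
    return findings


def scan_files(files):
    """files maps path -> contents, as a pre-commit hook would collect from the index."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def precommit_gate(files):
    """True when the commit may proceed, i.e. nothing credential-shaped was found."""
    return len(scan_files(files)) == 0


# Constructed sample files; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'hunter2hunter2'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAABCDEFGHIJKLMNOP'\n"
    ),
    "deploy/key.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIBconstructedplaceholderbody\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set PASSWORD = 'changeme-placeholder'  # allow-secret\n",
}

if __name__ == "__main__":
    for path, line_no, rule, excerpt in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {rule}: {excerpt}")
    print("commit allowed:", precommit_gate(SAMPLE_FILES))
```

Run against the constructed files it reports three findings (the password literal, the access key id and the private key header) and blocks the commit; the README placeholder is skipped because a reviewer marked it. A scanner like this belongs both in the developer's pre-commit hook and in the CI job, since hooks can be bypassed locally.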
#2 Secure Containerization: As container adoption increases in the DevOps world, we should also define best practices for container security, to not only protect running containers in production but also secure containers across their life-cycle. Containers running micro-services must be isolated from the network and from each other. Vulnerabilities can impact a container image just like any other legacy framework, and that is why regular scanning of images for vulnerabilities and compliance issues is absolutely mandatory.
Continuously monitoring registries for any change in vulnerability status is a core security requirement, in addition to protecting the operating system that hosts the container environment.
Some of the popular open source tools for container security are Anchore, Dagda, OpenSCAP and Falco.
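Image vulnerability scanning, which the tools above do against a CVE database, covers the contents of an image; a cheaper check that can run on every commit is a policy lint of the Dockerfile itself, catching the build-time choices that make a container hard to secure later (unpinned base image, scripts fetched and executed during build, process running as root). The block below is an added example for this article, not code from the original post or from any of the named tools; both Dockerfiles are constructed and `example.invalid` is a reserved non-resolvable domain.

```python
import re


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; joins backslash-continued lines,
    skips blank lines and comments."""
    pairs, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        pairs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return pairs


def _image_tag(image):
    """Tag of an image reference, or None when untagged. A registry port
    (host:5000/img) is not a tag, so only the last path component is inspected."""
    last = image.split("/")[-1]
    return last.split(":", 1)[1] if ":" in last else None


def check_dockerfile(text):
    """Return a list of policy findings; an empty list means the Dockerfile passes."""
    findings = []
    last_user = None
    for ins, arg in parse_dockerfile(text):
        if ins == "FROM":
            image = arg.split()[0]            # drop "AS <stage>" in multi-stage builds
            if "@sha256:" in image:
                continue                      # pinned by digest: strongest form
            tag = _image_tag(image)
            if tag is None or tag == "latest":
                findings.append(f"FROM {image}: base image not pinned to a version tag or digest")
        elif ins == "USER":
            last_user = arg.strip()
        elif ins == "ADD" and re.search(r"https?://", arg):
            findings.append(f"ADD {arg.split()[0]}: remote fetch at build time without integrity check")
        elif ins == "RUN" and re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", arg):
            findings.append("RUN: downloaded script piped straight into a shell")
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("no non-root USER set: the container process runs as root")
    return findings


# Constructed Dockerfiles for the demonstration.
RISKY_DOCKERFILE = """\
FROM python:latest
ADD https://example.invalid/installer.sh /tmp/installer.sh
RUN curl -sSL https://example.invalid/setup.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN useradd --create-home app \\
    && mkdir /app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, df in (("risky", RISKY_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, check_dockerfile(df) or "OK")
```

The risky file produces four findings and the hardened one none. The digest check is deliberately the only thing that fully satisfies the pinning rule: a tag such as `3.12-slim` can be re-pushed by the registry owner, so a build that must be reproducible should record the `@sha256:` digest.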
#3 Securing Automated Build: Continuous build is a common practice in DevOps culture, and securing the automated build process is another key goal of the DevSecOps methodology.
Typical CI/CD Pipeline Architecture (using Jenkins). Source: https://dzone.com.
Let us consider a typical CI/CD pipeline architecture using Jenkins.
A commit starts the process when the developer checks in code.
The CI server launches the build process.
Automated unit tests are part of the build process.
The build status is reviewed.
The build server delivers build artifacts to the appropriate target.
Most enterprises configure a repository manager like Nexus or Artifactory inside their firewall to store libraries and build artifacts. As we discussed earlier, malware and vulnerabilities might exist in common component libraries pulled from third-party repositories, or even in an on-premise repository. So vulnerability detection and monitoring must be done after the build process to secure the automated build. For example, OWASP Dependency-Check is one open source tool that detects vulnerable dependencies and reports their severity levels.
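What a dependency checker does at this stage of the pipeline is match each resolved component and version against an advisory feed and then fail the build when a finding is at or above a severity threshold. The block below is an added example for this article, not code from the original post and not OWASP Dependency-Check's implementation (which matches against the NVD rather than the small feed shown here); the advisory ids, package names and version ranges are all constructed placeholders.

```python
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v):
    """'2.17.1' -> (2, 17, 1); a component with no digits compares as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, range_spec):
    """range_spec like '>=2.0,<2.17.1'; every comma-separated clause must hold."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):       # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                holds = {">=": v >= bound, "<=": v <= bound, "==": v == bound,
                         ">": v > bound, "<": v < bound}[op]
                if not holds:
                    return False
                break
        else:
            raise ValueError(f"unsupported range clause: {clause!r}")
    return True


# Constructed advisory feed: placeholder ids and package names, not real CVEs.
ADVISORIES = [
    {"id": "ADV-0001-PLACEHOLDER", "package": "acme-json-parser",
     "affected": ">=1.0,<1.4.2", "severity": "CRITICAL"},
    {"id": "ADV-0002-PLACEHOLDER", "package": "acme-http-client",
     "affected": "<3.1", "severity": "MEDIUM"},
    {"id": "ADV-0003-PLACEHOLDER", "package": "acme-logging",
     "affected": ">=2.0,<2.17.1", "severity": "HIGH"},
]


def scan_dependencies(dependencies, advisories=ADVISORIES):
    """dependencies: list of (name, version) as resolved in the build's lock file."""
    findings = []
    for name, version in dependencies:
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["affected"]):
                findings.append({"package": name, "version": version,
                                 "id": adv["id"], "severity": adv["severity"]})
    return findings


def build_gate(findings, fail_on="HIGH"):
    """Return (passed, blocking). The build fails on any finding at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return (len(blocking) == 0, blocking)


# Constructed lock-file contents for one build.
BUILD_DEPENDENCIES = [
    ("acme-json-parser", "1.3.0"),   # inside the affected range -> CRITICAL
    ("acme-http-client", "3.2.0"),   # already patched
    ("acme-logging", "2.17.1"),      # exactly the fixed version: boundary case
    ("acme-crypto", "0.9"),          # no advisory at all
]

if __name__ == "__main__":
    found = scan_dependencies(BUILD_DEPENDENCIES)
    passed, blocking = build_gate(found)
    for f in found:
        print(f"{f['severity']:8} {f['package']} {f['version']} ({f['id']})")
    print("build passed:", passed)
```

Only `acme-json-parser` is reported, and the build fails at the default HIGH threshold. The boundary case matters in practice: an off-by-one in the range comparison either blocks the very release that contains the fix or waves through the last vulnerable version, so the fixed-version line in a lock file is worth keeping in the test data.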
SAST and DAST are two very important concepts when we inject security into CD pipelines.
Alongside detecting violations of coding best practices, static code analyzers detect security vulnerabilities in code and libraries. This is called SAST (static analysis security testing).
SAST tools can be treated as white-box testing, where the tester has information about the system or software being tested, including an architecture diagram, access to source code, etc. We need to choose a SAST scanner that is compatible with the programming language we are using to develop our application.
Raxis, DeepScan, Kiuwan and Gamma are some examples of static code analysis tools.
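To make the SAST idea concrete, here is the core of a static analyzer for Python in miniature: it parses the source into an abstract syntax tree and walks the call nodes looking for a handful of well-known dangerous patterns (`eval`, shell-spawning subprocess calls, unsafe deserialization, weak hash functions). This is an added example written for this article, not code from the original post or from any of the tools named above; the rule lists are tiny on purpose, and the scanned module is constructed so that every rule fires once while the safe `subprocess.run` with a list argument does not.

```python
import ast

# Calls this toy analyzer flags, grouped by the weakness class they indicate.
RULES = {
    "code-injection": {"eval", "exec"},
    "unsafe-deserialization": {"pickle.load", "pickle.loads", "yaml.load"},
    "weak-hash": {"hashlib.md5", "hashlib.sha1"},
}
# These are only a problem when the call passes shell=True.
SHELL_SPAWNERS = {"subprocess.run", "subprocess.call",
                  "subprocess.Popen", "subprocess.check_output"}


def qualified_name(func):
    """'os.system' for attribute chains, 'eval' for bare names, '' for anything else
    (e.g. a call on the result of another call)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = qualified_name(func.value)
        return f"{base}.{func.attr}" if base else ""
    return ""


class DangerousCallFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line, rule, detail)

    def visit_Call(self, node):
        name = qualified_name(node.func)
        for rule, names in RULES.items():
            if name in names:
                self.findings.append((node.lineno, rule, f"call to {name}()"))
        if name == "os.system":
            self.findings.append((node.lineno, "command-injection",
                                  "os.system() always runs through a shell"))
        elif name in SHELL_SPAWNERS and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self.findings.append((node.lineno, "command-injection", f"{name}(..., shell=True)"))
        self.generic_visit(node)   # keep walking: calls nested inside arguments


def sast_scan(source):
    """Parse Python source and return findings sorted by line number."""
    finder = DangerousCallFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed module under test; it is parsed, never executed.
SAMPLE_SOURCE = '''
import os, subprocess, pickle, hashlib

def build_report(user_input):
    os.system("ls " + user_input)                     # line 5: shell command built from input
    subprocess.run(["ls", user_input])                # line 6: list argument, no shell -> fine
    subprocess.run("ls " + user_input, shell=True)    # line 7
    return eval(user_input)                           # line 8

def load(blob):
    return pickle.loads(blob)                         # line 11

def digest(data):
    return hashlib.md5(data).hexdigest()              # line 14
'''

if __name__ == "__main__":
    for line, rule, detail in sast_scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {detail}")
```

Working on the syntax tree rather than on text is what lets the analyzer tell `subprocess.run([...])` apart from `subprocess.run("...", shell=True)`; a grep for `subprocess.run` would flag both. Real SAST tools add data-flow tracking on top of this, so that `eval` on a constant string is not reported while `eval` on a request parameter is.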
In contrast to SAST tools, DAST (dynamic analysis security testing) tools can be thought of as black-box testing, where the tester has no prior knowledge of the system. They detect conditions that indicate a security vulnerability in an application in its running state. In DAST, a security analyst attempts to attack an application in the same way an attacker would. Penetration tests are a kind of DAST that use external programs to interrogate applications through exposed APIs and HTTP end-points.
Checkmarx, Veracode and Appknox are some examples of DAST tools.
Apart from the approaches mentioned above, here is an additional checklist specific to the DevSecOps methodology:
Security training for developers, DevOps and I.T. engineers to make them aware of the guidelines for every security aspect.
Encryption of data between apps and services.
Using secure API gateways.
Automate security upgrade and patches where possible.
Continuous audits and remediation. Be prepared for an audit at any time by always staying compliant.
Automate the build of environments, minimizing unauthorized access.
In summary, to return maximum value to the organization, a flexible DevSecOps implementation will not only seamlessly integrate security and compliance scans into DevOps processes, but also find and fix security and compliance concerns. Security is an integral part of any business process, and having DevSecOps implemented can deliver a sustainable competitive advantage to the organization. DevSecOps is still new and evolving quickly. Hopefully, this article gave you a starting point that you can use in the future to improve the security of your applications.