DevSecOps is a set of practices, cultural approaches and tools that bring together software development (Dev), IT operations (Ops) and security (Sec) to increase an organization’s ability to deliver applications and services at high velocity, securely.
With DevOps approaches and methodologies, new application functionality can be delivered more rapidly and frequently updated with incremental updates. The entire build and delivery processes for applications are typically highly automated, and applications typically comprise multiple microservices and are often deployed in containerized and cloud environments. DevOps together with cloud based elastic infrastructure accommodates surges in demand through auto-scaling processes that spin up new computing resources (virtual machines or containers) and deploy more instances of an application as required. Enabling organizations to rapidly response to changes in demand while only paying for the computing resources consumed provides immense business value.
However, while offering tremendous business benefits, ensuring the security of applications becomes more challenging and often more critical. For example, consider the increased levels of automated processes, building and running applications fragmented into micro-services (or containers) that need to communicate with each other, as well as the use of diverse tools sets, including code repositories. To build the applications. The result is that there are far more services, applications, and tools that need protection in DevOps environments than traditional development environments.
DevOps has changed the way IT security needs to be achieved. With the shift from long-planned deployments of monolithic applications to agile development environments, security needs to be highly integrated into both development and operations processes. DevSecOps starts with secure development lifecycles and defined security patterns for the services and applications built and ends with automated security for automated operations.
Despite its many benefits, DevOps presents new risks and cultural changes that create security challenges that cannot typically be addressed by conventional security management solutions and practices. These traditional approaches are often too slow, costly or complex to support automated software delivery and deployment into the cloud or as a container. These challenges include:
Privileged Credentials Used in DevOps Are Targeted by Cyber Attackers. One of the biggest security challenges in DevOps environments is privileged access management. DevOps processes require the use of human and machine privileged credentials that are very powerful and highly susceptible to cyber attacks.
- Human access: With high-velocity processes, DevOps practitioners require privileged access across development and production environments.
- Machine access: With automated processes, machines and tools require elevated privileges (or permissions) to access resources with no human involvement. Examples include:
- Automation tools: Ansible, Puppet and Chef
- CI/CD tools: Jenkins, Azure DevOps and Bamboo
- Container management tools: Docker and Linux Containers (LXC)
- Container orchestration tools: Kubernetes, Red Hat OpenShift, Pivotal, Cloud Foundry
Tier Zero assets, such as Ansible and Jenkins, have access to credentials used by many other tools.
Once attackers obtain privileged credentials, they can gain full access to DevOps pipelines, sensitive databases—or even to an organization’s entire cloud. Attackers recognize this, and increasingly seek out privileged credentials including passwords, access keys, SSH keys and tokens, as well as other types of secrets such as certificates, encryption keys and API keys. Attackers can exploit unsecured credentials in DevOps environments, resulting in cryptojacking, data breaches and destruction of intellectual property.
Developers Are Focused on Velocity—Not Security. Focused on producing code faster, DevOps teams often adopt insecure practices outside of the purview of security teams. Such practices can include leaving embedded secrets and credentials in applications and configuration files, reusing third-party code without sufficient scrutiny, adopting new tools without evaluating them for potential security issues and insufficiently protecting DevOps tools and infrastructure.
Tool-centric Approaches to Secrets Management Create Security Gaps. DevOps tools often have some built-in features for protecting secrets. However, these features don’t facilitate interoperability or securely sharing secrets across tools, clouds and platforms. Often, DevOps teams the built-in features of their individual tools to manage secrets. This approach can make it difficult to adequately protect the secrets, since they cannot be monitored and managed in a consistent manner.
Steps for Enabling DevSecOps In Your Organization
Following are steps organizations often take to achieve DevOps security at scale while addressing the risks of privileged access and aligning to DevOps culture and methods:
- Instantiate security policy as a code. A cornerstone of DevOps is the concept of “Infrastructure as Code” (sometimes referred to as immutable infrastructure), which supplants the traditional model of manually administering and configuring servers and software. By applying this concept to security—instantiating and managing security policy as code—organizations can eliminate manually intensive, error-prone configuration processes.
- Establish separation of duties. Distinct roles and responsibilities should be clearly defined within a DevOps team:
- Developers should focus on creating applications to drive business results.
- Operations should focus on delivering reliable and scalable infrastructure.
- Security should focus on safeguarding assets and data and mitigating risks.
Interactions between each group can be codified in a written security policy. For example, developers create the security policy that declares what privileges their application or service requires. Security staff then review and approve the security policy and operators make sure the application’s deployment goes as expected.
- Integrate security into CI/CD practices. Too often in DevOps, security is treated as an afterthought and performed too late in the process, if at all. Then the potentially substantial last-minute changes needed to address vulnerabilities result in delayed releases. Forward-looking organizations are using advanced workflow scheduling and management tools like Kanban to model flows, accelerate development and eliminate inefficiencies. Additionally, security teams are increasingly deconstructing applications into microservices to simplify security reviews and changes.
- Take a proactive approach to security. Strong security practices should be instituted throughout the application lifecycle to reduce vulnerabilities, improve security posture and mitigate risks. Good DevOps security hygiene practices include:
- Address security requirements and potential vulnerabilities holistically, since attackers may only need to exploit one vulnerability to carry out their mission.
- Reduce the concentration of privilege in build automation tools and ensure that code repositories do not expose secrets.
- Maintain secrets used by machines and people (passwords, certificates, API keys, tokens, and SSH keys) in a secure, highly available vault—out of source code and off of developer laptops and user-accessible storage systems. Rotate secrets regularly to minimize exposure.
- Apply the principle of least privilege to ensure machines and people only get access to the resources they absolutely need.
- Establish a baseline for normal usage patterns to detect anomalies so that malicious users are traceable and cannot steal credentials.
- Instill accountability by recording how credentials are used. For example, for human users, consider keystroke or video logging of the session.
- Provide each machine its own unique identity in order to audit and monitor its access to secrets.
- Run vulnerability scans and conduct penetration tests to improve cybersecurity posture.
- Educate developers on security threats and best practices.
- Foster close cooperation and collaboration between security and development teams.
- Automate security processes. DevOps uses automation to accelerate application lifecycle management and remove human latency. Similarly, DevOps security should leverage automation to minimize human interaction and manual intervention. For example, by automatically rotating secrets—passwords, keys, certificates—organizations can prevent attackers from gaining access to DevOps tools, access keys or systems for an extended period of time. Automated security procedures can also be used reactively if a breach is detected. For example, privileged sessions can be automatically terminated and credentials automatically rotated the moment a security breach is identified.