Embedding Security in a DevOps World

[article]
Summary:
Faster DevOps processes also create new challenges. It was difficult enough to add security into a traditional waterfall software development lifecycle with monthly or quarterly releases, but now software updates are released several times a day! What can developers do to build and maintain more secure applications? Here are some ways to encourage better security practices throughout the DevOps lifecycle.

Software development is no longer a rigid and lengthy process. DevOps and agile code development have transformed application development into a fast-moving, always improving process.

For users, this delivers more features and improved experiences. But for security, faster DevOps processes create new challenges that the industry is only starting to catch up to. It was difficult enough to add security into a traditional waterfall software development lifecycle with monthly or quarterly releases, but now software updates are released several times a day!

What can developers do to build and maintain more secure applications? Here are some ways to encourage better security practices continuously throughout the DevOps lifecycle.

Shift Security Testing Left

“Shifting left” is all about adding security earlier into the development process. It means supporting developers so they can find and prevent defects as soon in the software delivery process as possible. This saves time by not having to repeat deployment steps, and it gives developers more time to focus on creating great software.

Shifting left is even more important for software meant for the cloud. The greatest source of risk in cloud computing is misconfiguration of cloud services. Empowering developers to find and fix these errors earlier in the process—ideally, exactly when the error is made—saves costs and allows developers to use their top-of-mind knowledge to resolve the problem.

Code Securely throughout Development

Unfortunately, there is no perfect product that tells developers every possible security error in their code as they are writing it. The next best solution is to review the source code as it is uploaded into the DevOps pipeline, looking for known vulnerabilities and code weaknesses that make the code susceptible to exploitation.

Static application security testing (SAST) solutions should be leveraged to identify insecure code and provide almost immediate feedback to developers. Using SAST products automates the scanning and reporting of known errors, as well as stops code from moving to the next phase of the DevOps pipeline, keeping developers accountable and saving downstream testing time. Since SAST often gives false positives, results must be manually reviewed prior to remediation efforts.

Beyond SAST, organizations must securely manage passwords and keys used to access environments during the deployment process. Strong access-control mechanisms can avoid the often public embarrassment of leaking private keys and credentials and allowing your environments to be hacked.

Test Dynamically

Once deployed to QA and, ultimately, production environments, applications should be continuously tested and monitored for unforeseen vulnerabilities using dynamic application security testing (DAST) and runtime application self-protection (RASP) solutions. DAST tools automatically test for known vulnerabilities such as SQL injections, command injections, and cross-site scripting (XSS). However, DAST knows nothing about the purpose of your application; it provides necessary but not sufficient amounts of security testing, so manual security testing also should always be part of your application security process.

For organizations in the cloud, consider using a cloud provider’s native security tools to discover cloud environment misconfigurations or violations of established best practices. Cloud security tools complement DAST and RASP solutions by automatically enforcing cloud security policies and taking corrective action or notifying security personnel when something isn’t set up properly.

Monitor Security

Three powerful techniques add protection to deployed applications: RASP, web application firewalls (WAF), and containerization. Each of these solutions can help protect organizations from attacks based on existing vulnerabilities, or even some zero-day vulnerabilities, when deployed and managed correctly. RASP, WAFs, and containerization can significantly reduce the application attack surface, provide increased capabilities to identify and respond to successful attacks in real time, and give better visibility into the overall effectiveness of existing security controls, all while minimizing the impact to the speed of development activities.

RASP—which, again, is runtime application self-protection—is built in or linked into an application, allowing it to control execution at runtime to detect and prevent attempted attacks in real time. RASP solutions add an essential layer of visibility and protection that was not possible until recently. Since they are built into the application, they see all activities occurring throughout the entire application stack, giving security teams greater insight into exactly how applications are being attacked, as well as the impact of every attack.

WAFs sit between the user and the application to identify and prevent attacks that leverage web application security flaws, such as SQL injection, XSS, file inclusion, and security misconfigurations. Unlike DAST solutions that test for known vulnerabilities in common scripting engines and languages, WAFs seek to provide a broader solution at the network level.

Containerization is another great technology that can add security to your organization, but only when it is done right. Tools like Docker and Kubernetes, which are excellent for packaging and orchestrating containers, fall into this category. Containerization can protect networks by isolating specific applications from each other and from attackers, but containers can still suffer from vulnerabilities that allow exploits or hypervisor escapes. Because expected runtime states are programmed into deployment configuration files, it is possible to monitor for the misuse of container infrastructure with log correlation and security tools.

Foster Continuous Improvement

More important than identifying the right security tools and putting security practices in place within your DevOps pipeline is to continuously improve your software development and application security posture—it’s what DevOps is all about, after all. Each time you discover a better, faster, more effective security assurance approach, have a method to securely incorporate it into your DevOps process going forward.

With speed of development becoming a competitive differentiator, maintaining agility in security is the key to success in a DevOps environment.

About the author

AgileConnection is a TechWell community.

Through conferences, training, consulting, and online resources, TechWell helps you develop and deliver great software every day.