Integrating Security in DevOps
It’s safe to assume that if you aren’t yet considering DevOps, the market may soon decide for you as enterprises orient themselves around faster application delivery cycles. DevOps is a culture, movement, and practice that enables collaboration between development and operations teams throughout the entire software delivery lifecycle, from design and development to production support.
But the growing popularity of the continuous delivery model also poses new operational and cultural challenges when organizations consider how best to fold security into the mix.
While the process has been accompanied by the usual growing pains, any inconvenience is outweighed by the gains, as organizations understand that incorporating security into the process mitigates many risks before damage is done. DevOps teams need to fully embrace security in their processes, while the security side needs to navigate the cultural transition to DevOps.
Many organizations are already integrating security with business outcomes in mind, or are planning to do so — 55% of organizations polled in “Reaching the Tipping Point of Web Application and API Security,” a report we conducted in partnership with Enterprise Strategy Group (ESG), currently have multiple teams responsible for securing web applications but plan to merge these responsibilities in the future.
This integration is what we call secure DevOps (some call it DevSecOps), a movement joining security with DevOps throughout the entire service lifecycle. If your organization is among those looking to unite your DevOps and security functions, here are a few things to keep in mind:
1. Think beyond gated functions
Culture is the foundation of any business function, and that’s especially true for DevOps. As security makes the cultural transition to DevOps, security professionals must recognize that if security blocks progress and innovation, it will be ignored and marginalized.
Building or fostering a culture of gating functions surrounding security is not a sustainable or forward-thinking model. Security must find a way to partner with development to achieve the greatest synergy.
At the end of the day, cultural resistance on both sides can negatively impact your organization’s shift to secure DevOps. Security and development teams will require a high level of cross-functional collaboration and centralization across tools, policies, and processes.
2. Deputize security champions across your organization
The push for more secure DevOps doesn’t have to begin and end with your security team. Think across your organizational landscape and identify security champions who can galvanize others to make decisions with security in mind.
You can’t solve enterprise security by simply hiring additional resources — there isn’t enough security talent available to fill the current needs, let alone future growth. Instead, the most effective security-focused organizations are discovering ways to deputize security champions across their organization.
3. Improve your feedback loops
The worst feedback loop when it comes to security is the breach feedback loop — the one where your company’s name is in the headlines for all the wrong reasons. Feedback loops are foundational, yet somehow software development struggles with the concept. If security is to be successful in the new, shorter DevOps cycles, your feedback loops must improve. Once your organization orients around a fast delivery cycle, your security team needs to put rapid feedback loops in place.
Gaining insight into the quickly changing runtime environment gives security the ability to collaborate with development and operations to respond to an event before it becomes an incident. Once you have proactive web protection in place, you create a feedback loop for security and DevOps teams. You’ll be able to answer questions like:
Are you experiencing a higher volume of logins?
What about password changes?
Have you seen more accounts created in the last hour than normal?
These are all subjective questions that are specific to the current business state. More than likely, some of these metrics are already being tracked within your organization, but aren’t visible throughout. Using a next-gen WAF (web application firewall), your enterprise security team can create feedback loops that check for anomalous behavior signaling an attack in progress or one that has already succeeded.
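The three questions above are rate questions: is this hour’s count of logins, password changes, or account creations out of line with what is normal for the business? The following is an added example (not code from the original post or from any product) of that check run over a constructed hour of application auth events against constructed per-hour baselines; the log format and the baseline figures are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of auth events for one hour (not real log data).
SAMPLE_LOG = """\
2024-03-01T09:00:05Z event=login user=alice result=ok
2024-03-01T09:03:11Z event=login user=bob result=ok
2024-03-01T09:10:42Z event=password_change user=bob
2024-03-01T09:15:00Z event=account_create user=u1
2024-03-01T09:15:01Z event=account_create user=u2
2024-03-01T09:15:01Z event=account_create user=u3
2024-03-01T09:15:02Z event=account_create user=u4
2024-03-01T09:15:03Z event=account_create user=u5
2024-03-01T10:02:00Z event=account_create user=u6
"""
# Constructed per-hour counts from "normal" hours (the business baseline).
BASELINE = {
    "login": [40, 45, 38, 42, 50, 44],
    "password_change": [2, 1, 3, 2, 1, 2],
    "account_create": [1, 0, 2, 1, 1, 0],
}
LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\w+)")

def count_events(log_text, window_start, window_end):
    """Count events per type whose timestamp falls in [window_start, window_end)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if window_start <= ts < window_end:
            counts[m["event"]] += 1
    return counts

def flag_anomalies(current, baseline, sigmas=3.0, floor=3.0):
    """Return {event: (observed, threshold)} for upward spikes past mean + sigmas*stddev."""
    flagged = {}
    for event, history in baseline.items():
        # floor stops a near-zero baseline from flagging a single extra event
        threshold = max(mean(history) + sigmas * pstdev(history), floor)
        observed = current.get(event, 0)
        if observed > threshold:
            flagged[event] = (observed, round(threshold, 1))
    return flagged

def check_sample():
    """Run the hourly check over the 09:00 window of the constructed sample."""
    start, end = datetime(2024, 3, 1, 9), datetime(2024, 3, 1, 10)
    return flag_anomalies(count_events(SAMPLE_LOG, start, end), BASELINE)
```

The 10:02 account creation is outside the window and is not counted; only the burst of five new accounts in the 09:00 hour is flagged, while the single password change stays within its baseline.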
4. Consider the security implications of “everything as code”
“Everything as code” (also called “infrastructure as code”) is the practice of expressing everything that’s needed to create, run, test, change, monitor, secure, and destroy infrastructure — and the system as a whole — as code. It allows DevOps teams to implement a repeatable and scalable approach to tasks that would otherwise be manual and helps reduce human error.
However, the broader goals of infrastructure as code have security implications to consider:
Version-controlled artifacts
Version-controlled artifacts should describe the system and all its components. This keeps configuration out of wikis and documents and in a versionable, referenceable state. The configuration management for the system should also be live and running, not merely documented.
Test-driven development and integration testing
Test-driven development and integration testing should become common practices. Write tests for infrastructure code as well as application code while under development. Writing tests while creating your infrastructure asserts a desired state and provides a test suite for any efforts around CI/CD.
Distributed computing and scaling
Without treating infrastructure as code, scaling is difficult and distributed computing (cloud) becomes almost untenable. Seeing distributed computing and scaling as desired outcomes guides the development practices.
Software supply chains
Software isn’t merely the hundreds or thousands of lines of code that are written by developers. It’s composed of much more, from dependencies to the OS to the virtualization framework. Infrastructure as code encourages software supply chain management by introducing specificity and an auditable log for the actual runtime of the system.
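The test-driven and supply-chain points above come together in one practice: the version-controlled definition of a service is checked in CI against the desired state before it is applied. As an added example (not code from the original post or from any IaC tool), the block below holds a weak service definition beside its hardened form and a test that lists every departure from the desired state; the definition’s schema, the registry name and the digest value are constructed placeholders.

```python
import re

# Constructed, hypothetical service definition in the shape a team might keep
# under version control; not any real IaC tool's schema.
WEAK_SERVICE = {
    "name": "checkout-api",
    "image": "registry.example/checkout:latest",              # floating tag
    "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                {"port": 22, "cidr": "0.0.0.0/0"}],            # SSH open to the world
    "storage": {"encrypted": False},
}
HARDENED_SERVICE = {
    "name": "checkout-api",
    "image": "registry.example/checkout@sha256:" + "0" * 64,  # placeholder digest
    "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                {"port": 22, "cidr": "10.0.0.0/8"}],           # SSH from internal range only
    "storage": {"encrypted": True},
}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
ADMIN_PORTS = {22, 3389}

def infra_findings(service):
    """Return every way the definition departs from the desired state."""
    findings = []
    if not DIGEST_RE.search(service["image"]):
        # a tag can move; a digest names exactly the artifact that will run
        findings.append("image not pinned by digest")
    for rule in service["ingress"]:
        if rule["port"] in ADMIN_PORTS and rule["cidr"] == "0.0.0.0/0":
            findings.append(f"admin port {rule['port']} open to 0.0.0.0/0")
    if not service["storage"].get("encrypted", False):
        findings.append("storage not encrypted at rest")
    return findings

def assert_desired_state(service):
    """CI gate: fail with every violation listed, not just the first one found."""
    findings = infra_findings(service)
    if findings:
        raise AssertionError(f"{service['name']}: " + "; ".join(findings))
    return True
```

Because the definition lives in version control, the commit that introduced a finding and the commit that cleared it are both in the audit log alongside the test result.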
Now it’s up to you
If you’re just getting started, the best place to begin is by creating security feedback loops. This puts security instrumentation in your production applications and creates feedback to developers, operations, and security. This level of instrumentation supports faster development cycles and can help change the perception of security in your organization from the “inhibitor to innovation” to an accelerator of innovation.
Download our full report “Reaching the Tipping Point of Web Application and API Security” to learn more about the challenges organizations face when it comes to secure DevOps and the types of tools they need to be successful.