DevOps and security: (Sec|Dev|Ops){3}
Integrating security into DevOps has many names (DevSecOps, DevOpsSec, SecDevOps). Let's demystify the concept!
DevOps is a modern set of concepts that revolve around a rapid release schedule. This release schedule necessitates a heavy reliance on automated tool chains. In the DevOps mindset, developers also take up the roles of both testers and operations personnel.
The convergence of DevOps and cyber security does not have a standardized name – or even necessarily a common definition. Just the order of the three terms can be understood as prioritization – “SecDevOps means we take security first!” It can also significantly change the meaning – “SecDevOps means adding a security mindset to DevOps!”. Right now DevSecOps seems to be the most widely recognized term, so we’ll be using that in this article.
In any case, the security concerns covered by DevSecOps are clear. Security must be integrated into the development process – and into the workflow of DevOps engineers – instead of just being a separate set of activities at the end of the project. This is also articulated as “Shifting Security to the Left”.
Building Security In, DevOps style
The concept of building security into development – spanning all phases from requirements specification to post-deployment – is not particularly novel. For example, the Build Security In Maturity Model (BSIMM), among others, has been around for a while. Like other secure development processes, BSIMM can be used for DevOps and Agile just as well as Waterfall. However, the extended set of responsibilities with DevOps as well as continuous delivery changes how security measures are applied quite a bit. After all, you can’t expect an engineer to do a full manual code review, fuzz testing, and security testing of the program with each code check-in!
Instead, securing development while following the DevOps mindset means heavily relying on automation. In particular, Continuous Integration (CI) processes should integrate automated static analysis with tools such as SCS (C#) or FindSecBugs (Java). Similarly, Continuous Deployment (CD) processes should integrate automated dynamic analysis with vulnerability scanner tools such as OWASP ZAP or fuzz testing tools such as AFL.
Of course, tools aren’t perfect, and aren’t going to find all security problems. Even in DevSecOps, there is a place for manual security activities such as code review and penetration testing. These are done by security experts, security champions, or third-party security consultants.
Dealing with a million problems in everyone else’s code
The security of the environment is a particularly challenging aspect of DevOps. Any of the components or libraries used in the system may be misconfigured, contain vulnerabilities, or even be malicious – and in case of some ecosystems, there can be hundreds or even thousands of them! Composition analysis tools such as OWASP Dependency-Check (multiple languages) can detect vulnerable dependencies automatically, and they tend to integrate nicely into CI/CD pipelines.
During and after deployment, tools can be used to harden configuration, verify secure deployment and implement security monitoring – some examples are Lynis (audits UNIX-based systems), kube-bench (tests security of a Kubernetes deployment) and Zeek (network-based IDS).
How ‘Sec’ and ‘Ops’ can help ‘Dev’
DevOps concerns have also been gaining more recognition in software security circles. 3 out of the latest OWASP Top Ten focuses on web security issues that are not directly related to code (A6: Security Misconfiguration; A9: Use of components with known vulnerabilities; A10: Insufficient logging and monitoring).
In the end, though, DevOps (or DevSecOps) is not magic, and will not make your program secure by itself. Security of the code is still the most important part of the system to get right, and tools can only get so far. Ultimately developers need to learn about vulnerabilities and their prevention. However, the rapid delivery model of DevOps allows for such issues to be discovered (and thus developers to be educated) much faster. This makes the end product significantly more secure.
We consider DevSecOps to be an integral part of any modern software development lifecycle, and discuss many of the tools described in this article in our web application security courses. For instance, in Cloud application security in Python for AWS, we focus on DevOps concerns when discussing configuration and vulnerability management, especially in an AWS-specific cloud context.