A guide to keeping security at the heart of DevOps development cycles, by Josh Kirkwood, DevOps Security Lead, CyberArk
Remember the famous engineering project triangle? It calls on organisations to forgo one of the following traits in exchange for a product development cycle to have the other two attributes: speed, quality and value. This essential model has sat at the very centre of project management issues for years, supporting the rise of cost projections, delay of deadlines and most importantly, increased rigidity around quality assurance requirements. As competition has transformed technology in recent years, C-level executives have started to opt for speed at the core of their model to satisfy ever tighter deadlines and be the first to market. It of course makes sense why DevOps practises have become so prevalent in the past decade.
But in their readiness to adopt DevOps tools and methodologies in the hopes of seeing tremendous business benefits, security practices get pushed aside. Numbers don’t lie: in Deloitte’s latest study on the state of DevOps, 71% of businesses feel that their teams currently lack adequate working knowledge to incorporate security into their systems (an approach otherwise known as DevSecOps).
This gap in knowledge underlines the potential data security issues that businesses risk creating for themselves. This is especially true when considering that DevOps tends to outpace traditional security controls. The truth is that, while developers want security, when security threatens to slow down getting new applications to customers (whether internal or external), security suffers. It’s an issue CISOs across the globe face – how do you prioritize security without impacting developer velocity? The below five tips sourced from an expert panel of CISOs show how some of the world’s most accomplished technologists are working to combat bad habits and securing the DevOps cycle. Here are some of their key ideas.
Transform the security team into DevOps partners
Many DevOps practitioners do take security seriously; in fact, in the Sonatype DevSecOps Community Survey 2018 91% agree that “security is part of everyone’s job.” So, for security, the challenge can be harnessing the developers’ beliefs and energy. For example, security teams can engage more effectively by getting up to speed on DevOps tools and techniques. They can also help developers to do the right thing by offering reusable code modules, and self-service approaches that make it easier for developers to adopt good security practices.
Prioritise securing DevOps tools and infrastructure
Some important places to get started are reducing the concentration of privilege in the build automation tools and ensuring that code repositories do not expose secrets. Currently, GitHub boasts a userbase of 28 million developers. Its largely searchable code repositories are a noted security risk amongst teams. For example, Uber’s recent data breach served as an all too painful reminder of this aspect of its platform. When hackers broke into the company’s source code repository on GitHub, they were able to launch and open up infrastructure attacks on a worldwide scale. With the personal data of 7 million drivers and 50 million customers compromised, the fallout was significant not only for Uber, but also the world of data security was significant.
Establish enterprise requirements for securing secrets and credentials
Instead of struggling to consistently control and monitor secrets dispersed across multiple DevOps tools, a better approach to reducing risk and saving time is to implement a centralised secrets management system. The centralised secrets management platform can then be used to ensuring that users, whether human or machine, don’t see the actual credentials.
Adapt processes for application testing
With DevOps teams making multiple releases per day, security needs to implement new, automated approaches so as not to slow the process down. For example, security can develop automated, updated processes, such as a “break the build” approach.
Evaluate the results
In most cases, improving the security of DevOps environments happens through many incremental advances. Teams should highlight each success and then build and expand from them. For example, organisations can use metrics to show how much of the attack surface has been addressed and how effective controls are.
Newer and continuous approaches to testing are ultimately necessary to ensure that security is embedded in DevOps strategies. Development teams need to be trained in order to improve their security awareness and to determine how they can best work with security teams. At the same time, security personnel will benefit from learning how their role fits within the wider DevOps ecosystem. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.