The DevOps methodology empowers development and operations teams to collaborate rather than conflict with each other. Some of the benefits realized from a DevOps approach include more frequent software releases, shorter time to market, and fewer application failures in production.Despite these benefits, the focus on rapid development and compressed development cycles in DevOps acts as a barrier to ensuring watertight application security. The Software Engineering Institute
estimates that 90 percent of reported security incidents result from exploits against defects in software design or code.It’s clear that software integrity is imperative and security cannot be left as an afterthought. A security-oriented approach is needed in DevOps teams that retains the essence of their methodology while including security from the outset.This article provides an overview of some important DevOps security challenges and offers several best practices for producing a secure app in DevOps teams.
DevOps Security Challenges
The goal of an application security team is to implement rigorous testing and policies that help to protect applications from security vulnerabilities. The problem with this is that security frequently has the effect of slowing down software development and lengthening release cycles, which contradicts the whole DevOps philosophy.A second challenge, directly emerging from the conflict between what security teams want to achieve and what DevOps teams want to achieve, is that security often remains an afterthought. A siloed security team cannot have enough influence on the integrity of the final code released into production.There is also a problem with a lack of security knowledge in DevOps teams. Developers tend to prioritize application functionality above all else, and they may not be confident in their security skills at all. An industry survey reported that 60 percent of developers aren’t confident in the security of their applications.
Best Practices for Secure DevOps
There are clear challenges in developing highly secure applications using DevOps methodologies. However, there are also several opportunities to seamlessly integrate security into DevOps teams. Here are some best practices for achieving harmony between application security DevOps.
1. Shift Security to the Left
Shifting security to the left means prioritizing it from the outset as a part of the application’s design rather than leaving it as an afterthought. Traditionally, security guidelines are established in the form of policies and guidelines, but they are only checked at the end of the development pipeline.The “shift left” approach advocates ingraining security requirements as part of the application's design, which means infosec teams can ensure security requirements are met earlier in the development pipeline. Overcoming DevOps security challenges
requires strong teamwork and sharing of security knowledge in achieving a shift-left approach to security.
2. Automate Security Tests
Automation is one of the cornerstones of the DevOps philosophy in terms of speeding up software development. If security and DevOps are to truly work together, then security testing also needs to be sped up through more automation.Embed as many automated tests as possible seamlessly into continuous development and continuous integration workflows, making sure to introduce automated security tests as early as possible by shifting left. However, automation needs to be done thoughtfully and efficiently too—static code tests, for example, should only be run on changes made to the code, not the entire codebase.
3. Secure the Software Supply Chain
The use of open source code is increasing all the time in commercial applications, which is no surprise in a DevOps world where speed and efficiency are what matter. Developers frequently use libraries, frameworks, and code from the millions of open source projects that provide convenient access to ready-made functionality.However, the infiltration of open source into the software supply chain creates headaches for security teams. As recently as September 2018, it was reported that open source supply chain vulnerabilities
had doubled over the last 12 months.Security teams need to create policies and guidelines that help protect against open source vulnerabilities in DevOps software supply chains. Encourage the use of build automation tools as a way to get visibility into all software dependencies. Container technology can help isolate vulnerabilities and minimize potential damage from them.It is also prudent to advise developers that they should only use open source components that they fully trust. This means applying the latest security patches promptly to existing components and regularly checking vulnerability databases for disclosed vulnerabilities before using new open source components.
4. Track Security Processes
To truly achieve the type of security-first mindset required, it is a good idea to ensure infosec tasks and goals are tracked in the same task planning and management tools as development and operations both use. This tracking ensures that security gets the visibility it needs throughout DevOps development cycles.
5. Achieve Tool Integration
The only way for security checks to work seamlessly in Continuous Integration/Deployment (CI/CD) pipelines is for security tools to be integrated with DevOps software such as Jenkins and Ansible. API endpoints can provide the means for achieving this integration, and these popular DevOps tools should be integrated with security frameworks like Selenium if APIs are available.
Achieving the right balance between application security and functionality is one of the greatest challenges facing DevOps. By shifting security to the left in development pipelines, automating early and often, securing the software supply chain, and integrating security tools with DevOps tools, organizations can achieve fast software releases, frequent updates, and secure code.