Is Your DevOps Secure?


<p>DevOps has become a competitive advantage for many organizations. However, many of these processes are not secure and raise serious challenges for cybersecurity professionals. Here’s how Tenable can help.</p>

<p>DevOps gives business leaders a lot to be excited about. After all, this new approach to software development drastically improves time to market for new services, making it possible to outpace competitors. Organizations have realized other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps.</p>

<p>It’s no surprise, then, that DevOps has <a href="https://go.forrester.com/blogs/2018-the-year-of-enterprise-devops/">finally reached mainstream status</a>, with one research report indicating that <a href="https://www.ca.com/us/modern-software-factory/content/how-agile-and-devo… of organizations</a> have implemented or plan to implement DevOps. DevOps is an important differentiator as <a href="https://hbr.org/2016/04/you-dont-have-to-be-a-software-company-to-think-… companies eventually become software companies</a>.</p>

<p>On the flip side, DevOps gives security leaders a lot to be worried about. According to the latest <i><a href="https://puppet.com/resources/whitepaper/state-of-devops-report">State of DevOps Report from Puppet and DORA</a></i>, high IT performers with mature DevOps processes deploy code 46 times more frequently than low IT performers. In raw numbers, that’s more than 1,400 deployments per year for the high IT performers, compared to only 30 for the low performers.</p>

<p>Unfortunately, security teams are largely disconnected from this continuous software delivery process, relying instead on downstream gates designed for the era of waterfall development. <a href="https://sdtimes.com/agile/hpe-security-fortify-report-finds-application-… 20% of organizations</a> incorporate any security testing during development, with another 17% stating they are not using any technologies at all to protect their applications.</p>

<p>To make matters even more difficult, security teams are often <a href="https://dzone.com/articles/10-tips-for-integrating-security-into-devops"… by developers</a> in the organization by 100:1. How can security teams possibly keep up with DevOps velocity while being constrained by limited resources?</p>

<p>Hackers are already taking advantage of poor DevOps cyber hygiene with cryptomining malware attacks using <a href="https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-… Hub backdoors</a>, <a href="https://www.bleepingcomputer.com/news/security/tesla-internal-servers-in… open Kubernetes accounts</a>, and <a href="https://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/">unpatched Drupal web applications</a>. While attacks today are harnessing vast amounts of computational power to generate cryptocurrency revenue, it doesn’t take much imagination to envision future attacks targeting sensitive enterprise or customer data.</p>

<p>Security professionals need to rethink traditional vulnerability management and embrace new security methodologies to secure DevOps processes. We at Tenable believe a new security discipline, called <a href="https://www.tenable.com/cyber-exposure/critical-risk-metric">Cyber Exposure</a>, is required to cover the breadth of the modern attack surface (e.g., cloud services, mobile devices, IoT/OT assets) and provide a new depth of insight into vulnerability data for more accurate visibility and decision-making. Cyber Exposure will help security leaders incorporate new secure DevOps principles to better manage and measure cyber risk by providing:</p>

<ul>
<li><b>Continuous discovery and scanning</b>. Monthly or quarterly scans do not cut it in the DevOps world. Continuous software delivery means the environment is constantly changing, requiring continuous discovery and assessment of cyber risk. This should occur across the software development lifecycle—from development through operations—to provide full visibility.</li>
<li><b>Security integration into DevOps processes</b>. Security tests and controls need to be an integral part of the software development lifecycle and embedded into the development pipeline. Vulnerabilities, malware, and misconfigurations should be treated as any other type of software defect that diminishes code quality and should be remediated as early as possible in the development lifecycle.</li>
<li><b>Automation of security workflows</b>. To support the scale and speed of DevOps, security controls must be exposed programmatically with APIs into DevOps systems to take advantage of automation throughout the software development lifecycle. For example, instead of security teams manually assessing images during predefined security gates, security testing can be triggered automatically to assess all new builds as they are created.</li>
</ul>
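The second and third principles above, as an added example (not Tenable's code and not a Tenable.io API call): a pipeline gate that treats the findings of an automatic image scan as build defects. The report layout, the policy keys and the time-boxed exception list are assumptions for illustration; a real pipeline would feed in the report its own scanner produces.

```python
"""CI/CD image-scan gate (added example, not Tenable code).

Assumptions: the scanner emits a dict like SAMPLE_REPORT; the policy says which
severity blocks a build and how old a scan may be; exceptions are reviewed,
ticketed and expire, so a finding cannot be waived forever.
"""
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report for one freshly built image (not real data).
SAMPLE_REPORT = {
    "image": "registry.example/app:build-123",
    "scanned_at": "2018-06-01T10:00:00+00:00",
    "malware": [],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "severity": "critical", "package": "libfoo"},
        {"id": "VULN-EXAMPLE-2", "severity": "medium", "package": "libbar"},
    ],
}

# Assumed policy: block on high or critical, and refuse scans older than a day.
POLICY = {"block_at_or_above": "high", "max_scan_age_hours": 24}


def evaluate(report, policy, exceptions, now_iso):
    """Return (passed, reasons). A finding at or above the severity floor, any
    malware, or a stale scan blocks the build unless an unexpired exception
    covers the finding. now_iso is injected so the gate is deterministic."""
    now = datetime.fromisoformat(now_iso)
    reasons = []
    scanned = datetime.fromisoformat(report["scanned_at"])
    if now - scanned > timedelta(hours=policy["max_scan_age_hours"]):
        reasons.append("scan is stale; re-scan this build before promoting it")
    if report["malware"]:
        reasons.append("malware detected: " + ", ".join(report["malware"]))
    floor = SEVERITY_RANK[policy["block_at_or_above"]]
    for v in report["vulnerabilities"]:
        if SEVERITY_RANK[v["severity"]] < floor:
            continue  # below the floor: tracked as a defect, does not block
        exc = exceptions.get(v["id"])
        if exc and datetime.fromisoformat(exc["expires"]) > now:
            continue  # reviewed, time-boxed exception still in force
        reasons.append(f'{v["id"]} ({v["severity"]}) in {v["package"]}')
    return (not reasons), reasons


if __name__ == "__main__":
    ok, why = evaluate(SAMPLE_REPORT, POLICY, {}, "2018-06-01T12:00:00+00:00")
    print("PASS" if ok else "FAIL: " + "; ".join(why))
```

Run as a CI step and exit non-zero on FAIL so the build stops where the defect was introduced, rather than at a later manual gate.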

<p>Tenable offers a variety of solutions to help you on your secure DevOps journey. <a href="https://www.tenable.com/solutions/cloud-security">Cloud connectors in Tenable.io</a> continuously track asset changes to ensure all cloud workloads are known and assessed for vulnerabilities. <a href="https://www.tenable.com/products/tenable-io/container-security">Tenable.io Container Security</a> plugs into continuous integration and continuous delivery (CI/CD) systems to remediate vulnerabilities and malware during development. <a href="https://www.tenable.com/blog/intro-to-the-tenable-io-api">Well-documented APIs in Tenable.io</a> allow you to automate security scans and integrate controls in your workflows. And earlier this month, <a href="https://www.tenable.com/press-releases/key-enhancements-to-tenable-cloud… announced</a> several new Tenable.io platform enhancements to support heterogeneous cloud platforms and enable security to be built into the entire software development lifecycle from build to production.</p>

<p>In fact, here’s how one Tenable customer is taking advantage of many of these secure DevOps capabilities today:</p>

<blockquote>“The Tenable.io AWS connector is the key to automating our DevSecOps pipeline. It allows us to gain real-time visibility into our cloud environment to track assets as they are spun up and down so that our other tools can be integrated into the pipeline in an automated fashion.” — Mick Kohler, Senior Manager, Cyber Security, Enterprise Security, Sysco</blockquote>

<p>Want to learn more about securing DevOps? The following resources will help you on your journey:</p>
<ul>
<li>Watch our on-demand webinar, <a href="https://www.tenable.com/webinars/panel-discussion-securing-devops-advice… DevOps, Advice from the Frontlines</a>, featuring three industry experts who have crossed the security-DevOps divide.</li>
<li>Visit our <a href="https://www.tenable.com/solutions/application-security">Application Security &amp; DevOps solutions page</a>.</li>
<li>Read our article, <i><a href="https://www.tenable.com/whitepapers/information-security-in-the-devops-a… Security in the DevOps Age: Aligning Conflicting Imperatives</a></i>.</li>
<li>Try <a href="https://www.tenable.com/try-io">Tenable.io for free</a> for 60 days.</li>
</ul>

About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into Tenable.io™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at tenable.com.