Josh Kirkwood, DevOps Security Lead at the IT security product company CyberArk, offers a guide to keeping security at the heart of DevOps development cycles.
In the famous engineering project triangle, organisations have to sacrifice one of the following to satisfy the other two needs: speed, quality and value. This classic model has sat at the core of project management issues for years, reinforcing rising cost projections, revised deadlines and, most importantly, the tightening-up of quality assurance requirements. As competition has effectively overhauled the technology industry over the past decade and a half, boards have come to prefer choosing speed to satisfy ever tighter deadlines and beat their rivals to market. It is easy to see, then, why DevOps practices have become so prevalent in the past decade.
But in their readiness to adopt DevOps tools and methodologies in the hopes of seeing tremendous business benefits, security practices get pushed aside. Numbers don’t lie: in Deloitte’s latest study on the state of DevOps, 71 per cent of businesses feel that their teams currently lack adequate working knowledge to incorporate security into their systems (an approach otherwise known as DevSecOps).
This gap in knowledge underlines the data security issues that businesses risk creating for themselves. This is especially true when considering that DevOps tends to outpace traditional security controls. The truth is that, while developers want security, when security threatens to slow down getting new applications to customers (whether internal or external), security suffers. It’s an issue CISOs across the globe face – how do you prioritise security without impacting developer velocity? The below five tips, sourced from an expert panel of CISOs, show how some of the world’s most accomplished technologists are working to combat bad habits and secure the DevOps cycle. Here are some of their key ideas.
Transform the security team into DevOps partners
Many DevOps practitioners do take security seriously; in fact, in the Sonatype DevSecOps Community Survey 2018, 91% agree that “security is part of everyone’s job.” So the challenge for security teams is to harness the developers’ beliefs and energy. For example, security teams can engage more effectively by getting up to speed on DevOps tools and techniques. They can also help developers to do the right thing by offering reusable code modules and self-service approaches that make it easier for developers to adopt good security practices.
Prioritise securing DevOps tools and infrastructure
Some important places to get started are reducing the concentration of privilege in the build automation tools and ensuring that code repositories do not expose secrets. Currently, GitHub boasts a userbase of 28 million developers. Its largely searchable code repositories are a noted security risk amongst teams. For example, Uber’s recent data breach served as an all too painful reminder of this aspect of its platform. When hackers broke into the company’s source code repository on GitHub, they were able to mount infrastructure attacks on a worldwide scale. With the personal data of 7 million drivers and 50 million customers compromised, the fallout was significant not only for Uber, but also for the world of data security.
Establish enterprise requirements for securing secrets and credentials
Instead of struggling to consistently control and monitor secrets dispersed across multiple DevOps tools, a better approach to reducing risk and saving time is to implement a centralised secrets management system. The centralised secrets management platform can then be used to ensure that users, whether human or machine, never see the actual credentials.
Adapt processes for application testing
With DevOps teams making multiple releases per day, security needs to implement new, automated approaches so as not to slow the process down. For example, security can develop automated, updated processes, such as a “break the build” approach.
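As an added illustration of two of the points above (keeping secrets out of code repositories, and a “break the build” check that runs automatically on every change), here is a minimal secret scanner in Python. It is example code written for this edit, not tooling from the author or CyberArk. The three regex rules, the allowlist of harmless placeholder values, the `secret-scan: ignore` marker and the sample repository contents are all constructed for the demonstration; the `AKIA…` value is a fake key shape, not a real credential. A production scanner such as gitleaks or trufflehog carries a far larger rule set, but the control flow is the same: scan, drop known placeholders, and return a non-zero exit status so the CI job fails.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Hypothetical rule set constructed for this example. Production scanners
# (gitleaks, trufflehog, etc.) carry hundreds of rules; three shapes are enough here.
SECRET_PATTERNS: dict[str, re.Pattern[str]] = {
    # 20-character AWS access key id shape: "AKIA" followed by 16 upper-case letters/digits.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM/OpenSSH private key header committed as a file.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # name = "literal" where the name looks like a credential and the literal is 8+ chars.
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Values that are not real credentials: env-var references, template placeholders,
# well-known dummy strings. Also constructed for the example.
ALLOWLIST = re.compile(r"(?i)(\$\{?\w+\}?|<[^>]+>|changeme|example|x{3,}|\*{3,})")

# Inline marker a developer can add to a reviewed line the scanner should skip.
IGNORE_MARKER = "secret-scan: ignore"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that matches a rule and is not allowlisted."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # For the assignment rule the credential is the last group; otherwise the whole match.
            candidate = match.group(match.lastindex) if match.lastindex else match.group(0)
            if ALLOWLIST.search(candidate):
                continue
            findings.append(Finding(path, line_no, rule))
            break  # one finding per line is enough to fail the build
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} map in deterministic path order."""
    findings: list[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def build_status(findings: list[Finding]) -> int:
    """Exit status for CI: non-zero breaks the build when any secret is found."""
    return 1 if findings else 0


# Constructed sample repository; the AKIA... value is a fake key shape, not a real credential.
SAMPLE_REPO: dict[str, str] = {
    "config/settings.py": (
        'DB_PASSWORD = "${DB_PASSWORD}"\n'
        'API_KEY = "<insert-key-at-deploy-time>"\n'
        'TOKEN = "pytest-fixture-token-1234"  # secret-scan: ignore\n'
    ),
    "deploy/creds.env": 'AWS_ACCESS_KEY_ID=AKIAZZZZTESTKEY12345\nAWS_SECRET="hunter2hunter2"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    "docs/README.md": 'Set `password: "changeme-locally"` in your local .env before first run.\n',
}


def main(argv: list[str]) -> int:
    # With paths on the command line, scan real files; otherwise run on the sample.
    if argv:
        files = {p: Path(p).read_text(errors="replace") for p in argv}
    else:
        files = SAMPLE_REPO
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: possible secret ({f.rule})")
    return build_status(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a pipeline as `python secret_scan.py $(git diff --name-only origin/main...HEAD)`, the non-zero return stops the merge without a human having to review every change; the allowlist and the inline ignore marker are what keep the check from becoming noise that developers learn to route around.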
In most cases, improving the security of DevOps environments happens through many incremental advances. Teams should highlight each success and then build and expand from them. For example, organisations can use metrics to show how much of the attack surface has been addressed and how effective controls are. Newer and continuous approaches to testing are ultimately necessary to ensure that security is embedded in DevOps strategies. Development teams need to be trained to improve their security awareness and to determine how they can best work with security teams. At the same time, security personnel will benefit from learning how their role fits within the wider DevOps ecosystem. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.