Security is often something tacked onto the end of application development, and sometimes only considered after applications have been deployed. The rising number and cost of cyber-security incidents has many organizations starting to rethink how they can build more secure apps with less overhead and anxiety. At the DevOps Enterprise Summit, several DevOps security experts weighed in on how organizations can leverage DevSecOps to address security as a forethought.
Best practices from DevOps Security experts
Some of the key takeaways:
Traditional models of securing infrastructure and networks have less importance as enterprises move to the cloud.
DevSecOps and DevOps security is about navigating the tradeoffs between risk management and costs.
DevOps security is a moving target as new vulnerabilities are discovered in existing software and enterprises need to think about mean time to recovery from these discoveries.
- Many organizations are embracing the notion of DevSecOps in which DevOps security teams work with developers early in app development.
Organizations needs to inventory their use of open source libraries, so they can pinpoint and update these quickly.
A DevOps security strategy should adopt automated testing across the app dev cycle so developers can fix problems when they are easiest.
But automated testing cannot find all bugs and should be complemented by manual creative testing.
Robert Stroud, a senior analyst at Forrester said many enterprises have transformed the way security sits in software development. A good model is the banking industry around risk. They often work with risk mitigation matrixes. The Same ideas can be applied to security as well. He noted that companies with a good DevSecOps practices were able to deal with the Apache Struts vulnerability in 2-hours, while others spent months trying to inventory their systems, create patches and deploy updates.
Forrester's Stroud said that one larger organization dissolved a separate security team of 400 experts and moved them into product teams. He said, "Security has to come in and be part of the product team for skills transfer and be proactive."
Protect the right assets
An important part of this is to think through how much the company is spending to mitigate specific risks. The loss of millions of customer records could have significant direct losses and remediation costs. But a breach in which an attacker accesses a system but is prevented from accessing data has less impact. It may even give security teams an opportunity to study the way a hacker is working. Caroline Wong, VP of security strategy a Cobalt, a manual penetration service, said, "A security person might believe you need to spend $200 to protect at $5 asset. But the reason security exists is to support the business."
Ten years ago, security was focused on protecting corporate networks. There was an analogy of security being like M&M candies that are hard on the outside and soft and melty on the inside. Wong said, "But organizations are not isolated anymore. Security is no longer about the network, but should focus on the products, apps, and APIs."
Security testing should be baked into the app development cycle, said Wong. Static analysis testing is easy enough to do at every code check-in. Dynamic code analysis is more complex and comprehensive, and can be done as part of integration testing. But its important to keep in mind that automated machine testing will only find some vulnerabilities. Wong said, "The people attacking your products are people, not machines. Automated testing makes it easier to find the simple attacks. But the more effective attacks are those done by people not machines."
One of the key components of DevSecOps lies in cultivating better communication between developers and security teams, which requires someone to take the first step. John Willis, VP of DevOps and digital practices at SJ Technologies said, "Security has a culture of isolation." A good practice is for developers to take the initiative to reach out and connect with security teams and consider how they can help solve their problems. Willis said a few years ago, he thought of a way the security team at his company could leverage Jenkins to make it easier to remediate security vulnerabilities. This began a long ongoing discussion that made everyone's lives easier.
It's also important for developers to consider that poor communications around security means heightened anxiety and overwork when new vulnerabilities are detected. As Alan Shimel, editor-in-chief of DevOps.com said, "A part of DevSecOps is to get rid of unplanned work." Better communications and coordination around security across the company means fewer lost evenings and weekends dealing with emergencies.
Practice makes perfect
One good practice for building this kind of awareness and communication lies in adopting tools to visualize and communicate about the security of systems. Paula Thrasher, director of digital services at CSRA, said they have created a Slack channel for sharing information across developers and operations teams when new security incidents are detected. She pointed out that it's not necessarily a bad thing to lock hackers out once they are detected. By studying how a hacker penetrates your system, developers can glean insights into building more robust systems that can be secured with less effort.
Another good practice is to give everyone in the organization to practice responding to security incidents. Thrasher said they regularly run security hackathons in which participants practice taking down and defending against server take downs. While learning about the specific security vulnerabilities is important, these kinds of events help everyone in the organization develop better skills for working together to deal with new threats.
How to protect against container and microservices security vulnerabilities
Here are some common security issues DevOps security professionals need to avoid
Combining DevOps with cloud-native development? Here's a cloud-native handbook to help light your path