From the CEO’s Desk: DevSecOps- Next Stride for DevOps
The global IT market is expanding at warp speed and IT spending is now touching a figure of $4 Trillion. In the current scenario, data is the biggest commodity. Data is more valuable and powerful than ever. And like uncle Ben Parker said, “With great power comes great responsibility.” Security has always been a big concern for valuable things and IT is no exception. IT as a whole is trying to bring the security factor more leftwards in a development cycle. Rather, they are trying to involve it in every step of the development cycle. And just when development and operations teams are trying their hands on “esprit de corps” which we call DevOps, I think it’s time we add the third musketeer, i.e. security.
What is SecOps?
SecOps is a collaboration between your security and operations teams, just like your development and operations teams collaborate on DevOps front. SecOps is a set of practices which you as an organization needs to follow, processes that you need to execute, tools that you need to use to ensure the security of your application environment. SecOps is making sure you do not sacrifice security in order to attain the set performance and uptime indexes.
In a typical development cycle, which comprises of various stages like requirements gathering, design, development, testing, implementation or deployment and maintenance, we normally start thinking on the security aspects in the later stages, i.e. somewhere in between testing and deployment or may be after that. But SecOps is all about making sure to introduce aspects around security much earlier or may be at each stage of SDLC. I know what you are thinking. This is going to complicate things and increase the time to delivery, this is where Operations and development teams need to join forces to uncomplicate the things and make it time efficient practice. Next thing you must be thinking of is why so much hassle? Think of it the other way. Wouldn’t it save more time when you address the security concerns at much earlier stages than at the time of delivery or implementation? All it takes is an amalgamation of cross functional teams like security group, development team, operations team, a little bit of planning and a whole lot of execution.
SecOps + Containers
Containerization is slowly but steadily moving from an alternative to full virtualization to a serious platform for running your applications. Containers have some obvious advantages like scalability and flexibility and this solves most of the problems related to resources in case of application development. Reduced size, reduced time taken for provisioning application environment and testing and in addition platforms like Docker, Solaris Zones, BSD Jails and orchestration platforms like Kubernetes, CoreOS Fleet, Amazon ECS, OpenShift make containers a more preferred option for application development environments.
This increased traction towards containerization points to the increased need to concentrate on security aspects. Here are some best SecOps practices for container environment that you and your organizational teams can follow:
- Authentic sources and images: Always check for authenticity of container images. There are various tools like Docker’s security scan. With Docker Cloud and Docker Hub you can scan images to check for potential security vulnerabilities. Most images are built from some base image and not built from scratch so there is always a threat with the used images.
- Vulnerability management tool: There are tools available in the market using which you can analyze container image formats and libraries for threats before you actually start using them.
- Follow benchmarks and hardening guidelines: Always make sure you do the checks and follow hardening guidelines for containers, images, hosts, and platforms before you start with production. There are few standards and benchmark checks for containers like CIS’s Docker security benchmark, PCI compliance checklist, etc.
- Periodic auditing: Regular auditing of your application environment can help you save yourself from the future troubles. Moreover, automation of auditing process can help in detection of unused images and containers.
- Use of management frameworks: Use frameworks which can automate behaviour profiling, and control all the users, authorize the access to the containers, images, and hosts.
- Security built in to container engine systems and third-party security solutions: Third-party vendors have a number of applications for container security in addition to security systems of container management platforms.
Dev + Sec + Ops
With the continuously increasing business demands for new applications and software, and new practices and development trends like DevOps, Agile, Cloud, Automation, CI/CD, etc., traditional security needs to bolster itself in the new paradigm. Thankfully some of the practices mentioned above themselves facilitate the security. Consider CI/CD as an example. Continuous integration requires continuous integration tools or what we call as build servers. Some popular examples are Jenkins, TeamCity, GitLab CI, Travis CI, Bamboo, Go CD, CircleCI, and Codeship. The best SecOps practice is to check and fix vulnerabilities at early stages as a part of CI/CD workflow. Integration between authentication, scanning, management tools and CI/CD pipeline tools could be the best possible solution to your security related problems. Some easy to implement solutions can include automated security testing, static code analysis, authentication checks, login tracking, etc.
SecOps enable organizations in lifecycle management, analysis of security threats, incident management, optimizing and measuring the effectiveness of security controls, reduced breach response time, reduced security risks, in addition to increased business security. Basic principle on which SecOps works is avoid, analyze, respond, review, repeat. By analyzing the security events and data you can build incident response plans to avoid future unwanted events.
Frameworks and Tools
Now that you have a clear understanding of why you need your security, development, and operations teams to work together, let’s see what tools and frameworks you can use.
- Docker native tools: If you are using Docker as a platform then you can use few security tools provided by Docker itself for the security of production environment which are Docker Bench and Docker Notary. Docker Bench is nothing but a script which checks common best-practices around deploying Docker containers in production. Docker Notary enables you to check if the content is from a trusted publisher.
- Chef: Chef provides different tools like Inspec to automate security testing.
- Puppet: Puppet provides security compliance and policy defining frameworks.
- Ansible: Ansible provides system tracking, setting up firewall rules, user locking down, compliance automation solutions.
- CoreOS Clair: CoreOS Clair is an opensource project for vulnerability analysis in applications and Docker containers.
- SaltStack: SaltStack can help in orchestration and automation of security practices solutions for containers.
This is just a look at some of the most popular ones. If you want, there are a number of others that can look after the security of your application environment.
The main motive behind implying SecOps practices in any organization is involving security team at all possible stages to remove any ambiguity in any stage of development rather than security team providing analysis reports to the operations team and then sit back and enjoy the show. When these teams perform in a synergic manner the business focus can be shifted to other important things.
Of course, there are challenges involved but with predefined strategies, these hurdles can be easily overcome. Contact Opcito to get a clear roadmap of how you can get more from your development, security, and operations teams to make your DevOps a DevSecOps.