DevSecOps- Next Stride for DevOps
The global IT market is expanding at warp speed, and IT spending is now touching a figure of $4 Trillion. In the current scenario, data is the biggest commodity. Data is more valuable and powerful than ever. And like Uncle Ben Parker said, “With great power comes great responsibility.” Security has always been a big concern for valuable things, and IT is no exception. IT is trying to bring the security factor more leftwards in a development cycle. Rather, they are trying to involve it in every step of the development cycle. And just when development and operations teams are trying their hands on “esprit de corps,” which we call DevOps, I think it’s time we add the third musketeer, i.e., security.
What is SecOps?
SecOps is a collaboration between your security and operations teams, just like your development and operations teams collaborate on the DevOps front. SecOps is a set of practices that you as an organization must follow, processes that you need to execute, and tools that you need to use to ensure the security of your application environment. SecOps is ensuring you do not sacrifice security to attain the set performance and uptime indexes.
In a typical development cycle, which comprises various stages like requirements gathering, design, development, testing, implementation or deployment, and maintenance, we normally start thinking about the security aspects in the later stages, i.e., somewhere between testing and deployment or maybe after that. But SecOps is all about introducing aspects around security much earlier or maybe at each stage of SDLC. I know what you are thinking. This will complicate things and increase the time to delivery; this is where Operations and development teams need to join forces to uncomplicate things and make it time-efficient practice. The next thing you must be thinking of is why so much hassle. Think of it the other way. Wouldn’t it save more time when you address the security concerns at much earlier stages than at the time of delivery or implementation? All it takes is an amalgamation of cross-functional teams like a security group, development team, and operations team, a little bit of planning, and a whole lot of execution.
SecOps + Containers
Containerization is slowly but steadily moving from an alternative to full virtualization to a serious platform for running your applications. Containers have some obvious advantages like scalability and flexibility, and this solves most of the problems related to resources in the case of application development. Reduced size, reduced time taken for provisioning application environment and testing, and in addition, platforms like Docker, Solaris Zones, BSD Jails, and orchestration platforms like Kubernetes, CoreOS Fleet, Amazon ECS, OpenShift make containers a more preferred option for application development environments.
This increased traction towards containerization indicates the need to concentrate on security aspects. Here are some best SecOps practices for container environments that you and your organizational teams can follow:
- Authentic sources and images: Always check for the authenticity of container images. There are various tools like Docker’s security scan. You can scan images with Docker Cloud and Docker Hub to check for potential security vulnerabilities. Most images are built from some base image and not built from scratch, so there is always a threat with the used images.
- Vulnerability management tool: There are tools available in the market to analyze container image formats and libraries for threats before you actually start using them.
- Follow benchmarks and hardening guidelines: Always make sure you do the checks and follow hardening guidelines for containers, images, hosts, and platforms before you start with production. There are a few standards and benchmark checks for containers, like CIS’s Docker security benchmark, PCI compliance checklist, etc.
- Periodic auditing: Regular auditing of your application environment can help save you from future troubles. Moreover, automation of the auditing process can help detect unused images and containers.
- Use of management frameworks: Use frameworks that can automate behavior profiling, control all the users, and authorize access to the containers, images, and hosts.
- Security built into container engine systems and third-party security solutions: Third-party vendors have a number of applications for container security in addition to the security systems of container management platforms.
Dev + Sec + Ops
With the continuously increasing business demands for new applications and software and new practices and development trends like DevOps, Agile, Cloud, Automation, CI/CD, etc., traditional security needs to bolster itself in the new paradigm. Thankfully some of the practices mentioned above themselves facilitate security. Consider CI/CD as an example. Continuous integration requires continuous integration tools or what we call build servers. Some popular examples are Jenkins, TeamCity, GitLab CI, Travis CI, Bamboo, Go CD, CircleCI, and Codeship. The best SecOps practice is to check and fix vulnerabilities early as part of the CI/CD workflow. Integrating authentication, scanning, management tools, and CI/CD pipeline tools could be the best solution to your security-related problems. Some easy-to-implement solutions can include automated security testing, static code analysis, authentication checks, login tracking, etc.
SecOps enable organizations in lifecycle management, analysis of security threats, incident management, optimizing and measuring the effectiveness of security controls, reduced breach response time, reduced security risks, and increased business security. The basic principle on which SecOps works is to avoid, analyze, respond, review, and repeat. By analyzing the security events and data, you can build incident response plans to avoid future unwanted events.
Frameworks and Tools
Now that you clearly understand why you need your security, development, and operations teams to work together, let’s see what tools and frameworks you can use.
- Docker native tools: If you are using Docker as a platform, then you can use a few security tools provided by Docker itself for the security of the production environment, which are Docker Bench and Docker Notary. Docker Bench is a script that checks common best practices around deploying Docker containers in production. Docker Notary lets you check if the content is from a trusted publisher.
- Chef: Chef provides different tools like Inspec to automate security testing.
- Puppet: Puppet provides security compliance and policy-defining frameworks.
- Ansible: Ansible provides system tracking, setting up firewall rules, user locking down, and compliance automation solutions.
- CoreOS Clair: CoreOS Clair is an open-source project for vulnerability analysis in applications and Docker containers.
- SaltStack: SaltStack can help orchestrate and automate security practices solutions for containers.
This is just a look at some of the most popular ones. If you want, there are a number of others that can look after the security of your application environment.
The main motive behind implying SecOps practices in any organization involves the security team at all possible stages to remove any ambiguity in any stage of development rather than the security team providing analysis reports to the operations team and then sitting back and enjoying the show. When these teams perform in a synergic manner, the business focus can be shifted to other important things.
Of course, challenges are involved, but with predefined strategies, these hurdles can be easily overcome. Contact Opcito for a clear roadmap of how you can get more from your development, security, and operations teams to make your DevOps a DevSecOps.