Most people think of hacking and incident response as the only key elements of cybersecurity, so development and infrastructure operations are not seen as valuable or essential. These DevOps practices are among the more underrated aspects of cybersecurity, so learning the key considerations for a proper DevSecOps implementation is critical. We must inject security throughout the DevOps process: by putting control tools in place, and by developing code that is secure against well-known threats such as SQL injection and cross-site scripting, which are basic injection attacks in which untrusted input reaches a query or a page without being escaped. Developers also have to build with a blue team mindset, so we need to educate them in these security matters. Only after this mindset change will they start thinking about security defensively and implement checks such as bounds checks, loop limits, input sanitization and input validation, among others.
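The two injection classes named above, with the vulnerable form beside the hardened one, as an added example (not code from the original article). It uses Python's built-in sqlite3 and html modules; the users table and the usernames in it are constructed for the example.

```python
import html
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # VULNERABLE: the untrusted value is pasted into the SQL text, so a quote
    # in the input changes the query's structure instead of being compared.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    # Parameterised query: the driver binds the value; it can never become SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Input validation as a second layer: reject anything outside the expected
# shape before it reaches the database or the page. Pattern is an assumption.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> str:
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def render_greeting_vulnerable(name: str) -> str:
    # VULNERABLE: reflected XSS, the input lands in HTML unescaped.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # Output encoding: special characters become entities and cannot open a tag.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every row leaks
    print("safe:      ", find_user_safe(conn, payload))        # nothing matches
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The vulnerable query returns the whole table for the classic `' OR '1'='1` payload while the parameterised one returns nothing; validation rejects the payload outright, and the escaped greeting renders the script tag as inert text.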
What is DevSecOps?
DevSecOps is a relatively new concept, and it overlaps somewhat with what is known as GitOps. In a nutshell, DevSecOps is building security into every stage of the DevOps process.
A DevSecOps role is expected to have the experience and capability to deal with most facets of development, security and operations; in essence, it is a Swiss army knife. You could position this person on the security side, where they would identify and address security holes from design through to implementation. You could position them on the development side, where they can write code. Finally, this role can also handle operations duties: DevSecOps-trained engineers can deploy code and ensure those releases align with their organization's security best practices and compliance requirements. To get there, we first have to dive into the following critical considerations for a proper DevSecOps implementation:
- Prepare the team for risks associated with DevSecOps.
As a DevSecOps engineer, security has to be a part of every process, workflow and automation. Security & compliance introduce additional complexity to what once was a pure and traditional DevOps practice in the cloud. Thus, we must be aware of and be prepared to solve the following issues:
→ Vulnerable or outdated third-party libraries
→ Licensing issues
→ Sensitive data leakage
→ Vulnerable Docker images
→ Kubernetes misconfigurations
So you could have a highly optimized DevOps process, and yet right before release the security checks and audits block the whole thing and delay it by weeks. To understand why security checks become a bottleneck, consider how applications have evolved over the past few years:
- Microservices instead of one large monolithic application, so there are many more network-exposed interfaces and a larger attack surface.
- Containers and cloud platforms, which add an image supply chain and provider configuration that must be secured.
- Kubernetes, with its own API, access control and workload configuration to get right, again enlarging the attack surface.
The solution is to shift security left: instead of treating DevOps and security checks as two wholly separate processes, integrate the checks into the existing pipeline, from the start of the build through release and monitoring.
- Understand the primary obligation of the DevSecOps role and best practices
DevSecOps is not only about making sure the code is sound; it is also about making sure the infrastructure and design are sturdy. Much of today's infrastructure is defined as code in playbooks and templates, and engineers may simply reuse default templates with keys scattered through them. Many tools are available to check and scan for default configurations, default tooling, and left-behind SSH keys, Git credentials, signing keys and other confidential material in general.
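A minimal shift-left gate of the kind the risk list and the paragraph above describe, as an added example written for this article rather than any real scanner's code: it scans constructed repository files for leaked secrets, unpinned images, containers that run as root and privileged pods, and returns whether the release may proceed. The secret signatures, the rule names, the sample files and the choice of which rules block are all assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    file: str
    line: int  # 0 means the finding applies to the whole file
    rule: str
    detail: str


# Assumed, deliberately simplified secret signatures; real scanners add many
# more patterns plus entropy checks.
SECRET_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # literal value after password/secret, skipping templated ones like {{ x }} or $VAR
    ("hardcoded-password", re.compile(r"(?i)(?:password|passwd|secret)\s*[:=]\s*['\"]?(?![{$])\S{8,}")),
]
# Rules that block the release (assumption); anything else is only a warning.
BLOCKING = {"aws-access-key-id", "private-key-block", "github-token",
            "hardcoded-password", "privileged-container", "runs-as-root"}


def scan_secrets(path: str, text: str) -> list[Finding]:
    """Line-by-line signature scan, applied to every file type."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, rx in SECRET_RULES:
            if rx.search(line):
                found.append(Finding(path, n, rule, line.strip()[:60]))
    return found


def image_is_unpinned(image: str) -> bool:
    """True when an image has no tag or uses :latest. Only the last path
    component is inspected so a registry port is not mistaken for a tag."""
    last = image.rsplit("/", 1)[-1]
    if ":" not in last:
        return True
    return last.rsplit(":", 1)[1] == "latest"


def scan_dockerfile(path: str, text: str) -> list[Finding]:
    found, has_user = [], False
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0].upper() == "FROM" and len(parts) > 1 and image_is_unpinned(parts[1]):
            found.append(Finding(path, n, "unpinned-base-image", parts[1]))
        if parts[0].upper() == "USER":
            has_user = True
    if not has_user:  # no USER instruction means the container runs as root
        found.append(Finding(path, 0, "runs-as-root", "no USER instruction"))
    return found


def scan_k8s_manifest(path: str, text: str) -> list[Finding]:
    """Naive line matcher; a production check would parse the YAML."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.fullmatch(r"privileged:\s*true", s):
            found.append(Finding(path, n, "privileged-container", s))
        m = re.fullmatch(r"image:\s*(\S+)", s)
        if m and image_is_unpinned(m.group(1)):
            found.append(Finding(path, n, "unpinned-image", m.group(1)))
    return found


def scan_all(files: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in files.items():
        findings += scan_secrets(path, text)
        if path.rsplit("/", 1)[-1] == "Dockerfile":
            findings += scan_dockerfile(path, text)
        elif path.endswith((".yaml", ".yml")) and re.search(r"^kind:", text, re.M):
            findings += scan_k8s_manifest(path, text)
    return findings


def pipeline_passes(findings: list[Finding]) -> bool:
    """The gate a CI stage would exit non-zero on."""
    return not any(f.rule in BLOCKING for f in findings)


# Constructed sample repository contents (not from any real project).
SAMPLES = {
    "Dockerfile": "FROM python:latest\nCOPY . /app\nRUN pip install -r /app/requirements.txt\n"
                  'CMD ["python", "/app/main.py"]\n',
    "deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\nspec:\n  template:\n    spec:\n"
                   "      containers:\n      - name: app\n        image: registry.example.com/app\n"
                   "        securityContext:\n          privileged: true\n",
    "vars.yml": 'db_user: app\ndb_password: "Sup3rS3cret!"\naws_access_key_id: AKIAIOSFODNN7EXAMPLE\n',
}

if __name__ == "__main__":
    results = scan_all(SAMPLES)
    for f in results:
        print(f"{f.file}:{f.line} [{f.rule}] {f.detail}")
    raise SystemExit(0 if pipeline_passes(results) else 1)
```

Run as a pipeline stage, the non-zero exit stops the release at commit time rather than at the audit before go-live. The sample set produces six findings, four of which block; the two unpinned-image findings are reported as warnings so that a team can tighten the policy later without first being buried in failures.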
- Build out exemplary DevSecOps architecture to streamline security practices across the pipelines
When we think about which technologies and skills are essential for DevSecOps, the challenge is not only choosing the right tools but choosing the right people with the proper set of skills. CI/CD skills and tools such as Jenkins, Travis CI, CircleCI, GitHub Actions, GitLab CI and Azure DevOps are core tooling that cannot be ignored.
From a language perspective, Bash is still king at the operating-system level. Beyond that, it comes down to understanding your CMDB and your configuration management tooling: Ansible, Salt, Puppet, Chef and Packer are critical here. Python serves as the universal glue that ties these tools together into scalable, reliable solutions that fit your needs.
In the extreme and unlikely case that a company cannot find a suitable off-the-shelf solution, there is always the option of building an ad-hoc solution from scratch. The language chosen for that should be cloud-native, fast and robust; Go, Rust or C++ are preferred.
Among the core skills of a DevSecOps expert, the most valuable security tools for checking and scanning the health of software applications are SonarCloud, Checkmarx, Fortify and Snyk. For monitoring, Splunk and New Relic also provide useful insight from a security perspective.
Finally, cloud services can be the keystone of a promising DevSecOps pipeline as well. Managing the security of cloud services and components is mandatory, and it can be complex depending on the architecture itself. Still, the core cloud controls, such as WAFs, firewalls, Network Security Groups and DDoS protection, must be covered not only in the technical solution but also in governance.
About Encora
At Encora, we know how to implement DevSecOps end to end. Every client has a cloud provider that suits its particular scenario and needs. As a company, one of our goals and challenges is to interpret the business goals and then design a system that addresses them.
When using a cloud environment, keeping security in mind is essential, and at Encora we have expertise in doing so.
We ensure that, irrespective of the cloud provider a client uses, we consistently implement logging and telemetry capabilities to track issues down to the millisecond. We measure everything so that clients get a complete picture, protecting what needs to be protected while exposing only what needs to be exposed to the outside world.