Go beyond software flaws: How to secure your entire stack
When Auth0 started building its authentication and single-sign-on (SSO) service, the authentication-in-the-cloud startup adopted an agile style of development.
Smaller teams at startups naturally fall into the fast development and deployment methodology, because teams are interdisciplinary and need to create products and services quickly, said Eugene Kogan, director of security for the cloud authentication company. As Auth0 grew, maintaining an efficient development system and securing software delivery became more difficult. "As you scale, keeping that capability in place is challenging," Kogan said. "Our product space expands over time, and if you don't have good automation and security testing in place, you are going to fail."
Currently, 78% of all companies are planning to adopt, in the process of adopting, or already have adopted DevOps, up from 74% in 2016, according to RightScale's 2017 State of the Cloud report. While finding vulnerabilities and educating developers are key parts of securing the agile development lifecycle, companies also have to focus on the infrastructure underpinning developers' and IT teams' efforts by making operations consistent and reproducible. That makes automation key.
Finding the right ways to deploy cloud-based infrastructure, automating all the processes required to develop and deploy software, and managing the application of policies are all important. Securing that entire stack goes beyond just locking down the software and improving configuration management.
Getting such features baked in as soon as possible is important, because otherwise the lack of features or need to refactor the infrastructure becomes technical debt—effort that has to be paid off by developers in the future, Auth0's Kogan said. "Making good design decisions up front is really important, because making changes two years down the road is going to be really difficult," he said.
Unfortunately, agile development teams focus on producing code and working products, often viewing security as something that gets in the way. The general rule of thumb is that for every 100 developers, there is a single security-focused team member, said Ashish Kuthiala, a senior director with HPE's Application Business Unit. "The speed makes it very hard to keep up with security," he said.
Here are three key areas to focus on when aiming to secure your full stack.
Focus on ops
When companies start building a service and considering security, they need to focus not just on the problems of development, but also on how to design a repeatable and testable deployment environment. While many companies focus on the development part of DevOps and other agile development methodologies, more attention needs to be paid to the operations side. Using automated deployment models and dynamic testing, companies can ensure that their deployed application matches their latest version in development, including any changes to configuration and assets.
"Part of the trick is that you cannot secure things that you don't know you have, so getting a really accurate inventory of what you have in your environment is really important," said Auth0's Kogan.
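One way to check that deployed hosts match the release, as an added example that is not from the article or from Auth0: hash every configuration file and asset in the release, compare that manifest against an inventory of each host, and flag anything missing, modified or untracked. Host names, paths and file contents are constructed sample data.

```python
import hashlib

# Constructed sample data: the release as built by the pipeline (configuration and assets).
RELEASE_FILES = {
    "app/server.js": b"listen(8443)\n",
    "config/nginx.conf": b"ssl_protocols TLSv1.2 TLSv1.3;\n",
    "static/logo.svg": b"<svg/>\n",
}

# Constructed sample data: what an inventory scan found on each deployed host.
FLEET_FILES = {
    "web-1": dict(RELEASE_FILES),
    "web-2": {**RELEASE_FILES,
              "config/nginx.conf": b"ssl_protocols TLSv1 TLSv1.2;\n",  # hand-edited
              "tmp/hotfix.sh": b"#!/bin/sh\n"},                       # never released
    "web-3": {k: v for k, v in RELEASE_FILES.items() if k != "static/logo.svg"},
}

def build_manifest(files):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def detect_drift(release, deployed):
    """Classify every difference between the release manifest and one host."""
    return {
        "missing": sorted(p for p in release if p not in deployed),
        "modified": sorted(p for p in release
                           if p in deployed and deployed[p] != release[p]),
        "untracked": sorted(p for p in deployed if p not in release),
    }

def fleet_report(release_files, fleet_files):
    """Return only the hosts whose deployed state differs from the release."""
    release = build_manifest(release_files)
    report = {}
    for host, files in sorted(fleet_files.items()):
        drift = detect_drift(release, build_manifest(files))
        if any(drift.values()):
            report[host] = drift
    return report

if __name__ == "__main__":
    for host, drift in fleet_report(RELEASE_FILES, FLEET_FILES).items():
        print(host, drift)
```

An empty report is the condition a pipeline would require before promoting a staged rollout; any entry is a reason to redeploy or investigate that host.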
In addition, being able to automate the staging of deployments can increase reliability by allowing partial rollouts and automated rollbacks, if there is a problem. With software-defined networking and the deployment of containers, more capabilities can be managed by the DevOps teams, increasing security.
Companies that rely on cloud services for their infrastructure need to ensure that their service provider presents enough data to allow for proper monitoring and control of the security of that piece of the infrastructure and deployment. If the service does not provide the needed security and auditing functionality, companies should look for third-party cloud access security brokers (CASBs), which add a management layer to a company's cloud service portfolio.
The network is part of the app
Network misconfigurations are a major source of reliability and security issues. In a report summarizing the findings of 124 penetration tests, security firm Rapid7 found that more than two-thirds of sites were vulnerable because of a misconfiguration.
For that reason, agile development teams should focus on continual testing and operations of the network as an integral part of the development lifecycle. And, with software-defined networks increasingly common, developers can treat the network and configuration of the operating environment as one more piece of software to program and maintain, said Nati Shalom, founder and CTO at GigaSpaces, a compute-in-memory cloud platform. The company has extensively used DevOps in the creation and maintenance of the service, he said.
"The network configuration needs to be a part of the application deployment lifecycle," Shalom said. "Those people who are managing the network have to be the same DevOps guys who are creating the application."
While many companies have combined configuration and orchestration in their network management to automate their deployment of changes, very few have connected the dots between automating the network and deploying applications, he said.
"We are moving from a siloed approach—where application security is managed separately, the network is managed separately, the data center is managed separately, and application development is managed separately—because DevOps has a holistic view of the company," Shalom said. "We want to have a complete pipeline of deployment."
Incorporate exercises and feedback loops
Finally, just as developers can learn from vulnerabilities identified in their code, security specialists focused on operations can learn from penetration tests, actual incidents, and response exercises. Any lessons learned during an incident should be immediately integrated back into the DevOps process, HPE's Kuthiala said.
"You need to bring the learning from any incident into the organization," he said. "And just as important, you need to bring the learning of what did not work back into the organization."
These feedback loops are important when training developers to consider security in both their programming and their designs. When an incident happens—whether it is service disruption, a failed penetration test, or an actual breach—the lesson needs to be reinforced quickly in order to best stick, Kuthiala said.
Evaluating and modeling potential threats, while more common in the waterfall method of development, helps educate developers and inform design decisions.