How DevSecOps enables high-velocity digital transformation

Securing applications in these times of high-velocity digital transformation is an uphill battle. The challenges of developing secure applications within a DevOps pipeline continue to exist, and new issues arise when infrastructure and code are deployed automatically.

With cloud migration on the rise, organizations are moving to a new phase of security practices. Infrastructure is now treated as code. This allows DevOps teams to configure and provision a development environment (servers, storage, and network) at any time, at scale. This all happens with an automated script, thus reducing the cost and time needed to roll out application services.

While automating both continuous integration and continuous code development are relatively well practiced and well understood, automating security testing is not as much of a routine. To test or assess an application manually on a cloud platform, security professionals must have skills in web development, cloud infrastructure deployment, architecture, and, obviously, security.

When you add high-velocity delivery into the mix, the security issues involved require additional skills and processes. Key highlights from a SANS Institute survey, "Rethinking the Sec in DevSecOps: Security as Code," cover the issues, challenges, and best practices needed for fortifying applications in the cloud. Here's what you should keep in mind.

Organizations are increasingly moving from on-premises infrastructure to multiple public cloud providers, and developers are facing the challenge of keeping code consistent across diverse platforms with diverse interaction points.

Container packaging platforms are available that can help automate infrastructure provisioning, application configuration, and deployment across multiple cloud platforms.

Automation of infrastructure as code (IaC) provides for flexible deployment and reduces development and operational costs. The challenge is in building, maintaining, and reviewing the IaC templates.

IaC risks and solutions

Top risks in IaC include:

• Insecure default configuration templates, vulnerable OS images, or third-party applications that need vetting
• Secrets that are stored in clear text; these secrets are required to process IaC packages
• The environment configuration that  is changed directly in the production environment by the operations team without updating the IaC packages, causing drift in configuration

But these problems can be addressed, by doing the following:

• Scanning the IaC templates for vulnerable configuration and image templates
• Using secure password vaults for storing all your application secrets and refer to these vaults, instead of the secrets themselves, inside configuration files 
• Monitoring the cloud infrastructure and IaC frequently to find existing or potential drifts that can be addressed quickly

Use key app sec tools

These days, even a nonprofessional programmer can build a suite of applications with the open-source packages and third-party tools that are widely available. Such add-ons might bring along unknown exposures unless assessed and remediated.

A best practice is to use software composition analysis (SCA), which the SANS survey deemed a must-have app sec capability. Here are some things to keep in mind:

• Vulnerability analysis must go beyond comparing declared dependencies against the National Vulnerability Database.
• You should continuously monitor every commit for vulnerabilities exposed.
• You should conduct susceptibility analysis to check whether someone invoked vulnerability in your custom code.

Integrate security with your cloud-native development workflow

More than half of the organizations that took the SANS survey use cloud-hosted or cloud-native environments instead of on-premises systems for development. Cloud-hosted platforms offload the responsibilities of provisioning, configuring, hardening, monitoring, and managing the tool sets.

And with cloud-hosted environments, automated security testing increases the level of confidence and trust and lowers the risk at an early stage.

Integration of security testing during development or pre-production using static application security testing (SAST), SCA code scanners, and container scanners reduces security overhead, since developers can fix the vulnerabilities at an early stage. The security team can also improve the quality of tests by reducing the number of false positives.

Dynamic application security testing (DAST) is useful to test cross-function features and to help identify vulnerabilities that cannot be seen through code, but only while in execution. Integrating DAST into your CI/CD pipeline helps build in continuous security.

Best practices to improve effectiveness of security in CI/CD

Integration and shifting left sound great, but here are some tips for getting the most out of these techniques:

• Integrating security and detecting vulnerabilities is just half of the job. The most important task is to empower developers to identify the gaps early in the lifecycle and address them quickly to fix any issues detected.
• Your security team, with the support of the right tools, must continuously ensure that there are a smaller number of false positives and offer effective recommendations to implement the security fixes.
• Building security champions in the developer community has been one of the most effective strategies to create successful DevSecOps.

Based on the SANS survey, some of the largest challenges to implementing DevSecOps are due to the silos in development, security, and operations. These differences exist because each of these departments has its own goals, roles, and responsibilities. The goal of DevSecOps may not be the common objective in each of the parties' goal sheets.

To effectively implement DevsecOps, it is important to solve the problems related to people first. Once that is accomplished, deploying tools and integrating your pipeline will be smooth sailing in comparison. Here's an approach.

• Get stakeholder buy-in by agreeing on shared goals, key performance indicators, and resource use. This helps reduce the silos and build an integrated DevSecOps program strategically.
• Gain management support by making the leadership team aware of why the security investment and leadership support are important and by conveying to them the real costs of not investing properly in security. These costs could include data breaches, fines, lost customer relationships, and bad publicity. 
• Train your people about secure coding and other security concepts. Build security champions in the developer community who can internally review their apps and lift up the goal of secure coding.
• Improve communications among stakeholders with clear responsibilities and by getting buy-in from all stakeholders before the project starts.
• Integrate automated security testing into developer/operations tools and automate the remediation process.

Security is a continuous process

By now all of us understand that security is not a one-time activity. It is a continuous process that must be embedded in code. It requires leadership awareness and support for an effective program. If infrastructure is designed as code, security needs to be built in as code also.

Just as building the strongest braking system is essential when designing the fastest car, embedding security controls is essential to accelerate your application-delivery velocity.

Replay this webinar for a discussion about this topic with Jim Bird, analyst and research author at the SANS Institute, and Satyavathi Divadari, chief cybersecurity architect at Micro Focus.