Earlier this year, I had the wonderful opportunity to attend Cloud Asia Expo 2019 in Singapore, a large-scale event featuring some of the most promising brands and speakers. Not only was I fortunate enough to be in the company of many like-minded people who had come from different backgrounds and cultures, it was also amazing to experience the breadth of topics that were covered under one roof over two days. My main interest was learning more about security so I decided to focus more on Dev-Security-Ops and its implementation. Here are my takeaways!
Organisations that adopt a DevOps culture and implement it well gain higher product quality, greater customer satisfaction, and faster time to market through end-to-end automation and team collaboration. But a DevOps workflow cannot work well without an equal emphasis on security. In a DevOps culture where development and operations teams collaborate, security cannot remain a silo. To achieve software compliance, security must be integrated into every phase of the workflow by enforcing multiple checkpoints.
It’s no secret that the frequency of cyber crimes has increased over the years. In June 2018, Singapore experienced its worst cyber attack when its largest health care system was hacked, resulting in almost 1.5 million patient records being compromised. These data included IC numbers, names, addresses, gender, race, and birth dates. Imagine how much worse it could have been if the attackers had managed to gain access to patient payment details.
So, what was the cause of this hack, you ask?
Simple — it was too easy. Systems were vulnerable to malware, security policies were not enforced, and the network and security teams were not proactive enough to identify and monitor the system with frequent checks or alerts.
This is just one scenario which received a great deal of exposure, proving that providing a secure environment or software to consumers is as important as delivering a functional product. With DevSecOps methodologies, we are able to implement an effective security system that can prevent these types of mishaps from happening in the future.
What exactly does Dev-Sec-Ops mean?
DevSecOps is a natural evolution of DevOps that emphasises the importance of security in the software release pipeline. Achieving a DevSecOps culture means taking into account each individual’s role, background, and interest in the different aspects of DevSecOps practice, and enforcing regulatory governance and software compliance measures throughout the pipeline.
What Was and What Should Be?
In the legacy SDLC model, security practices were enforced only in the final phase, since most of the focus was directed at application development. Discovering security threats that late resulted in countless reworks and time-consuming tasks. It also left software vulnerable, because regulatory and compliance measures were not properly enforced along the way.
With DevOps implementation, teams work together during the different stages of the entire process such as development, CI, build, test, and release! That being said, in order to achieve complete DevSecOps, we must incorporate security in all stages by enforcing regulatory governance and software compliance measures.
How to achieve DevSecOps?
As a DevSecOps culture is similar to a DevOps culture, it can be successfully practiced and implemented by following some best practices.
Shift Left Approach to DevOps
Shift Left means to have security testing enforced at the nascent stage of development instead of waiting until the end. Doing so will help to identify potential vulnerabilities early on and help you to fix them with minimal cost. Even though it could be complex to apply this, since it might disrupt the DevOps workflow, it is very advantageous in the long run.
Adopt Microservices and Containerisation
By adopting a microservice architecture, large and complex systems can be simplified and broken into small, independent services, which in turn increases the agility of the system. Business changes can therefore be implemented faster and more effectively. These microservices can be deployed as containers, which makes application security easier to maintain: each service has a small, well-defined surface that can be scanned, patched and redeployed on its own.
Implement CI and Automation
By automating as many processes as possible during development, manual interventions for security and operations can be avoided, which results in faster execution and more secure releases.
Implement Scanning and Monitoring
We can scan applications for vulnerabilities at run time (dynamic scanning) and scan source code repositories (static scanning) so that vulnerable code and outdated libraries are found and remediated regularly, whether by refactoring the code or by updating library versions.
Constant monitoring of applications should be in place and an alert mechanism that can notify you of abnormal behaviours in the server or application must be implemented.
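As an added illustration of the alert mechanism described above (example code written for this post, not anything the author or the conference presented), the script below scans constructed application log lines and raises an alert when one client produces a burst of authentication failures or server errors within a single minute. The log format, the two rules, and the thresholds are assumptions chosen for the example; a real deployment would read from the log pipeline and send alerts to a paging or chat system instead of printing them.

```python
"""Minimal per-minute anomaly alerting over application log lines.

Added example, not the author's tooling. The log line format
(timestamp client status path), the rules and the thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log: one normal client, one client hammering /login,
# one client triggering repeated 5xx errors, plus a malformed line that must be skipped.
SAMPLE_LOG = """\
2019-10-01T10:00:01 10.0.0.5 200 /login
2019-10-01T10:00:02 10.0.0.5 401 /login
2019-10-01T10:00:04 10.0.0.5 200 /login
2019-10-01T10:00:09 10.0.0.5 200 /patients/42
2019-10-01T10:01:01 10.0.0.7 401 /login
2019-10-01T10:01:02 10.0.0.7 401 /login
2019-10-01T10:01:03 10.0.0.7 401 /login
2019-10-01T10:01:04 10.0.0.7 401 /login
2019-10-01T10:01:05 10.0.0.7 401 /login
2019-10-01T10:01:06 10.0.0.7 401 /login
2019-10-01T10:01:30 10.0.0.9 200 /reports
2019-10-01T10:02:10 10.0.0.9 500 /reports/export
2019-10-01T10:02:11 10.0.0.9 500 /reports/export
2019-10-01T10:02:12 10.0.0.9 500 /reports/export
this line is malformed and is skipped
"""

# Group 1 captures the timestamp down to the minute; seconds are dropped so we bucket per minute.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d (\S+) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class Alert:
    minute: str
    client: str
    rule: str
    count: int


def parse(lines):
    """Yield (minute, client, status, path) for every well-formed line; skip the rest."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groups()


def evaluate(log_text, auth_fail_threshold=5, server_err_threshold=3):
    """Count auth failures and 5xx responses per (minute, client) and return alerts for bursts."""
    counts = defaultdict(Counter)
    for minute, client, status, _path in parse(log_text.splitlines()):
        if status == "401":
            counts[(minute, client)]["auth_failures"] += 1
        if status.startswith("5"):
            counts[(minute, client)]["server_errors"] += 1

    alerts = []
    for (minute, client), c in sorted(counts.items()):
        if c["auth_failures"] >= auth_fail_threshold:
            alerts.append(Alert(minute, client, "auth_failure_burst", c["auth_failures"]))
        if c["server_errors"] >= server_err_threshold:
            alerts.append(Alert(minute, client, "server_error_burst", c["server_errors"]))
    return alerts


def notify(alerts):
    """Stand-in for the real alert sink (pager, chat, ticket): here we just print."""
    for a in alerts:
        print(f"ALERT {a.rule}: client {a.client} hit {a.count} events in minute {a.minute}")


if __name__ == "__main__":
    notify(evaluate(SAMPLE_LOG))
```

Two design points worth noting: the thresholds are per client and per minute, so a single mistyped password (10.0.0.5 above) stays below the line, and malformed lines are skipped rather than crashing the monitor, which is what you want from something that has to run continuously.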
DevSecOps Security Testing Tools
The deployed application, infrastructure, source code, and even pipelines need to be secured from the outset. This can be achieved using certain tools that can help in continuous testing so that issues can be addressed immediately. A few of these tools are:
- Dynamic Application Security Testing (DAST) tools
- Static Application Security Testing (SAST) tools
- Interactive Application Security Testing (IAST) tools
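To make the "multiple checkpoints" idea concrete, here is an added example (written for this post; it is not the author's code and not the output format of any particular SAST, DAST or dependency-scanning product) of a pipeline gate that consumes scanner findings and decides whether a build may proceed. The simplified findings JSON, the severity names, and the suppression file with owner and expiry date are all assumptions; real tools emit their own formats (often SARIF), and the gate would read those files from the pipeline workspace instead of the constructed strings used here.

```python
"""Pipeline security gate: block on high/critical findings unless an unexpired suppression exists.

Added example, not the author's code. The findings shape, severities and the
suppression file format are assumptions standing in for real scanner output.
"""
import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed scanner outputs in a simplified shape (assumption).
SAST_OUTPUT = json.dumps({"tool": "sast", "findings": [
    {"id": "SAST-001", "severity": "high", "file": "app/auth.py", "line": 42,
     "title": "SQL query built by string concatenation"},
    {"id": "SAST-002", "severity": "low", "file": "app/util.py", "line": 7,
     "title": "Unused import"},
]})
DEP_OUTPUT = json.dumps({"tool": "dependency-scan", "findings": [
    {"id": "DEP-libfoo-1.2.3", "severity": "critical", "package": "libfoo",
     "version": "1.2.3", "title": "Known vulnerable version (placeholder)"},
    {"id": "DEP-libbar-0.9.0", "severity": "medium", "package": "libbar",
     "version": "0.9.0", "title": "Outdated version (placeholder)"},
]})
# Constructed suppression file: an accepted risk must name an owner, a reason and an expiry.
SUPPRESSIONS = {
    "DEP-libfoo-1.2.3": {"owner": "platform-team", "reason": "upgrade scheduled",
                         "expires": "2019-12-31"},
}
BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)    # finding ids that fail the build
    suppressed: list = field(default_factory=list)  # ids covered by a valid suppression
    expired: list = field(default_factory=list)     # ids whose suppression has lapsed


def load_findings(*json_docs):
    """Flatten several scanner documents into one stream of findings tagged with their tool."""
    for doc in json_docs:
        data = json.loads(doc)
        for finding in data["findings"]:
            yield {**finding, "tool": data["tool"]}


def evaluate_gate(json_docs, suppressions, today, blocking=BLOCKING_SEVERITIES):
    """Return a GateResult; the build passes only if no blocking finding is left unsuppressed."""
    result = GateResult(passed=True)
    for f in load_findings(*json_docs):
        if f["severity"].lower() not in blocking:
            continue  # low/medium findings are reported elsewhere, not gated here
        suppression = suppressions.get(f["id"])
        if suppression and date.fromisoformat(suppression["expires"]) >= today:
            result.suppressed.append(f["id"])
            continue
        if suppression:
            result.expired.append(f["id"])  # lapsed suppressions block again, on purpose
        result.blocking.append(f["id"])
    result.passed = not result.blocking
    return result


def report(result):
    """Human-readable summary for the pipeline log."""
    lines = [f"gate {'PASSED' if result.passed else 'FAILED'}"]
    lines += [f"  blocking:   {i}" for i in result.blocking]
    lines += [f"  suppressed: {i}" for i in result.suppressed]
    lines += [f"  expired:    {i}" for i in result.expired]
    return "\n".join(lines)


if __name__ == "__main__":
    outcome = evaluate_gate([SAST_OUTPUT, DEP_OUTPUT], SUPPRESSIONS, date.today())
    print(report(outcome))
    sys.exit(0 if outcome.passed else 1)
```

The non-zero exit status is what turns this into a checkpoint: the CI stage that runs it fails, and the release cannot proceed until the finding is fixed or a reviewed suppression with an expiry date is added. Expiring suppressions matter because an accepted risk that never comes back for review quietly becomes permanent.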
DevSecOps is not a bunch of tools or security practices — it is a cultural shift, just like DevOps. It is a natural and necessary response for modern delivery pipelines, one that overcomes the bottleneck we faced in older security models.