The Impact of DevSecOps in Securing Cloud Native Apps

Adding security into DevOps, DevSecOps has become a trend in cloud native app development. We break down the buzzwords to show what it actually means.

InformationWeek Staff, Contributor

March 1, 2021

6 Min Read

DevSecOps is the term used to describe the integration of strong security practices into the DevOps pipeline. Adopting these methods has become a major priority in application development as enterprises increasingly deploy cloud native workloads. But the characteristics that make cloud native applications appealing -- such as immediate scalability and dynamic architectures -- require a paradigm shift in approaches to security.

DevSecOps applies these new security approaches, where security is integrated early in the continuous integration and delivery pipeline (CI/CD), into existing DevOps processes, and is treated as a first priority. These approaches empower fast-moving DevOps teams with early and frequent feedback into security failures along with contextual data, which helps prioritize security fixes before the code is deployed into the runtime environment.

But what is it that makes DevSecOps a good fit for cloud native development? And what are the practices that comprise it?

Why DevSecOps?

DevSecOps practices enable enterprises to achieve a variety of strategic outcomes. The benefits that pertain to security in particular include: 

  • Identifying security and compliance violations earlier in app development

  • Detecting vulnerabilities and malware proactively

  • Minimizing attack surfaces and exploitable real estate

  • Integrating security into the CI/CD pipeline

  • Providing greater security assurance

  • Tracking metrics that can improve development workflows

The state of the art

There is no single framework for DevSecOps. Both the concept and the practice continually evolve to keep pace with the innovations occurring in cloud native app development. This is particularly significant because, as new technologies like containers and serverless become mainstream, organizations need to ensure they assess and adopt new security practices and tools to secure these deployment paradigms. Adopting a DevSecOps posture enables security teams to be proactive against a constantly evolving threat surface.

However, two concepts that help form the core of the DevSecOps process are the development of the modern CI/CD pipeline, and the push to "shift left" by integrating security early into the development pipeline.

This modern cloud native development process comprises four distinct phases: Develop, Distribute, Deploy, and Run. The next few sections show how security can be incorporated into these phases in order to achieve the outcomes outlined earlier.

Develop

The Develop phase has emerged as one of the most critical in this modern process. This is due to the fact that cloud native deployments are increasingly defined in all aspects by code, using artifacts such as infrastructure-as-Code (IaC) and Kubernetes or application dependency manifests. However, these new ‘as code’ technologies have exposed a number of threat and attack vectors. A Unit 42 Cloud Threat Report from 2020 found that: 

  • 42% of CloudFormation and Terraform IaC templates are insecure

  • 51% of Docker containers use insecure defaults

  • 24% of hosts contain known vulnerabilities

  • 43% of cloud databases are unencrypted 

As these technologies grow in popularity, it is imperative to inject security in the develop phase to identify security violations and address them early. The security activities to consider in this phase primarily include: 

  • IaC Scanning to detect security misconfigurations

  • SAST to identify security issues in custom code 

  • SCA to gain visibility into licensing models for 3rd party libraries

  • Kubernetes Manifest scanning to identify security violations in container configurations  

Distribute

The Distribute phase is where container images and other artifacts are built in preparation for the Deploy phase. Major threat vectors here include vulnerabilities in base container images, library dependencies from open source and third-party packages, and potential malware.

Additionally, container images need to be protected from tampering and non-repudiation. A report studying security vulnerabilities found that 356,218 images contained 180 vulnerabilities on average.

The security operations that need to be considered in this phase include: 

  • Vulnerability management (Scanning container registry and images; Detecting malware; Scanning source code library dependencies checked into Git repositories)

  • Security testing, IAST and DAST

  • Image signing for authentication and integrity 

  • Image encryption to ensure confidentiality 

Deploy

The Deploy phase is where DevSecOps teams run final "pre-flight checks" and apply guardrails for the application runtime environment. The security practices in this phase help to validate configurations pertaining to container images and manifests, runtime security and compliance policies, and standards-based best practices such as NIST 800-190, NIST-CSF.

In this phase, your security teams need to ensure that: 

  • Containers are not deployed with excess privileges

  • Only sanctioned and signed container images are deployed

  • Containers have limits set on individual resource consumption

  • Network policies are in place to ensure only sanctioned access

Run

While DevSecOps practices primarily apply to those first three phases, there are a few implications for the runtime environment as well. For example, security teams need to ensure that they have visibility into security events and anomalies emanating from a containers’ process and networking context.

One of the most important security considerations is to ensure that applications are appropriately microsegmented based on identity. The identity of an application is composed of labels, tags, and other descriptive properties that are defined by DevOps teams in either the Distribute or Deploy phases.

Software supply chain security

One final process that deserves to be highlighted is securing the "software supply chain". Cloud native apps are composed of software from a variety of sources: 

  • Custom code

  • Open source software from packages, libraries and modules

  • Third party software and dependencies

Due to this heavy reliance on software obtained from external sources, it is extremely important to have visibility into the software supply chain. Failure to sufficiently validate the integrity of materials and sources in the supply chain can render applications susceptible to attacks and exploits—effectively crippling them. Therefore, enterprises need to put in place the necessary end-to-end checks such as: 

  • Validating the source of third-party software

  • Tracking known vulnerabilities and threats present in third party packages

  • Securing and hardening build and distribution infrastructure

Conclusion

DevSecOps must be an integral part of any enterprise cloud strategy. The constituent processes of DevSecOps ensure that security is integrated early in the application development pipeline, attack surfaces are reduced, and security can scale to meet the dynamic needs of cloud native applications.

DevSecOps practices combined with cloud native security tools can ensure that security teams and DevOps teams are able to achieve the common goals of securely deploying and running production applications.

Vinay Venkataraghavan has extensive experience in architecting and building cloud native and containerized applications as well as security products. He is an active member of the CNCF Sig-Security WG and is passionate about sharing his security knowledge with the community. Vinay has spoken at many conferences including AWS re:Invent, Google Cloud Next, and Microsoft Ignite, among others, and has helped enterprises secure their digital and cloud footprint. He believes that security does not have to be difficult to adopt and that automation along with DevSecOps is a winning combination. He has built numerous solutions and integrations that have made security, cloud native.

 

About the Author(s)

InformationWeek Staff

InformationWeek Staff

Contributor

See more from InformationWeek Staff
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

NHL's Calgary Flames at New Jersey Devils on February 8, 2024 in Newark, NJ
IT Infrastructure
NHL, Presidio, and a Transformation Power Move with Hybrid CloudNHL, Presidio, and a Transformation Power Move with Hybrid Cloud
byJoao-Pierre S. Ruth
Apr 5, 2024
6 Min Read
Online Privacy Security Threat Abstract Background Art
Cyber Resilience
Cyber Risks When Job Hunters Become the HuntedCyber Risks When Job Hunters Become the Hunted
byCarrie Pallardy
Apr 9, 2024
9 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Hand charging an electric car, leaves and butterflies emerge from the cars exhaust, idea of sustainable transportation. Green energy, eco friendly
Sustainability
Sustainable Transportation Takes OffSustainable Transportation Takes Off
bySamuel Greengard
Mar 26, 2024
5 Min Read
Robotic hand takes a slice out of a coin, representing money
Machine Learning & AI
Special Report: What's Next for the GenAI Market in 2024?Special Report: What's Next for the GenAI Market in 2024
bySara Peters
Mar 12, 2024
3 Min Read
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now