March 1, 2021
DevSecOps is the term used to describe the integration of strong security practices into the DevOps pipeline. Adopting these methods has become a major priority in application development as enterprises increasingly deploy cloud native workloads. But the characteristics that make cloud native applications appealing -- such as immediate scalability and dynamic architectures -- require a paradigm shift in approaches to security.
DevSecOps applies these new security approaches, where security is integrated early in the continuous integration and delivery pipeline (CI/CD), into existing DevOps processes, and is treated as a first priority. These approaches empower fast-moving DevOps teams with early and frequent feedback into security failures along with contextual data, which helps prioritize security fixes before the code is deployed into the runtime environment.
But what is it that makes DevSecOps a good fit for cloud native development? And what are the practices that comprise it?
DevSecOps practices enable enterprises to achieve a variety of strategic outcomes. The benefits that pertain to security in particular include:
Identifying security and compliance violations earlier in app development
Detecting vulnerabilities and malware proactively
Minimizing attack surfaces and exploitable real estate
Integrating security into the CI/CD pipeline
Providing greater security assurance
Tracking metrics that can improve development workflows
The state of the art
There is no single framework for DevSecOps. Both the concept and the practice continually evolve to keep pace with the innovations occurring in cloud native app development. This is particularly significant because, as new technologies like containers and serverless become mainstream, organizations need to ensure they assess and adopt new security practices and tools to secure these deployment paradigms. Adopting a DevSecOps posture enables security teams to be proactive against a constantly evolving threat surface.
However, two concepts that help form the core of the DevSecOps process are the development of the modern CI/CD pipeline, and the push to "shift left" by integrating security early into the development pipeline.
This modern cloud native development process comprises four distinct phases: Develop, Distribute, Deploy, and Run. The next few sections show how security can be incorporated into these phases in order to achieve the outcomes outlined earlier.
The Develop phase has emerged as one of the most critical in this modern process, because cloud native deployments are increasingly defined in all aspects by code, using artifacts such as Infrastructure-as-Code (IaC) and Kubernetes or application dependency manifests. However, these new ‘as code’ technologies have exposed a number of threat and attack vectors. A Unit 42 Cloud Threat Report from 2020 found that:
42% of CloudFormation and Terraform IaC templates are insecure
51% of Docker containers use insecure defaults
24% of hosts contain known vulnerabilities
43% of cloud databases are unencrypted
As these technologies grow in popularity, it is imperative to inject security in the develop phase to identify security violations and address them early. The security activities to consider in this phase primarily include:
IaC Scanning to detect security misconfigurations
SAST to identify security issues in custom code
SCA to gain visibility into licensing models for 3rd party libraries
Kubernetes Manifest scanning to identify security violations in container configurations
The Distribute phase is where container images and other artifacts are built in preparation for the Deploy phase. Major threat vectors here include vulnerabilities in base container images, library dependencies from open source and third-party packages, and potential malware.
Additionally, container images need tamper protection and non-repudiation. A report studying security vulnerabilities found that 356,218 images contained 180 vulnerabilities on average.
The security operations that need to be considered in this phase include:
Vulnerability management (Scanning container registry and images; Detecting malware; Scanning source code library dependencies checked into Git repositories)
Security testing, IAST and DAST
Image signing for authentication and integrity
Image encryption to ensure confidentiality
The Deploy phase is where DevSecOps teams run final "pre-flight checks" and apply guardrails for the application runtime environment. The security practices in this phase help to validate configurations pertaining to container images and manifests, runtime security and compliance policies, and standards-based best practices such as NIST 800-190 and NIST-CSF.
In this phase, your security teams need to ensure that:
Containers are not deployed with excess privileges
Only sanctioned and signed container images are deployed
Containers have limits set on individual resource consumption
Network policies are in place to ensure only sanctioned access
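One way to automate the four checks above, as an added example that is not code from the article: a Python function that inspects a Pod manifest already parsed into a dict. The registry allowlist, sample manifests and finding messages are constructed assumptions, and the digest pin is only the precondition for signature verification, which a separate admission-time tool would perform.

```python
# Added example: Deploy-phase pre-flight checks on a Pod manifest (as a dict).
# Registry allowlist and sample manifests are constructed assumptions.
SANCTIONED_REGISTRIES = ("registry.example.internal/",)  # hypothetical

def check_pod(pod, network_policies):
    """Return findings for one Pod against the four Deploy-phase checks."""
    findings = []
    meta = pod["metadata"]
    for c in pod["spec"].get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        # 1. No excess privileges (escalation is allowed unless set to False).
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # 2. Sanctioned source and digest pin; the signature itself is
        #    verified at admission by a separate tool, not shown here.
        image = c.get("image", "")
        if not image.startswith(SANCTIONED_REGISTRIES):
            findings.append(f"{name}: image from unsanctioned registry")
        if "@sha256:" not in image:
            findings.append(f"{name}: image not pinned by digest")
        # 3. CPU and memory limits are set.
        limits = c.get("resources", {}).get("limits", {})
        findings += [f"{name}: no {r} limit" for r in ("cpu", "memory")
                     if r not in limits]
    # 4. A NetworkPolicy in the same namespace selects this pod
    #    (matchLabels only; matchExpressions are not evaluated).
    labels, ns = meta.get("labels", {}), meta.get("namespace", "default")
    covered = any(
        np["metadata"].get("namespace", "default") == ns
        and all(labels.get(k) == v for k, v in
                np["spec"].get("podSelector", {}).get("matchLabels", {}).items())
        for np in network_policies)
    if not covered:
        findings.append("pod: no NetworkPolicy selects this pod")
    return findings

# Constructed sample manifests: one risky, one hardened.
META = {"name": "web", "namespace": "shop", "labels": {"app": "web"}}
RISKY_POD = {"metadata": META, "spec": {"containers": [{
    "name": "web", "image": "docker.io/library/nginx:latest",
    "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"metadata": META, "spec": {"containers": [{
    "name": "web",
    "image": "registry.example.internal/shop/web@sha256:" + "0" * 64,
    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False},
    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
POLICIES = [{"metadata": {"name": "web-only", "namespace": "shop"},
             "spec": {"podSelector": {"matchLabels": {"app": "web"}}}}]
```

Run as a pipeline gate, `check_pod(RISKY_POD, [])` returns seven findings and `check_pod(HARDENED_POD, POLICIES)` returns none, so a non-empty result can fail the deployment step.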
While DevSecOps practices primarily apply to those first three phases, there are a few implications for the runtime environment as well. For example, security teams need to ensure that they have visibility into security events and anomalies emanating from a container's process and networking context.
One of the most important security considerations is to ensure that applications are appropriately microsegmented based on identity. The identity of an application is composed of labels, tags, and other descriptive properties that are defined by DevOps teams in either the Distribute or Deploy phases.
Software supply chain security
One final process that deserves to be highlighted is securing the "software supply chain". Cloud native apps are composed of software from a variety of sources:
Open source software from packages, libraries and modules
Third party software and dependencies
Due to this heavy reliance on software obtained from external sources, it is extremely important to have visibility into the software supply chain. Failure to sufficiently validate the integrity of materials and sources in the supply chain can render applications susceptible to attacks and exploits—effectively crippling them. Therefore, enterprises need to put in place the necessary end-to-end checks such as:
Validating the source of third-party software
Tracking known vulnerabilities and threats present in third party packages
Securing and hardening build and distribution infrastructure
DevSecOps must be an integral part of any enterprise cloud strategy. The constituent processes of DevSecOps ensure that security is integrated early in the application development pipeline, attack surfaces are reduced, and security can scale to meet the dynamic needs of cloud native applications.
DevSecOps practices combined with cloud native security tools can ensure that security teams and DevOps teams are able to achieve the common goals of securely deploying and running production applications.
Vinay Venkataraghavan has extensive experience in architecting and building cloud native and containerized applications as well as security products. He is an active member of the CNCF Sig-Security WG and is passionate about sharing his security knowledge with the community. Vinay has spoken at many conferences including AWS re:Invent, Google Cloud Next, and Microsoft Ignite, among others, and has helped enterprises secure their digital and cloud footprint. He believes that security does not have to be difficult to adopt and that automation along with DevSecOps is a winning combination. He has built numerous solutions and integrations that have made security cloud native.