Integrating security into DevOps to deliver DevSecOps is no easy task: It requires changing the team’s mindset, processes, and technology. Each company’s ultimate goal should be to keep DevOps collaborative and agile, which means making security silent in DevSecOps. To accomplish this, your team will require very close integration with security systems. This calls for maximum security integration throughout the software development lifecycle.
Ideally, every team could integrate security and compliance testing seamlessly into DevSecOps so that developers don’t have to leave their continuous integration tool. While there are many challenges in achieving this, it doesn’t mean it’s impossible. Let’s take a look at these challenges, the stages of DevSecOps integration, and recommendations for their implementation.
The Challenges of Implementing Security in DevOps
To begin with, a pre-understanding of DevOps is very necessary. Before any team considers getting started with DevSecOps, they should have well-implemented DevOps processes already in place. Many organizations are still at the learning curve when it comes to DevOps, and thus are still in the process of establishing a DevOps toolchain.
Since it involves minimum intrusion from the security team, product teams need to adopt new security tools — which should be a decision made by both security and existing DevOps using the technical team. However, the integration and automation of different or new tools are very complex. Also, native integration is offered by very few vendors, so security practitioners at a lot of companies need to test and implement these integrations themselves.
Many teams start out by measuring the number of vulnerabilities as a metric to success, but that’s actually not an effective way to judge a security platform. Additionally, business logic testing still needs a lot of manual effort and should not be included in DevSecOps. Companies should avoid trying to build perfect security during DevSecOps. In fact, implementing complete security might actually be against speed and end up violating your DevSecOps’ prime objective. Also, teams need to implement code ownership by signing and time stamping code post every stage of testing.
It may seem overwhelming to overcome all these challenges, but it is possible if you follow a few key tips.
Tips for how to better implement security in your software lifecycles
Firstly, each team should work with project leads to conclude which projects might be a good fit for DevSecOps, depending on each project’s criticality and security risks. Once you have the right projects in mind, you can begin by ensuring all your security tools or services are fully API-enabled, and then initiate your security and compliance scanning via APIs rather than native consoles. Never try to eliminate all vulnerabilities during development — instead, ensure that you’re reducing false positives, even at the risk of false negatives. Developers should also address any detected issues through their existing bug tracking process, and all issues should have actionable feedback from the tool and come in a developer-friendly format.
Product leads should also look for fresh tools and/or systems for security implementation that favors developers and can be positioned to integrate into the developer’s current platforms and CI/CD toolchains. Try to use the latest security practices; for example, the IAST for application testing. Traditional security testing platforms were not designed for speed with accuracy, but these newer platforms certainly are.
Finally, security tools shouldn’t require a security expert to run, configure or interpret the results. You should train developers on the basics of security, without forcing them to become complete security experts. For starters, you can enable them with guides like the OWASP Top 10 and how to avoid these vulnerabilities while coding. This will arm your team to create better DevSecOps processes, without requiring new expert hires or a complete rebuild of software.
6 Key Stages for Implementing DevSecOps
The implementation of DevSecOps into your software lifecycles should happen in the form of six key stages. If your team follows the above recommendations combined with the below stages, you’ll be sure to learn how to successfully implement DevSecOps.
-
Plan: This first stage is possibly the most important, as it will decide all the tools that will be used to cover the required security aspect for the project. This stage should include threat modeling, security requirement gathering, and security training, in addition to understanding what all to cover as a security aspect in the project.
-
Create: This is where you need to include IDE integration. Most of the architectural review is done here. Also, one can perform an open-source check at this stage. The main goal here is to start catching basic errors early on.
-
Verify: Testing reused codes/libraries and custom code. For reused libraries, one can perform SCA (Software Composition Analysis). For custom code, one can use testing methodologies like SAST or DAST. SAST can be done in the source code and also on the binary of the application or executable application.
-
Pre-Production: Automated DAST and IAST can be run for application testing at pre-production. Some of the known ways of testing here are input-fuzzing and chaos monkey style testing. Most of the tests here are run on completely ready applications, and testing time varies. It can be an ongoing activity as well, but a lot of tests here are based on randomness. There is no fixed time to run these tests; they may vary from just a few minutes to days.
-
Release: Apply time-stamp signatures mentioning all the tests that have been done and verify that the required security and compliance tests have been completed.
-
Monitor: Ensure that once it is in production, there is a constant check on any irregularities. Detecting those irregularities early can save you from a breach, so it is very important to implement a strong continuous monitoring program. Input from here should further strengthen your DevSecOps as, and when, new vulnerabilities are detected.
As every product team knows, it’s no easy feat to implement DevOps, let alone DevSecOps. But by following these recommendations and precisely implementing each stage, your team can finally create secure DevOps and a clear-cut process to guide you going forward.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.