The Rise of DevSecOps
By Ashish Chhatani - Mar 21, 2019
Information security has come a long way, but there is still a lot that needs to be done. Security has always been seen as a compliance requirement or a gate check to pass rather than a practice. With the emergence of the cloud came the rise of DevOps. DevOps is nothing but a bridge between the Dev and Ops teams; its set of automated tools made their lives faster, easier and more efficient. But again, where is the security? Security was not in the picture here.
The current approach and the need for DevSecOps
As new vulnerabilities and breaches came to light, an environment was created where security became the talk of the town. Yet security is introduced at the later stages of the development life cycle, and even then only for the sake of doing it. Developers are always in a rush to meet deadlines. They don't want to risk any delay, but by doing so they put the entire application on edge, releasing it to the production environment with vulnerabilities. Even if the severity of a vulnerability is medium, there is always a risk associated with it. Hackers are smart enough to identify a small loophole, sneak into the application and make the most of it.
Currently security is placed at the end of the SDLC: the app is ready to deploy and only then are security tests conducted. As I said earlier, the app is ready to deploy and the deadline comes closer, so whatever findings come out of the pen-test or any other activity are not given enough attention. Even if the vulnerability severity is on the higher side, risk exceptions are raised. That is not the ideal way to deal with it. Developers always take the shortest path, applying stable solutions rather than secure ones, and to some extent you can't blame them entirely. Organisations need to focus on a security-centric environment, and developers must get time to address the issues identified in security operations, be it a pen-test, SAST or any other activity.
There is a significant change in how apps were developed and how they are developed now. Agile methodology has replaced waterfall, and that seems to be great for developers: by adopting it, delivery is aligned with business needs in a more efficient and rapid way.
But again, in order to achieve rapid delivery and quick updates, serious questions come up. Is security in place for every single update or release? Are the checks done? Is the app secure enough for GA? Consider a scenario where an application has an update cycle of 14 days. Is that timeline enough to get the QA and AppSec tests done, and not only the tests but the fixes as well? To address these questions, it was time to shift left and introduce DevSecOps.
What is DevSecOps?
So the quick question comes up: what is DevSecOps? As the name indicates, Security comes in between Dev and Operations. Security is aligned with the entire process to reduce the risk in the initial phase of the dev cycle. DevSecOps involves creating a 'Security as Code' culture with ongoing, flexible collaboration between release engineers and security teams.
Security starts from the word go in the development cycle, and engineers can adopt the changes required to fix the vulnerabilities as they go.
While DevOps has enabled teams to automate and monitor activities at all steps of the SDLC, DevSecOps makes that stronger by introducing various security checks. This gives dev teams ample time to address issues and eliminate or reduce the risk of having a vulnerable application in the production environment. DevSecOps should be implemented in such a way that it does not overburden the teams; the integration needs to be seamless and effective. Security is not only the AppSec or InfoSec team's responsibility. It is everyone's responsibility.
Perks and Limitations
- More secure applications in prod environments
- More time for developers to rectify the issues
- Identification of vulnerabilities and other low hanging fruits in the initial stage
- Effective coordination between Dev, Ops and Sec teams
- Rapid delivery with increased security and quality output
- Integration of security scanners for containers
- Automating security testing in the process of CI
- Automation of security updates, such as patches for known vulnerabilities on the go
- Automating system and service configuration management capabilities
- Securing API Gateways in real time
One thing to keep in mind is that DevSecOps doesn't address all security issues, but it is definitely an approach to have security in the picture and identify weaknesses and loopholes in every phase of the SDLC. Also, tools have their own limitations. You cannot expect every vulnerability identified by an automated scanner or tool to be accurate. There will be false positives for sure, but there is still value in introducing the tools early in the cycle.
DevSecOps implementation should not disrupt operations, and it should be well integrated with the latest and innovative techs like containers and microservices. Automation is the key to DevSecOps. There are already tons of tools available for DevOps in the market, Jenkins and git being the popular and leading ones; they should be in the core foundation of your org's DevOps pipeline. From the security perspective, too, there are plenty of tools to choose from. You have to select the tool best suited to your needs, one that is effective at identifying vulnerabilities and gets the job done. The tool with the lower false positive ratio will be the ideal one.
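As an added example (not code from the original post or from any of the tools named on this page), here is the kind of gate a CI security scan needs in practice: it reads scanner findings in a constructed, made-up JSON shape, applies a triaged suppression list so known false positives do not block every build, time-boxes risk exceptions so they expire and get re-triaged rather than forgotten, and fails the build only on what remains at or above the chosen severity.

```python
"""Constructed CI security gate: threshold + suppression list -> pass/fail (example code)."""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output in a made-up JSON shape (no real tool's format).
SCAN_OUTPUT = json.dumps({"findings": [
    {"id": "SAST-001", "rule": "sql-injection", "severity": "high", "file": "app/db.py"},
    {"id": "SAST-002", "rule": "weak-hash-md5", "severity": "medium", "file": "app/cache.py"},
    {"id": "SAST-003", "rule": "debug-flag-on", "severity": "low", "file": "app/settings.py"},
]})
# Constructed accepted-risk list: triaged false positives and time-boxed risk
# exceptions. An entry stops suppressing once its expiry date has passed.
SUPPRESSIONS = [
    {"id": "SAST-002", "reason": "hash keys a cache, not passwords", "expires": "2099-01-01"},
    {"id": "SAST-003", "reason": "fix planned for next sprint", "expires": "2019-01-01"},
]

@dataclass
class GateResult:
    blocking: list = field(default_factory=list)    # unsuppressed, at/above threshold
    suppressed: list = field(default_factory=list)  # covered by an active exception
    expired: list = field(default_factory=list)     # exceptions that need re-triage

def evaluate_gate(scan_json, suppressions, threshold, today_iso):
    """Classify findings against the severity threshold and the suppression list."""
    findings = json.loads(scan_json)["findings"]
    today = date.fromisoformat(today_iso)
    result = GateResult()
    active = set()
    for s in suppressions:
        if date.fromisoformat(s["expires"]) > today:
            active.add(s["id"])
        else:
            result.expired.append(s["id"])
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[threshold]:
            continue  # below the gate: reported to developers but does not block
        (result.suppressed if f["id"] in active else result.blocking).append(f["id"])
    return result

def gate_passes(result):
    return not result.blocking  # build proceeds only when nothing is left blocking

if __name__ == "__main__":
    res = evaluate_gate(SCAN_OUTPUT, SUPPRESSIONS, "medium", "2019-03-21")
    print(f"blocking={res.blocking} suppressed={res.suppressed} expired={res.expired}")
    raise SystemExit(0 if gate_passes(res) else 1)
```

Run as a pipeline step, the non-zero exit status is what makes Jenkins (or any CI server) mark the build failed; the expired list is the signal to revisit exceptions that were granted under deadline pressure.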
Some of the tools on the market:
- Checkmarx, Veracode and Fortify
- OWASP ZAP, WhiteSource, Continuum Security, Qualys WAS
- CloudPassage and Aqua
- Immunio, Contrast Security
- Qualys, DefectDojo, Vulcan