DevSecOps Framework – The Big Picture
Secure DevOps, DevSecOps, App Risk, App Sec, and shifting left have become increasingly popular terms in cybersecurity.
Organizations face misconfigurations and other security issues and challenges and struggle with implementing a secure DevSecOps approach and frameworks. One of them is the rapid increase in volume and speed of delivery of applications, and the other like the complexity between the development process and security, or the fact that cyberattacks on applications have increased.
Cybersecurity teams are stretched to their limits with the lack of cybersecurity professionals and security skillsets. So remember, DevSecOps isn’t a silver bullet.
This post will take you on the first steps and other initial information in the #DevSecOps areas.
DevSecOps in a Nutshell
DevSecOps integrates security into continuous integration, continuous delivery, and continuous deployment pipeline. By incorporating DevOps values into software security, security verification becomes an active, integrated part of the development process.
Like DevOps, DevSecOps is a methodology that combines project management workflows with automated IT tools. DevSecOps integrates operational security audits and testing into agile development and DevOps workflows into the product rather than applied to a finished product.
To implement DevSecOps, teams should:
- Introduce security throughout the software development lifecycle to minimize vulnerabilities in software code.
- Ensure the entire DevOps team, including developers and operations teams, share responsibility for following security best practices.
- Enable automated security checks at each software delivery stage by integrating security controls, tools, and processes into the DevOps workflow.
With DevSecOps, security should be applied to each phase of the typical DevOps pipeline: plan, code, build, test, release, and deploy.
Continuous is a differentiated characteristic of a DevOps pipeline. This includes continuous integration, delivery/deployment (CI/CD), continuous feedback, and continuous operations. Instead of one-off tests or scheduled deployments, each function occurs ongoing.
Plan – The plan phase is the minor automated phase of DevSecOps, involving collaboration, discussion, review, and strategy of security analysis. Teams should perform a security analysis and create a plan that outlines where, how, and when security testing will be done.
Code – DevSecOps tools help developers write more secure code for the code phase. Important code-phase security practices include static code analysis, code reviews, and pre-commit hooks. When security tools plug directly into developers’ existing Git workflow, every commit and merge automatically triggers a security test or review. These tools support different programming languages and integrated development environments.
Build – The build phase begins once developers commit code to the source repository. DevSecOps build tools focus on automated security analysis against the build output artifact. Essential security practices include software component analysis, static application software testing (SAST), and unit tests. Tools can be plugged into an existing CI/CD pipeline to automate these tests.
Test – The test phase is triggered after a build artifact is created and successfully deployed to staging or testing environments. This phase should fail fast so that the more expensive test tasks are left for the end. A comprehensive test suite takes a considerable amount of time to execute.
The test phase uses dynamic application security testing (DAST) tools to detect live application flows like user authentication, authorization, SQL injection, and API-related endpoints. The security-focused DAST analyzes an application against a list of known high-severity issues, such as those listed in the OWASP Top 10.
Release – By the release phase of the DevSecOps cycle, the application code and executable should already be thoroughly tested. The phase focuses on securing the runtime environment infrastructure by examining environment configuration values such as user access control, network firewall access, and secret data management.
The principle of least privilege (PoLP) is a key concern of the release phase. PoLP means that any user, program, or process has minimum access to perform its function. This involves auditing API keys and access tokens so that the owners have limited access. Without this audit, an attacker may find a key that has access to unintended areas of the system.
Deploy – If the previous phases pass successfully, it’s time to deploy the build artifact to production. The security areas of concern to address during the deployment phase are those that only happen against the live production system. For example, any differences in configuration between the production environment and the previous staging and development environments should be thoroughly reviewed. Production TLS and DRM certificates should be validated and checked for upcoming renewal.
Continuous security – Once an application is deployed and stabilized in a live production environment, additional security measures are required. Companies need to monitor and observe the live application for any attacks or leaks with automated security checks and security monitoring loops.
Runtime application self-protection (RASP) automatically identifies and blocks inbound security threats in real-time. RASP acts as a reverse proxy that observes incoming attacks and enables the application to reconfigure automatically without human intervention in response to clear conditions.
So, what do you need to close the loop from detection to remediation? You need to start with the little things.
What’s your DevSecOps framework look like? From Code to Incident Response? is that so?
Securing DevOps is a complex undertaking. The DevOps frameworks and tools grow and change very fast. API, Containers, and Kubernetes add more complexity and open up new attack vectors and security risks.
We all know that development and operations teams must make security an integral part of the entire application life cycle to safeguard critical IT infrastructure, protect confidential data, and keep pace with change.
– Platform Security
– Vulnerability and Config management
– Identity and Access management
– Network Controls
– Data Controls
– Runtime Analysis
– Monitoring and Remediation
– Incident Response
You should take this framework diagram and ask yourself which one I already cover and which one will be the next.
Securing DevOps is a complex undertaking; DevOps tools grow and change quickly. Containers and Kubernetes add more complexity and open up new attack vectors and security risks. Development and operations teams must make security an integral part of the entire application life cycle to safeguard critical IT infrastructure, protect confidential data, and keep pace with change.
DevSecOps framework can provide a solid foundation and blueprint for delivering secure #DevOps solutions that are less complex to deploy and easy to understand and know the big picture. This framework helps you reduce risk by simplifying DevOps security and accelerating DevSecOps adoption. The following DevSecOps framework addresses essential security requirements throughout the DevOps lifecycle as part of a comprehensive defense-in-depth security strategy.
Securing your Kubernetes platform is fundamental. Downloading and installing Kubernetes is easy. But getting it ready to support business-critical applications in a secure, reliable, and scalable manner can be challenging. Deployment and management of Kubernetes continue to be the top two challenges for enterprises. Kubernetes container platform eliminates complexity, removes adoption barriers, and includes a variety of built-in platform security features.
The DevSecOps framework provides foundational features for securing the underlying container host Enterprise Linux and CoreOS as well the container platform. Most security features are enabled by default to help simplify deployment and minimize risk. These features help secure containers at their boundaries and protect the host from container escapes.
Platform Security security methods include:
- Linux namespaces isolate applications across teams, groups, and departments.
- Kubernetes and container hardening apply standards like NIST and CIS Benchmarks.
- Container platform security provides a lightweight container runtime and a secure container image registry.
- Host security provides mandatory access controls with SELinux, kernel facilities for controlling system calls with secure computing mode, and kernel features for isolating CPU, memory, and other resources.
Range of Security Methods – DevSecOps framework identifies security categories, methods, and technologies that address the entire application life cycle. The framework places built-in capabilities, DevOps toolchains, and security solutions at crucial integration points in the pipeline. You can implement some or all the methods/technologies within a category, depending on the scope of your DevOps environment and your specific requirements.
Vulnerability and Configuration Management
Vulnerability and configuration management functions help improve, identify, classify, and resolve application, configuration, and container image security defects. These methods help incorporate security into the DevOps life cycle early, saving time and money.
Vulnerability and configuration management methods include:
- Static application security testing (#SAST) analyzes code under development for vulnerabilities and quality issues.
- Software composition analysis (#SCA), which examines dependent packages included with applications, looks for known vulnerabilities and licensing issues.
- Interactive application security testing (#IAST) and Dynamic application security testing (#DAST) tools analyze running applications to find execution vulnerabilities.
- Image risk is any risk associated with a container image. This includes vulnerable dependencies, embedded secrets, wrong configurations, malware, or images that are not trusted.
- Configuration management with analysis and control of application and infrastructure configurations in DevOps. Traditionally this was not used as a way to improve security. But properly managing configurations in a #GitOps process can strengthen security by improving change controls, identifying configuration defects that can reduce the attack surface, and signing and tracking authorship for better accountability and improvement opportunities.
Identity and Access Management
Identity and access management (IAM) methods control access to on-premise and cloud assets, applications, and data based on user or application identity and administratively defined policies. IAM methods are found in every stage of the DevOps life cycle and can help protect against unauthorized system access and lateral movement.
IAM methods include:
- Authentication, verifying the identity of users, services, and applications.
- Authorization, granting the authenticated users access to specific resources or functions. In the Kubernetes context, this is commonly referred to as role-based access controls (#RBAC), which grant collections of users access to resources or functions based on their job responsibilities, simplify administration and onboarding, and reduce privilege creep.
- Provenance is the ability to verify the identity or authenticity of a code or an image, typically through some digital signature or attestation record.
- Identity providers, secrets vaults, and hardware security modules (HSM), allowing DevOps teams to manage and safeguard security credentials, keys, certificates, and secrets, while at rest and in transit.
Compliance methods and technologies help you adhere to industry and government regulations and corporate policies. These capabilities support automated compliance validation and reporting throughout the DevOps pipeline, helping you simplify audits and avoid costly regulatory fines and lawsuits.
Compliance methods include:
- Compliance audits are a function that typically scans a config, container, cluster, or system to report if the object in question complies or not.
- Compliance controls incorporate automation with technical management. This can help automate and enable proper actions or prevent actions that would result in noncompliance.
These methods help improve compliance with a variety of data privacy and information security mandates:
- EU General Data Protection Regulation (GDPR)
- ISO 27001 information security management standard
- Payment Card Industry Data Security Standard (PCI-DSS)
Network controls and segmentation methods allow you to control, segregate, and visualize Kubernetes traffic. These methods help you isolate tenants, and secure communication flows between containerized applications and microservices.
Network controls and segmentation methods include:
- API management, controlling access to APIs, and securing API traffic.
- A hardened Service Mesh provides network segmentation, visualization, authentication, and authorization for containerized applications and microservices.
- Packet analysis, capturing live pod network traffic to debug issues in the communication between services typically.
- Kubernetes network security policies control traffic flows at the IP address or port level and can be enhanced with cluster ingress and egress traffic controls, logging, and network visualization.
- Software-defined networking (SDN) provides a programmable, adaptable network fabric that is provisioned in real-time to support dynamic networking security requirements and is typically implemented with a container networking interface (CNI).
Data control methods and technologies help protect data integrity and prevent unauthorized data disclosure. These tools protect data at rest and data in motion, allowing you to safeguard intellectual property and confidential customer information.
Data controls include:
- Data protection, discovering and classifying data—monitoring and auditing activity—to help protect sensitive data and improve compliance.
- Data encryption provides data cryptography, tokenization, data masking, and key management capabilities to help prevent unauthorized disclosure of data in databases, files, and containers.
Production runtime methods help maintain cluster hygiene by identifying and mitigating suspicious and malicious activity in real-time.
Runtime analysis and protection methods include:
- Threat defense and runtime application self-protection (#RASP) detect and block cyberattacks in real-time.
- The admission controller functions as a Kubernetes gatekeeper that governs and enforces what is allowed to run on the cluster.
- Runtime application behavioral analysis examines system activity and intelligently detects suspicious or malicious actions in real-time.
Audit and monitoring methods provide information about security incidents in your production environment. These methods describe when the event occurred and provide probable cause and impact data, helping you improve visibility and accelerate incident response.
Audit and monitoring methods include:
- Monitoring Kubernetes and pod processes for malicious activity and providing visibility into the platform logs.
- SIEM centralizes event reporting by consolidating logs and network flow data from distributed devices, endpoints, and applications.
- Forensics, deep data collection which provides insights into security breaches, provides evidence to support compliance audits and accelerates recovery efforts.
Remediation methods automatically take corrective actions when security incidents occur in production. They help you improve uptime and avoid data loss.
Remediation methods include:
- Automated resolution to issues related to Kubernetes configuration errors and policy infractions.
- Security orchestration, automation, and response (#SOAR) platforms automate actions in response to security incidents and integrate with other security tools.
The DevSecOps framework lays a reliable and scalable foundation to help you expand DevOps security and reduce risk.
Automation can play a significant role in making DevSecOps a strategic initiative for companies. Automation is Critical for Making DevSecOps and is most effective for development and security teams. It needs to be automated.
Security automation can be helpful when it is part of the testing practices and typically involves the following main stages as much it possible.
- End-to-end testing validates that the application meets the user’s expectations.
- Unit testing validates individual code units, such as a function, so it works as expected.
- Integration testing ensures that several pieces of code can work together without unintended consequences.
- Exploratory testing takes an unstructured approach to review numerous areas of an application from the user’s perspective, to uncover functional or visual issues.
Defining DevSecOps – DevSecOps is the practice of integrating security functions into a cloud platform-based software development and operations lifecycle. DevSecOps involves creating a ‘Security as Code’ culture with a complete focus on automation to allow for scale and efficiency. Automation is critical! As more cloud platforms are being adopted by Government and Commercial entities, Incident Response procedures and techniques must keep pace with these changes.
Incident Response – There is an increasing focus on incidence response and reporting, such as DFARS 7012. HIPAA and many other regulatory standards require the ability to respond to incidents and report them on time rapidly. It is also essential to capture all incident data to investigate appropriately.
A few key steps to incident handling are based on the NIST SP 800-61 R2 special publication on incident management. Key steps include rapid detection and analysis as well as post-incident activity. The basic premise is to have an effective continuous monitoring and alerting system.
The role of the SOC
DevSecOps can be assisted via a SOC of some form. Here are some methods by which a SOC can modernize its processes.
- SOC Advisory should be able to quickly contact the SOC and liaise with the top security experts of the organization.
- Threat Hunting with the DevOps team can communicate directly with dev or ops teams to address security gaps at their core, rather than isolating a threat and reporting it to management.
- Developing a SOC & DevOps member can assist with the incident response. They have an in-depth understanding of IT systems and can gain knowledge of vulnerabilities and threats from security staff.
- Creating Security Centers can work with specific dev and operation groups to put in place security best practices. They can convey these favorable results to the entire organization to encourage DevSecOps practices.
Do you’ve got any questions and gaps about secure DevOps? You are invited to join the DevSecOps Community channel.