Infosec expert viewpoint: DevOps security
A Ponemon Institute survey of nearly 1,250 global public sector IT decision makers and managers revealed that public sector organizations undergoing digital transformation are losing confidence in IT operations’ ability to manage the influx of new technologies and evolving citizen and mission expectations. Despite the rising complexity of IT, respondents see promise in DevOps to help achieve future mission success.
According to Enterprise Strategy Group research, 45 percent of respondents whose organization has adopted formal DevOps principles and best practices indicate DevOps makes the software development team’s job easier, and only eight percent feel adding application security into the development process would slow down a DevOps environment. This is contrary to the common perception that a focus on security will slow down software development.
Here’s what infosec experts think about taking advantage of DevOps security to make enterprises more secure.
Elizabeth Lawler, Vice President, DevOps Security at CyberArk
DevOps security is becoming increasingly top of mind for today’s organizations – and for good reason. Forward-thinking organizations are embracing DevOps to accelerate application delivery, automate manual IT tasks and reduce costs, but many are leaving themselves exposed to unnecessary security risk.
That’s because they’re expanding their attack surfaces in adopting cloud-based environments and DevOps pipelines without really knowing where privileged accounts exist. Surprisingly, CyberArk’s 2018 Global Advanced Threat Landscape survey found that 75 percent of security professionals have no privileged account security strategy for DevOps, and 37 percent say compromised DevOps tools and environments represent one of their organization’s greatest security vulnerabilities.
Enterprises must let go of the notion that DevOps and security don’t mix – they do, and they should be tightly integrated from the get-go. CISOs need to drive this shift-security-left approach and ensure that automated security rules are built into infrastructure, especially at the onset of the development cycle. There should be one dedicated technology tool and a single security stack that can seamlessly connect with DevOps tools and other enterprise security solutions. From there, they can implement a scalable security posture that’s constantly improved as new iterations of tools are developed, tested and released. This singular approach will help unite the fragmented processes and technologies that govern cybersecurity, privacy and regulatory compliance.
Ultimately, it’s up to CISOs to ensure that while only a small number of individuals are implementing security, all employees – regardless of role – are covered by good security policies. That’s key in empowering high-velocity and connected systems, without compromising on security.
Matthew Rose, Global Director Application Security Strategy at Checkmarx
In talking to companies all over the U.S., it is almost unanimous that DevOps is here to stay. DevOps modernizes the software development life cycle and deployment to account for the way businesses are run. I would say 90-95% of enterprise companies have some sort of DevOps initiative and are investing significant time and resources into the DevOps initiative. Organizations that have truly implemented DevOps are already seeing significant results in terms of application quality and speed to market.
Along with the benefits of creating effective and efficient software applications, DevOps can ensure organizations are secure by simply following the integration and automation process that already exists within development.
If security is bolted on as an addition or implemented outside of the DevOps process – instead of automated like CI/CD and baked into the practice – it will not be successful. This removes the manual aspect of security testing which produces push back from developers and DevOps players. However, DevOps players are not security experts and their primary goal is releasing quality software faster.
To excel in secure development, CISOs need to include security in ALL discussions associated with DevOps, beginning in the planning stages. If security isn’t part of the process from the beginning, the whole DevOps program will be flawed, thus limiting the effectiveness of said program.
Lori MacVittie, Principal Technical Evangelist at F5 Networks
Buzzwords, like legends, all start with a basis in reality. DevOps security – or SecDevOps or SecOps – is no different. It’s a buzzword wrapped around the simple but powerful truth that encouraging security professionals to shift left and engage earlier in the app development lifecycle can result in better security. Anyone can take advantage of it as it’s as much a mindset as it is a methodology.
Traditional app release cycles perform deployment using legacy waterfall techniques that leave security at the end of the pipeline. Security teams are often many steps removed from the application, which leads to a tendency to rely on isolated and network-focused tools and policies to protect apps. Encouraging security teams to engage earlier in the lifecycle can not only speed up the delivery timeline, but afford better app and system security through deeper understanding of the application and its immediate environment.
Security professionals who become knowledgeable on apps and their platforms and protocols will ultimately design better policies and select the best tools to protect those applications and their data. CISOs who want to excel at DevOps security should encourage the fusion of security pros with Dev and Ops throughout the application development lifecycle. CISOs can also encourage the reverse – the training and development of security professionals from within Dev and Ops.
Cross-functional training efforts can develop a healthy bench of security and DevOps expertise that will benefit by infusing all three – dev, ops, and security – into the application development and deployment pipeline.
David Bryan, Global Leader of Technology, IBM X-Force Red
DevOps Security is not just about putting up roadblocks and firewalls. Security must be integrated into the process. Developers must also keep in mind that just because it’s a development environment, doesn’t mean you can forget to secure it. Additionally, secret keys and passwords must be protected to prevent an attacker from using them to compromise your production systems.
Recently I’ve found SSH private keys without passwords on file shares and checked into source code repositories. SSH private keys should only ever be stored on a user’s computer. These private keys must have a passphrase. Exceptions may only be made if the remote host severely limits access to specific tasks. SSH agent forwarding should then be used to connect to remote systems.
Running security penetration tests of both production and development is imperative to identify and prevent unauthorized access. Security testing must be part of the process, and not the last step before shipping code. DevOps security is about having strong code standards, and having best practices that will enable good coding practices. Developers must also ensure they follow and practice good hygiene and clean up keys and passwords when done using them.
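The finding above (passphrase-less SSH private keys sitting on file shares and in repositories) is something a team can hunt for itself. The following is an added example, not a tool from the article or from IBM X-Force Red: it walks a directory tree (a share mount or a repository working copy), recognises PEM-framed private keys, and decides whether each one is actually passphrase-protected. For the modern OpenSSH format it decodes the `openssh-key-v1` blob and reads the cipher name (`none` means no passphrase); for legacy PEM it looks for the `Proc-Type: 4,ENCRYPTED` header; PKCS#8 keys are classified by their `BEGIN` label. The key material written by `write_fixture` is constructed for the demo and is not a real key; the function and file names are illustrative assumptions.

```python
"""Find SSH private keys under a directory and report which ones lack a passphrase.
Added example; the fixture files it writes are constructed stand-ins, not real keys."""
import base64
import binascii
import os
import re
import struct
from pathlib import Path

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"
MAX_READ = 64 * 1024  # private keys are small; do not slurp large binaries


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, off: int):
    """Decode one SSH wire string at offset; returns (value, new_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def _pem_body(text: bytes, start: int) -> bytes:
    """Collect the base64 lines between BEGIN and END, skipping 'Key: value' headers."""
    out = []
    for line in text[start:].splitlines():
        line = line.strip()
        if line.startswith(b"-----END"):
            break
        if line and b":" not in line:
            out.append(line)
    return b"".join(out)


def classify_key(text: bytes):
    """Return 'encrypted', 'unencrypted' or None (not a private key).
    A file that claims to be a key but cannot be parsed is reported as
    'unencrypted' so it gets reviewed rather than silently skipped."""
    m = PEM_BEGIN.search(text)
    if not m:
        return None
    label = m.group(1)
    if label == b"OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode(_pem_body(text, m.end()), validate=True)
            if not blob.startswith(OPENSSH_MAGIC):
                raise ValueError("bad magic")
            cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        except (binascii.Error, ValueError):
            return "unencrypted"
        return "unencrypted" if cipher == b"none" else "encrypted"
    if label == b"ENCRYPTED PRIVATE KEY":  # PKCS#8 with password-based encryption
        return "encrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY) or plain PKCS#8: encryption is a header
    head = text[m.end():m.end() + 200]
    return "encrypted" if b"Proc-Type: 4,ENCRYPTED" in head else "unencrypted"


def scan_tree(root):
    """Walk root and return sorted [(relative_path, status)] for every key found."""
    findings = []
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                with open(p, "rb") as f:
                    data = f.read(MAX_READ)
            except OSError:
                continue
            status = classify_key(data)
            if status:
                findings.append((p.relative_to(root).as_posix(), status))
    return sorted(findings)


def write_fixture(root):
    """Write constructed sample files (NOT real keys) into root for a demo run."""
    root = Path(root)
    (root / "deploy").mkdir(parents=True, exist_ok=True)
    # openssh-key-v1 header with cipher 'none', as ssh-keygen -N "" would write
    plain = OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
    # header with aes256-ctr + bcrypt KDF, as a passphrase-protected key carries
    enc = OPENSSH_MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt") + _ssh_string(b"\x00" * 20)
    for name, blob in (("deploy/id_ed25519", plain), ("deploy/id_ed25519_enc", enc)):
        b64 = base64.b64encode(blob).decode()
        (root / name).write_text(f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "legacy.pem").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n")
    (root / "README.md").write_text("# nothing to see here\n")
    return root


def demo():
    """Build the fixture in a temp dir, scan it and return the findings."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(write_fixture(d))


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:12s} {path}")
```

Run it against a real share or checkout with `scan_tree("/path/to/tree")` and treat every `unencrypted` hit as a credential to rotate, not just a file to delete: the key may already have been copied. The check reads only the key header, so it never needs the passphrase and is safe to run in a CI job or a scheduled sweep of shared storage.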