Josh Kirkwood, DevOps Security Lead, CyberArk, discusses how to put security at the heart of your DevOps development cycles.
The engineering project triangle holds that an organisation can optimise for only two of speed, cost and quality at the expense of the third. This classic model has underpinned project management for years, shaping cost projections, deadlines and, most importantly, quality assurance requirements.
As competition in the technology industry has grown increasingly fierce over the last 15 years, boards have prioritised speed in order to meet ever tighter deadlines and be first to market. With this in mind, it makes sense that DevOps practices have become so prevalent in the past decade.
Organisations' willingness to adopt DevOps tools and methodologies, in the hope of tremendous business benefits, has however led to security practices being pushed aside. The numbers don't lie: according to Deloitte's latest study on the state of DevOps, 71% of businesses feel their teams lack the working knowledge needed to build security into their delivery pipelines, the approach otherwise known as DevSecOps.
This knowledge gap points to the data security problems that businesses risk creating for themselves, especially since DevOps tends to outpace traditional security controls. The truth is that while developers want security, when security threatens to slow the delivery of new applications to customers (whether internal or external), security is what gives way.
It is an issue CISOs across the globe face: how do you prioritise security without impacting developer velocity? The five tips below, sourced from an expert panel of CISOs, show how some of the world's most accomplished technologists are working to combat bad habits and secure the DevOps cycle. Here are some of their key suggestions:
Put the security and DevOps teams in tandem
Many DevOps practitioners do take security seriously; in fact, in the Sonatype DevSecOps Community Survey 2018, 91% agree that 'security is part of everyone's job'.
So for security, the challenge is to harness developers' beliefs and energy. Security teams can engage more effectively by getting up to speed on DevOps tools and techniques. They can also help developers do the right thing by offering reusable, vetted code modules and self-service approaches that make good security practice the path of least resistance.
Be sure to secure DevOps tools and infrastructure
Two important places to start are reducing the concentration of privilege in build automation tools (a CI server that holds production deployment credentials is a single point of compromise for everything it can reach) and ensuring that code repositories do not expose secrets. GitHub alone currently has a userbase of 28 million developers.
Public repositories are searchable by anyone, and private ones are only as safe as the accounts that can reach them. Uber's infamous breach in 2016 is an all too painful reminder. Attackers obtained access to a private GitHub repository used by Uber engineers and found credentials in it that gave them access to the company's Amazon Web Services account, where an archive of rider and driver data was stored. With the personal data of seven million drivers and 50 million customers compromised, the fallout was significant not only for Uber, but also for the wider data security ecosystem.
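As an added illustration of the "repositories must not expose secrets" point (this is example code written for this page, not from the article or from CyberArk), here is a minimal pre-commit or CI check in Python. It scans only the added lines of a unified diff, reports known credential formats by regex and catches unknown ones by Shannon entropy, keeps track of the file and line number so the finding is actionable, and redacts the matched value so the report itself cannot leak it. The rule set, the entropy threshold and the sample diff are constructed for this example; the access key and secret values are the placeholder ones from AWS's own documentation, not real credentials.

```python
import math
import re
import sys
from dataclasses import dataclass

# Hypothetical rule set for illustration; real scanners ship hundreds of patterns.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "assigned-secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Candidates for the entropy check: long runs of base64 / url-safe characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    rule: str
    path: str
    line: int
    snippet: str  # truncated match, so the report does not reproduce the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random 40-character keys score well above 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(text: str) -> str:
    return text[:6] + "..." if len(text) > 6 else text


def scan_diff(diff_text: str, entropy_threshold: float = 4.0) -> list:
    """Scan the added lines of a unified diff, tracking new-file line numbers."""
    findings = []
    path, new_line = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):        # new-file header (simplification: an added
            path = raw[4:].strip()        # line beginning "++ " would also match)
            path = path[2:] if path.startswith("b/") else path
            continue
        m = HUNK.match(raw)
        if m:
            new_line = int(m.group(1))    # first line of the hunk in the new file
            continue
        if path is None or raw.startswith("-") or raw.startswith("\\"):
            continue                      # file headers, removed lines, "\ No newline"
        lineno, new_line = new_line, new_line + 1
        if not raw.startswith("+"):
            continue                      # unchanged context line
        line = raw[1:]
        matched = False
        for rule, pattern in PATTERNS.items():
            for hit in pattern.finditer(line):
                findings.append(Finding(rule, path, lineno, redact(hit.group(0))))
                matched = True
        if matched:
            continue
        for token in TOKEN.findall(line):  # fall back to entropy for unknown formats
            if shannon_entropy(token) >= entropy_threshold:
                findings.append(Finding("high-entropy-string", path, lineno, redact(token)))
                break
    return findings


# Constructed sample diff: a config change that commits AWS placeholder credentials
# and a deploy key. Values are the documented AWS example values, not live secrets.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
 import os
-DB_HOST = "localhost"
+DB_HOST = "db.internal"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Hook usage: git diff --cached | python scan_secrets.py   (non-zero exit blocks the commit)
    hits = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.rule} ({f.snippet})")
    sys.exit(1 if hits else 0)
```

Wiring this into a pre-commit hook catches the secret before it ever reaches the remote; running the same function in CI over the merge request's diff catches what bypassed the hook. Note that the entropy check deliberately runs only when no named rule matched, so each line yields at most one finding per rule, and that removing a secret in a later commit does not help once it is in history: the credential still has to be rotated.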
Adopt a formal system for securing secrets and credentials
Instead of struggling to consistently control and monitor secrets dispersed across multiple DevOps tools (CI variables, container environment files, configuration repositories), a better approach that both reduces risk and saves time is to implement a centralised secrets management system. Secrets are then issued to applications and pipelines at runtime, so that users, whether human or machine, never handle the actual credentials; access is governed by policy tied to the requesting identity, every retrieval is audited, and rotation happens in one place instead of in every tool.
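To make the shape of that approach concrete, here is an added Python sketch (example code for this page, not the article's or CyberArk's own implementation) of a minimal in-memory broker and a client that consumes it. The broker enforces which workload identity may read which secret, hands out short-lived leases, versions secrets so rotation invalidates old leases, and records an audit trail that never contains values; the client re-fetches only when its lease has expired or the secret was rotated, and wraps the credential so it cannot leak through logging or repr(). The identities, secret names and TTL are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


class Secret:
    """Holds a credential so it cannot leak via logging, repr() or tracebacks."""
    __slots__ = ("_value",)

    def __init__(self, value: str):
        self._value = value

    def reveal(self) -> str:
        return self._value  # the only way to get the plaintext out

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__

    def __eq__(self, other):
        return isinstance(other, Secret) and hmac.compare_digest(
            self._value.encode(), other._value.encode())


@dataclass
class Lease:
    name: str
    value: Secret
    version: int
    expires_at: float

    def valid(self, now: float) -> bool:
        return now < self.expires_at


class SecretBroker:
    """Illustrative in-memory vault: policy, versioned secrets, leases, audit trail."""

    def __init__(self, policy: dict, ttl_seconds: float = 300):
        self._policy = policy   # identity -> set of secret names it may read (assumed shape)
        self._store = {}        # name -> (version, plaintext)
        self._ttl = ttl_seconds
        self.audit = []         # never contains secret values

    def put(self, name: str, value: str) -> int:
        version = self._store.get(name, (0, None))[0] + 1
        self._store[name] = (version, value)
        self.audit.append({"event": "put", "name": name, "version": version})
        return version

    def rotate(self, name: str) -> int:
        return self.put(name, secrets.token_urlsafe(32))

    def current_version(self, name: str) -> int:
        return self._store[name][0]

    def issue(self, identity: str, name: str, now: float) -> Lease:
        allowed = name in self._policy.get(identity, set())
        self.audit.append({"event": "issue", "identity": identity, "name": name,
                           "allowed": allowed, "at": now})
        if not allowed:
            raise PermissionError(f"{identity} may not read {name}")
        version, value = self._store[name]
        return Lease(name, Secret(value), version, now + self._ttl)


class DatabaseClient:
    """Consumer that never stores a long-lived credential in config or environment."""

    def __init__(self, broker: SecretBroker, identity: str, secret_name: str):
        self._broker, self._identity, self._name = broker, identity, secret_name
        self._lease = None

    def credential(self, now: float = None) -> Secret:
        now = time.time() if now is None else now
        stale = (self._lease is None
                 or not self._lease.valid(now)
                 or self._lease.version != self._broker.current_version(self._name))
        if stale:  # re-fetch on expiry or rotation, nowhere else
            self._lease = self._broker.issue(self._identity, self._name, now)
        return self._lease.value
```

In a real deployment the broker is the vault product and the identity is proven by the platform (a signed workload token, an instance identity document, a Kubernetes service account) rather than passed as a string; what carries over is the pattern: the application holds a handle with an expiry, the policy lives with the secret rather than in each pipeline, and `broker.audit` is what you review when asking who read the database password and when.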
Revise processes for application testing
With DevOps teams making multiple releases per day, security needs new, automated approaches that do not slow the launch process down. For example, security can adopt a 'break the build' approach: security tests run in the pipeline alongside functional tests, and any finding above an agreed severity fails the build before the change can be merged or deployed, with accepted risks recorded as time-limited exceptions rather than silently ignored.
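As an added example (written for this page, not taken from the article or from CyberArk), the following Python gate shows the decision logic behind 'break the build': it takes scanner findings in a tool-neutral shape, fails the build on anything at or above a configured severity, honours a risk-acceptance list only while each exception is unexpired, and turns the decision into the exit code that makes a CI job fail. The findings, component names, ids and exceptions are all constructed and hypothetical; a real pipeline would load them from the scanner's JSON report and a reviewed exceptions file.

```python
import datetime as dt
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class GateResult:
    passed: bool = True
    blocking: list = field(default_factory=list)  # findings that fail the build
    waived: list = field(default_factory=list)    # covered by an unexpired exception
    ignored: list = field(default_factory=list)   # below the threshold, reported only


def evaluate(findings, fail_on="high", exceptions=None, today=None):
    """Decide whether a build may proceed given scanner findings and accepted risks."""
    exceptions = exceptions or {}
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.date.today()
    threshold = SEVERITY_RANK[fail_on]
    result = GateResult()
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            result.ignored.append(f["id"])
            continue
        waiver = exceptions.get(f["id"])
        if waiver and dt.date.fromisoformat(waiver["expires"]) >= today:
            result.waived.append(f["id"])  # accepted risk, but only until the waiver lapses
            continue
        result.blocking.append(f["id"])
    result.passed = not result.blocking
    return result


# Constructed sample scanner output and exception list (hypothetical ids and components).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": "critical", "component": "example-http-client 1.2.0", "fix": "1.2.1"},
    {"id": "f-2", "severity": "high", "component": "example-yaml 0.9", "fix": None},
    {"id": "f-3", "severity": "medium", "component": "example-logger 3.1", "fix": "3.2"},
]
SAMPLE_EXCEPTIONS = {
    "f-1": {"expires": "2030-01-01", "reason": "vulnerable code path not reachable"},
    "f-2": {"expires": "2020-01-01", "reason": "lapsed waiver: must be renewed or fixed"},
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_FINDINGS, fail_on="high", exceptions=SAMPLE_EXCEPTIONS)
    for fid in result.blocking:
        print(f"BLOCKING {fid}")
    for fid in result.waived:
        print(f"waived   {fid}")
    print("build", "passed" if result.passed else "FAILED")
    sys.exit(0 if result.passed else 1)  # the non-zero exit is what breaks the build
```

Two design choices matter more than the code: exceptions carry an expiry so that an accepted risk cannot quietly become permanent, and the threshold is a single setting, which lets a team start at `critical` when the gate is introduced and tighten it as the backlog shrinks without touching the pipeline definition.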
Evaluate the impact
In most cases, improving the security of DevOps environments happens through incremental advances. Teams should highlight each success and then build on it. For example, organisations can use metrics to show how much of the attack surface has been addressed (the share of pipelines with secret scanning enabled, the number of credentials moved out of code and configuration into a vault, the time taken to remediate a build-blocking finding) and how effective controls are in defending against both internal and external attackers.
Continuously revising and piloting new approaches to testing is ultimately necessary to embed security within DevOps strategies. Development teams need training to improve their security awareness and to work out how they can best work with security teams.
At the same time, security personnel will benefit from learning how their role fits within the wider DevOps ecosystem. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.