DevOps has made it possible to develop applications far more quickly through a collaborative environment between the development, testing, and operations teams, with the goal of continuous delivery. DevOps tooling covers several focus areas, including automated provisioning, continuous integration, continuous monitoring, and test-driven development. However, in most cases security is not integrated into the development process, and the resulting applications are therefore exposed to threats and bugs.
This is where the DevSecOps approach comes in. It treats security as a significant component of DevOps practice and continuously integrates security components within the same DevOps process. As an extension of the DevOps mindset, DevSecOps is the methodology of integrating security practices and tools into the DevOps process in an automated fashion.
DevSecOps helps in integrating security into every step of the software development lifecycle.
Typical DevOps process
A typical DevOps process starts with a developer writing code and pushing it to a central code repository. The CI/CD server then pulls the code from the repository, packages the build artifacts, and runs a round of testing. The artifacts are then deployed to staging, another round of testing is done, and finally they are deployed to production servers that are spun up using Docker. You may also have a monitoring setup that checks service uptime regularly.
What about security?
In a typical DevOps cycle, security is often added towards the end through a manual or automated process: once the application is running in the production or staging environment, a test is scheduled. Imagine a scenario where a production application is tested and a high-risk vulnerability, such as a SQL injection, is discovered. The team will fix the issue, but the entire DevOps pipeline has to be run again for this single SQL injection vulnerability.
Challenges of DevOps without security
- The risk is high because the bug or issue is found only in production, where it could already be exploited.
- Since the code has already been deployed, resources such as CPU, memory, storage, and networking have been consumed, so the cost of fixing a bug or vulnerability is high.
- The speed of delivery may also be impacted because the code must go through the entire pipeline again.
What if we bring security a little closer to the development cycle by embedding security within the same DevOps pipeline? The SQL injection in the example above could have been discovered easily at an early stage with the help of a source code scanner and fixed even before packaging the artifacts.
Benefits of DevSecOps
- Costs are reduced by uncovering and fixing security issues further left in the development lifecycle rather than in production environments.
- Speed of product delivery is increased by incorporating automated security tests rather than doing security testing at the end of the lifecycle.
Fig b. Fixing security issues further left in the development lifecycle versus in production environments
Integrate security into every stage of the SDLC
DevSecOps enables shifting left and helps to integrate security into every step of the SDLC (software development lifecycle). New exploits and CVEs (Common Vulnerabilities and Exposures) come out every day, so it is crucial to continuously run your applications through the following steps to find issues and find ways to mitigate them.
Common issues, and the methods to mitigate them, are:
- Not exposing sensitive data to SCM like Git
- Checking Code Quality (code coverage, code smells) before building
- Checking dependency versions (no outdated modules with CRITICAL/HIGH-level vulnerabilities)
- Securing API interfaces (within Microservices interactions, it is mostly about APIs)
- When it comes to containers:
  - Not pulling Docker images from Docker Hub without knowing who built them or what vulnerabilities they contain
  - Not running containers as root
  - Using only the latest images
- Ensuring runtime security by continuously monitoring your apps to prevent threats
- Ensuring Cluster/Infrastructure security
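As an added illustration of the container points above (not code from the original article), here is a small Python check of the kind a build step could run over a Dockerfile: it flags base images that are not pinned by digest or not from an allow-listed source, and images whose process ends up running as root. The sample Dockerfiles, the allow-list and the all-zero digest are constructed placeholders.

```python
# Constructed sample Dockerfiles: a weak one and a corrected one.
WEAK_DOCKERFILE = """\
FROM someuser/webapp
RUN apt-get update && apt-get install -y curl
COPY . /app
CMD ["python", "/app/main.py"]
"""

# The all-zero digest is a placeholder; a real one comes from the image you vetted.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --create-home app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""

# Assumed allow-list of image sources the team has reviewed.
TRUSTED_PREFIXES = ("python:", "registry.example.internal/")


def lint_dockerfile(text):
    """Return (line, message) findings: unpinned or unvetted base images, root execution.

    Handles one instruction per line (no backslash continuations), which is enough
    for the checks shown here.
    """
    findings = []
    runs_as_non_root = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]          # ignore any "AS <stage>" suffix
            if "@sha256:" not in image:
                findings.append((lineno, "base image not pinned by digest"))
            if not image.startswith(TRUSTED_PREFIXES):
                findings.append((lineno, "base image from an unvetted source"))
        elif instr == "USER":
            # The last USER instruction decides who runs the container's process.
            runs_as_non_root = args.split()[0] not in ("root", "0")
    if not runs_as_non_root:
        findings.append((0, "container process runs as root"))
    return findings
```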
Fig c. Security at different stages
Security at different stages
- Add pre-commit/pre-push hooks on the developer workstation so that when the developer tries to commit or push code to the SCM, the hook runs checks for sensitive data and denies the commit or push.
- On the SCM side, do not store secrets or configs in plain text: encrypt them or make use of a secret vault.
- On the testing side, run the regular unit tests, followed by mutation tests to test the unit tests themselves, and static code analysis to check code coverage, code smells, code duplication, and code quality.
- Before or during the build phase, test the dependencies used in the application for vulnerabilities. When building Docker/container images, scan the images, add an image signature, and scan the Dockerfile to weed out any wrong configurations.
- During the deploy/staging step, validate the image signature added in the previous step to ensure that you are running the correct image, then run integration tests.
- Before the production stage, run DAST (Dynamic Application Security Testing) for interface security testing, do infrastructure compliance scans, validate runtime configs, and then deploy the app.
- Monitor both the application logs and the security logs to analyze and mitigate any issues in real time.
- As far as Kubernetes security is concerned, there are many things to consider, such as RBAC rules, SELinux, AppArmor, network policies, mTLS, and auditing.
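One way to implement the pre-commit hook from the first step above, as an added example rather than the article's own code: a Python script that scans only the staged diff for sensitive data and exits non-zero to deny the commit. The regex set and the sample diff (including the fake key) are constructed for this example.

```python
import re
import subprocess
import sys

# Patterns for sensitive data that must never reach the SCM. This set is an
# assumption for the example; real hooks use a much fuller rule set.
SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hard-coded credential": re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{8,}['"]"""),
}


def scan_added_lines(diff_text):
    """Return (file, line, reason) for every newly added line that matches a pattern."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("+") and not line.startswith("+++"):
            added = line[1:]
            for reason, pattern in SECRET_PATTERNS.items():
                if pattern.search(added):
                    findings.append((current_file, added.strip(), reason))
    return findings


# Constructed sample diff in the format `git diff --cached` prints; the key is fake.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,4 @@
 DEBUG = False
-AWS_KEY = os.environ["AWS_KEY"]
+AWS_KEY = "AKIAEXAMPLE000000000"
+DB_PASSWORD = "hunter2-but-longer"
+TIMEOUT = 30
"""


def main():
    # As a pre-commit hook: scan only the staged changes and block the commit on any hit.
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_added_lines(diff)
    for path, text, reason in findings:
        print(f"blocked: {path}: {reason}: {text}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Installed as `.git/hooks/pre-commit`, the non-zero exit denies the commit; only removed lines and unchanged context are ignored, so an existing secret is still reported the next time that line is touched.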
Choosing a DevSecOps approach
Implementing DevSecOps can reduce application vulnerabilities and budget overruns by automating security at every phase of the SDLC. An organization, team, or project might face initial setbacks when it first begins the DevSecOps journey with respect to tool integrations and lack of knowledge. For example, DevOps tools come from various vendors, and adding security tools will increase CI/CD complexity. Developers and DevOps teams may also need to be educated on application security best practices. In the long run, however, an organization, team, or project will be able to deliver more secure code faster by adopting DevSecOps.