5 tips for secure DevOps

The decoupling between DevOps and IT security that often exists today is no longer sustainable. Companies need a new approach for closely integrate both aspects. Read how this works.

DevOps and IT security used to be split into different organizational pillars. That no longer works today. Companies cannot avoid tearing down the barriers between the two areas. This is the only way to promote mutual trust and the common interests of secure, agile IT operations. After all, no one can seriously have an interest in using DevOps practices to allow a kind of “state within a state” within their own organization that undermines the information security of an entire company.

Below are the top five aspects to work on to establish security in DevOps practice to achieve DevSecOps (secure DevOps).

1. Take advantage of the deployment pipeline.
Among the fundamentals of DevOps, the concept is the continuous delivery of enhancements and associated automation tools. This interconnected toolkit of tools for developing, integrating, testing, deploying, and monitoring code across the lifecycle is at the heart of an efficient and continuous integration and deployment process. Forrester analyst Amy DeMartine says IT security has a real opportunity if it takes advantage of this very pipeline to deploy security tools in a way that permanently improves security metrics.

This relates, for example, to the implementation of the continuous pipeline, which is the integration of specific units of code or applications into sprints. There needs to be an understanding that these sprints will be completed in time for IT security managers to comprehensively test them for security flaws before the code goes live.

Integrating security and quality testing early in the development process is a critical action when it comes to application security best practices. This is where the security team can make a big difference by helping to plan where and how tests and security gates can be inserted during the overall process without unnecessarily slowing down the desired fast pace of DevOps software delivery.

2. Standardize software and keep it up-to-date
Heartbleed, Shellshock, and DROWN are just a few of the best-known software vulnerabilities that have rocked the world in recent years. They are the perfect examples of how third-party components in supposedly innocuous enterprise software and web assets can put any business at risk.

DevOps has further accelerated the dependence of IT vendors and developers on third-party software components. That’s because agile development teams are always looking for ways to develop software even more efficiently without having to reinvent the wheel. But for development teams to provide truly robust and secure DevOps patterns, there also needs to be a secure way to integrate these third-party components. A good option for this is to maintain a standardized and validated component library and always update it as new versions become available. The number of versions available in these libraries should be kept as low as possible.

3. Standardize tools and processes
Often, DevOps processes proliferate organically in different areas of an organization like a neglected garden. The danger here is that security efforts remain haphazard or spotty and are only followed up on at irregular intervals. Each department starts to do things its own way and chooses its own individual testing tools and methods.

What then happens is that those involved speak different languages and communication gets bogged down. It’s true that different teams may occasionally need to use different toolsets as they work with different cloud infrastructures, development languages, and platforms. But whenever possible, organizations should strive for standardization at this point.

4. Monitoring with automated audit logs
Contrary to many fears of security specialists, DevOps does not necessarily mean that a Wild West mentality will take hold. There are ways to introduce separation of duties to keep track of who is touching what. To do this, stakeholders just need to leverage the capabilities of automated systems that can help manage the continuous delivery pipeline.

Although in many cases the old methods of introducing security clearances have unfortunately fallen by the wayside, one advantage of all these newer tools should not be overlooked: They generate audit trails. Such trails can include automated security alerts within the production environment. They can be used to detect when intrusions and security incidents occur. Teams could also prioritize sensitive systems for security clearances, for example. In addition, it is left to the system to roll out code automatically. This means that only the tools can allocate the exact IT resources.

These trails can be used by the IT security team to detect anomalies or understand where something may be going wrong. Anomaly detection can provide meaningful information about whether outsiders or employees are laying a hand on systems they would be better off leaving untouched.

5. Make IT security palatable to developers
Security specialists should look less for gentle ways to tell developers how to develop more securely and more efficient ways to help developers with their complicated, high-pressure work.

It’s easy for a security professional to spot a poor security practice. The temptation is to immediately name shortcomings in a way that hurts egos. But that doesn’t get a company anywhere. Instead, as a security leader, you should consciously opt for the carrot approach, where secure code and robust design receive praise and recognition. Again, technology can help by ensuring that security tools are tuned to provide secured components for reuse and automate everything that can be automated for them.

Conclusion: DevOpsSec are achievable
The DevOps concept for powerful, high-performance enterprise IT deserves full support from IT security. However, it is unlikely to receive this overnight. It helps to think of the approach of different IT organizations working together productively as a kind of migration project: From DevOps to DevOpsSec, an organizational evolution for secure and agile IT.