This is the second of a new five-part series of articles developed by TAG Cyber in conjunction with Sicura to offer insights and guidance into modern DevOps security using automated and integrated support.
A major challenge in modern DevOps environments is the desire for software processes to be more agile and flexible, while also being more secure. On the surface, one might presume that the only reasonable way to make the software development lifecycle more secure would be to slow things down and to introduce manual tasks such as reviews, scans, and tests to the pipeline of activity. The good news is that automation provides a more effective alternative.
In this article, we explain the key role that automation plays in modern DevOps security (which we will refer to as DevSecOps). In particular, we focus on three key security benefits that come from reliance on an automated platform to reduce cyber threats during the DevOps process. These benefits include support for continuous operation, broad coverage, and streamlined workflow.
The traditional view of software development lifecycle (SDLC) security involved a conceptual model that would move from concept to deployment in a mostly linear fashion. Some software processes continue to operate in this manner, but this only works in cases where the output is likely to remain stable. Certain embedded systems, for example, are built in ways that require slow, deliberate development without the ability to perform frequent updates.
The vast majority of SDLC scenarios, however, are best viewed in terms of a continuous and repeating cycle of DevOps tasks with integrated compliance actions. In these cases, the software is expected to undergo continual change and update during both pre- and post-delivery phases, and the development team is expected to keep up with the speed of delivery and the demand for continual security and compliance.
The only means for any DevOps team to maintain such continuous operation is through automation. Without mechanized coordination between servers and security tools, often assisted by agents and other embedded controls, the likelihood increases that vulnerabilities might be allowed to remain either in the software or in some aspect of the DevOps environment (see Figure 2-1).
Figure 2-1. Automated Security for Continuous Operation
Without automated support, it is likely that security tasks required during some phase of the DevOps lifecycle would experience time gaps. Security validation testing, for example, is best performed in the context of an automated platform that can ensure ongoing and continuous operation. Bad actors try to find and exploit seams in security coverage, so closing those gaps improves overall cyber risk posture.
An additional security issue that emerges during DevOps involves the challenge of ensuring coverage across all of the functional components, programming tasks, SDLC tools, and other SDLC assets. Such coverage can stretch across a wide swath of resources during pre-delivery code development and post-delivery deployment, operations, and use. Ensuring security and compliance across this range can be a challenge.
As with continuous operation, the coverage challenge cannot be easily addressed using manual processes. DevOps processes are so broad and expansive that automation is the only means to ensure that no seams emerge in coverage. Areas of DevOps that require security coverage using an automated platform include the following:
- DevOps Tools and Platforms – These include commercial and open-source tools and platforms for pre- and post-delivery support of code.
- Source and Version Control – DevOps processes increase the velocity and frequency of new software versions being delivered.
- Scanning and Testing – Security requirements demand that code be frequently scanned and tested for vulnerabilities during DevOps.
- Build Process and Infrastructure – An advantage of DevOps is the streamlined software build process and supporting infrastructure.
- Secrets Management – The management and protection of secrets, including credentials and entitlements, is a critical requirement in DevOps.
- Infrastructure as Code (IaC) – An important innovation in software development is the use of infrastructure as code (IaC) to define repeatable state for DevOps.
- Containers and Orchestration – Modern application design involves containers that are orchestrated, managed, and secured using tools such as Kubernetes.
These tasks, which are by no means a complete list of all desired and required aspects of the DevOps process, are only reasonably addressed using automation that can drive coverage and integrate with day-to-day support and planning. Such automation also helps during compliance and regulatory tasks, especially if platforms can be integrated into governance, risk, and compliance (GRC) tools and systems.
A third driving force behind the need for automation is support for the workflow management that underlies DevOps process execution. Automation not only reduces the likelihood of human error, but also streamlines the day-to-day workflow by avoiding duplicate management tasks and removing manual bottlenecks that can slow down the software development lifecycle.
Figure 2-2. Automated Security for Streamlined Workflow
One aspect of modern DevOps workflow that is difficult to represent in a diagram is the natural interleaving of tasks. For instance, the left-to-right flow shown in Figure 2-2 implies a straightforward ordering of events from development to production. In practice, however, most of these actions occur in parallel or in arbitrary order – and this also underscores the need for automation to support the overall workflow system.
By Edward Amoroso, TAG Cyber CEO
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.
Next week we'll be back with Part 3 of the TAG Cyber Sicura series. Interested in learning how Sicura can make your environment more secure and your DevOps team more efficient? Get in touch.