In recent years, IT companies have been turning to a DevOps approach to software development. While DevOps provides faster software delivery with increased code quality, security issues are still left behind at most companies. One reason for this is that the traditional approach to integrating security practices into DevOps resulted in lengthy security compliance and rework. So how can companies integrate security into DevOps practices without slowing down their business processes?
In this article, we show you the benefits of adding security to DevOps and the best practices of delivering DevSecOps in the AWS cloud.
DevOps is a combination of tools, practices, and cultural philosophies that allow IT companies to reduce the time needed for software development. This is achieved by breaking down the traditional barriers between development, testing, and operations. DevOps practices include automation and monitoring at all stages of software development, allowing companies to achieve continuous integration (CI) and continuous delivery (CD) of their software, thus saving time and money for solutions vendors.
However, today it’s not enough for IT companies just to implement faster and more innovative ways of software development. A high level of software security is also a challenge that vendors should meet in order to survive on the fast-developing IT market.
Traditionally, information security is handled at the last stages of the software development cycle and results in detecting security flaws that need to be eliminated under strict time limits. As a result, release teams sometimes neglect the recommendations of their security specialists in order to meet delivery deadlines.
However, a lack of software security puts at risk both the consumers who ultimately buy these products and the vendor’s reputation.
Nowadays, we’re seeing a significant increase in the number of cyber attacks; it doesn’t matter how fast your continuous delivery cycle is if you’re releasing software with vulnerabilities.
Fortunately, we have DevSecOps: a new mindset where security is a shared responsibility so both developers and IT operations specialists keep security requirements in mind. This approach implements continuous and automated security at the early stages of software development and ensures it throughout the whole cycle. As a result, companies can expose and remediate flaws early on during the testing phase and thus reduce the time and cost of rework.
In DevSecOps, security is no longer the function of a separate department but is an integral part of team culture and practices. Though it requires team restructuring and training as well as tools for security check automation, it lets companies finally break down the barriers between DevOps and security architects to gain many other benefits.
By integrating security into your DevOps team, your company can see the following improvements:
- Reduced costs: Continuous security will save you money on rework as your team can detect and fix security issues during the development and testing phases.
- Improved software security: Implementing security at the earliest phases of development leads to more secure software in the end.
- Increased speed of recovery: Recover faster by using templates and the pet/cattle methodology when responding to security incidents.
- Increased speed of delivery: Deliver faster by continuously eliminating security bottlenecks.
- Reduced time for security checks: There’s no need for security checks right before release as security issues are fixed during development and testing.
- Better customer value: Customers will prefer your software to others if you can provide secure, iterative innovation at speed and scale.
To summarize these benefits, DevSecOps allows you to spend more time adding customer value and less time and money fixing vulnerabilities that are identified late in the delivery process or during product use.
According to a recent survey conducted by Gartner, an increasing number of companies realize the need to integrate security into DevOps practices. Gartner also predicts that more than 50 percent of DevOps initiatives will implement software security testing for custom code by 2019, while DevSecOps will be embedded into 80 percent of rapid development teams by 2021.
The main task of DevSecOps is to ensure secure coding practices in the early stages of the software development lifecycle (SDLC). A secure SDLC must be incorporated as a disciplined practice. While automation is required, DevSecOps is not only about this. First of all, developers and operations specialists should be trained to understand a hacker’s logic and know how to prevent attacks with security measures. Only after that can they properly use tools that are designed to discover flaws and ensure security during development and testing.
If you want to integrate security into your DevOps team, the first step is changing the culture.
- Build a knowledge base: Train developers and quality testers to ensure that they know basic principles of secure coding and security testing and thus can take responsibility for meeting security requirements.
- Promote openness: Now is the right time to put an end to any organizational barriers between the DevOps and security departments by encouraging them to openly communicate and collaborate. Make sure that security metrics and dashboards are transparent and available to developers so they can apply them to check code quality.
- Create security champions: Hire professional security officers who understand security within traditional DevOps teams and can coach your team to ensure that they’re security-conscious during the transition to DevSecOps. Security champions should be aware of industry best practices and be involved in DevSecOps consulting on how to adapt security for software development.
These practices aim to share security responsibility among all members of the DevSecOps team and to increase their security awareness in order to improve software quality. Don’t expect to change your organization’s mindset overnight. This process will require a certain amount of time, effort, and patience.
1. Security measures during software planning
The main goal of DevSecOps is to ensure that security is implemented from the very beginning of software development. Thus, potential security issues should be taken into consideration at the software planning stage. In addition to product features, DevSecOps projects should also include information about security requirements, acceptance test criteria, and threat models.
During this stage, you can use a simple threat modelling and risk assessment tool to understand your application’s level of risk. You may need to build a deeper threat model if your application will use sensitive data or access the internet directly. Moreover, if you use any data for application testing, think about how you’ll anonymize it to avoid privacy issues.
2. Security measures during software development
At the development stage, DevSecOps requires following principles of secure coding and reviewing software design and code. However, all tests and checks should be performed without slowing down the development process.
You also need to integrate automated dynamic and static code testing that can detect security vulnerabilities before software is released. These autonomous scans don’t require the intervention of security officers and can provide results directly to a bug tracking system. As an alternative to these tests, you can let developers use lightweight tools for quick code scanning within their integrated development environments.
Make automated scanning and security test software an integral part of the continuous integration test toolchain.
Though autonomous testing can significantly reduce security flaws, there’s still a risk of vulnerabilities. Best practices show that it’s almost impossible to eliminate all code bugs, so security measures should go beyond the development stage and check code even when software is already deployed in the production environment.
3. Security scanning of open-source software and system images
Moreover, DevSecOps practitioners should secure their code by securing their environments. While developers frequently use open-source applications and pre-built libraries, containers, and frameworks, they need to eliminate any known critical vulnerabilities in these components before using them for development or testing.
In addition, you need to check all content of all system images for vulnerabilities, including Amazon Machine Images, virtual machines, containers, other software, and the operating system. Continuous integration should include scans that ensure that all settings for the operating system and application platform are configured in compliance with security best practices.
Because containers share a common operating system, any attack on them may result in compromising your container. Thus, the best practice is to use containers for workloads of similar trust levels. However, for stronger isolation it’s better to use hypervisors or physical separation.
4. Treating security infrastructure as sensitive code
While DevOps works with programmable infrastructure that’s considered infrastructure as code, security measures should also be adjusted to this principle. Secure coding principles should apply to automatic configuration that includes scripts, templates, recipes, and blueprints. Moreover, configuration files should be scanned for vulnerabilities and risks like embedded credentials, API keys, encryption keys, and data encryption.
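One way to run the configuration scan described above as a CI step, shown as an added example rather than code from the article. The rule names, the patterns, and the sample template are assumptions made for the illustration; references to a secret store or to a template parameter are deliberately not reported.

```python
import re

# CloudFormation dynamic references resolve at deploy time, so strip them before matching.
DYNAMIC_REF = re.compile(r"\{\{resolve:[^}]*\}\}")
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-credential", re.compile(
        r"(?i)\b[\w-]*(?:password|passwd|secret|api[_-]?key|token)[\w-]*\s*[:=]\s*"
        r"[\"']?(?P<value>[^\s\"']{6,})")),
]

# Constructed sample; the access key ID is the placeholder used in AWS documentation.
SAMPLE_TEMPLATE = """\
Resources:
  Db:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: "Sup3rS3cret!"
  DbFromVault:
    Type: AWS::RDS::DBInstance
    Properties:
      MasterUserPassword: "{{resolve:secretsmanager:prod/db:SecretString:password}}"
  Worker:
    Type: AWS::Lambda::Function
    Properties:
      Environment:
        Variables:
          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
          DB_PASSWORD: !Ref DbPasswordParam
"""

def scan_text(text):
    """Return (line, rule, redacted preview); previews keep secrets out of CI logs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = DYNAMIC_REF.sub("", line)
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.groupdict().get("value") or match.group(0)
            if value.startswith(("!", "${")):  # !Ref / !Sub / ${Param}: not a literal
                continue
            findings.append((lineno, rule, value[:4] + "****"))
    return findings

if __name__ == "__main__":
    print(*scan_text(SAMPLE_TEMPLATE), sep="\n")
```

A pipeline step would fail the build whenever `scan_text` returns a non-empty list for any changed template or script.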
Security automation is extremely important during the whole software development process because automation reduces the risk of human mistakes and misunderstandings while minimizing the need for security officers to intervene since all monitoring, protection, and testing measures are exposed programmatically.
Amazon Web Services (AWS), like other cloud-based providers, allows companies to automatically and transparently apply security checks and controls during the development cycle.
AWS virtual infrastructure includes a set of tools aimed at automating code testing and in particular applying security checks during the whole process of code development and quality assurance.
AWS assumes shared responsibility for security, so DevSecOps teams should get familiar with AWS security best practices. While AWS ensures the security of infrastructure and services, DevSecOps should assure the security of operating systems, data, and platforms.
DevSecOps on AWS can use the following services and tools:
For defining security roles, DevSecOps teams can use the AWS Identity and Access Management service, which clearly shows what each member is responsible for in a product change. It serves not only to limit capabilities but also to ensure security during work on the project. Moreover, it’s easy to verify who implements changes by using audit logs and configuration repositories like Git or AWS CodeCommit.
AWS Key Management Service (KMS) is useful for creating and managing the encryption keys necessary for data protection. KMS also uses validated hardware security modules to ensure the security of your keys.
Security in the CI/CD pipeline is achieved thanks to the following tools and services for automated security testing and code analysis:
AWS CodePipeline is an effective service for continuous integration and continuous delivery that allows DevOps to automate preventive and detective security controls.
AWS CloudFormation lets you use simple text to describe and provision infrastructure resources in an automated and secure manner. Using this service, DevSecOps practitioners can create a secure template of the demo pipeline.
In addition, AWS Lambda functions can perform static code analysis of the CloudFormation template as well as conduct dynamic stack validation for the security groups in scope.
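The static half of that check could look like the following added example, which is not code from the article or from AWS. It takes a JSON CloudFormation template and reports security group ingress rules that are open to the whole internet; the port list, the finding messages, and the sample template are assumptions, and rules whose values are intrinsic functions are handed over to the dynamic validation step because they cannot be resolved before deployment.

```python
import json

SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}  # assumption: ports never exposed publicly
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
INTRINSIC_KEYS = ("CidrIp", "CidrIpv6", "FromPort", "ToPort")

# Constructed template: one inline rule set and two standalone ingress resources.
SAMPLE = json.loads("""{
 "Resources": {
  "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "CidrIp": "0.0.0.0/0"}]}},
  "AdminRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties":
    {"GroupId": {"Ref": "WebSg"}, "IpProtocol": "-1", "CidrIpv6": "::/0"}},
  "ParamRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties":
    {"GroupId": {"Ref": "WebSg"}, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "CidrIp": {"Ref": "AllowedCidr"}}}
 }
}""")

def _ingress_rules(template):
    """Yield (logical id, rule) for inline and standalone ingress rules."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield name, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield name, props

def check_security_groups(template):
    """Return one finding string per risky or statically unresolvable rule."""
    findings = []
    for name, rule in _ingress_rules(template):
        if any(isinstance(rule.get(key), dict) for key in INTRINSIC_KEYS):
            findings.append(f"{name}: uses an intrinsic function; re-check the deployed stack")
            continue
        cidr = rule.get("CidrIp", rule.get("CidrIpv6"))
        if cidr not in OPEN_CIDRS:
            continue
        if str(rule.get("IpProtocol")) == "-1":  # -1 means every protocol and port
            findings.append(f"{name}: all traffic open to {cidr}")
            continue
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        findings += [f"{name}: {label} ({port}) open to {cidr}"
                     for port, label in SENSITIVE_PORTS.items() if lo <= port <= hi]
    return findings

if __name__ == "__main__":
    print(*check_security_groups(SAMPLE), sep="\n")
```

The port-range rule in `WebSg` is the case a naive equality check on `FromPort` misses: 22 is exposed even though neither bound of the range is 22.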
AWS services for security automation are useful for automating incident response, remediation, and forensics.
AWS allows security officers to easily monitor user activity in the cloud and be aware of suspicious activities and events. For these purposes, they can use data generated by AWS CloudWatch Logs and CloudWatch Events.
AWS CloudTrail can monitor calls made to the CloudWatch Events API for an AWS account. With CloudTrail, security officers can quickly respond to suspicious activities.
AWS CodeCommit is a managed version control service that hosts private Git repositories in the AWS cloud. To use this service, DevSecOps teams need to configure their Git client to communicate with AWS CodeCommit repositories.
Moreover, the Amazon Virtual Private Cloud (VPC) lets you create private clouds within the AWS public cloud. This service provides not only isolation from other customers in the private cloud but also Layer 3 (Network Layer IP routing) isolation from the internet.
DevOps is an effective approach for improving software engineering and maintenance processes, but companies can benefit from its full potential only after integrating security into this practice.
Implementing DevSecOps using AWS is a complex task, because traditional security methods slow down the software development cycle. Following the best practices of integrating security into DevOps will help you successfully overcome this challenge.
Apriorit has experience establishing secure DevOps processes for a number of cloud solution vendors (see our case study about SaaS growth and CI/CD process support). We would be glad to assist you in developing secure solutions on AWS infrastructure.