To some, DevOps is yet another example, but as you learn more about this practice you will discover that it is really a new and efficient approach to delivering software solutions.
DevOps is a shift in mindset toward better communication and bringing disparate teams, processes, and technologies together to solve problems for your organization. As you incorporate security practices throughout the lifecycle, DevOps becomes a critical component to effectively protecting IT assets across the enterprise. Read on to learn about how security considerations work into DevOps processes.
DevOps and Security
Though it goes by many names such as Security DevOps, DevSecOps, or just DevOps, the overall goal is to break down barriers between previously siloed teams made up of Development, Testing, and Operations.
In the traditional software development lifecycle, the Security team is forced to act as a proverbial wet blanket. They come in during implementation to restrict port and data access after development is completed to lock down the operating environment. The net impact of implementing these security changes this late in the lifecycle often results in expensive application rewrites, environment redesigns, and reconfigurations since functionality tends to break when security considerations are included as an afterthought.
Incorporating security practices from the beginning of the software development lifecycle results in higher quality and more secure solutions. But it does require a gradual shift in company culture to place the responsibility of security on everyone, not just a select few.
Security from the start begins before development, in the ideation stage. Once an idea has formed and plans begin, it is important to include the security team in early conversations so that they can ask some seemingly simple questions, such as:
- What is the application going to do?
- Why build it?
- What are the security requirements?
- What are the required data points?
- Is PII required?
- What programming language(s) will be used?
- What external modules and dependencies are required?
Knowing the answers to these important questions facilitates development of security-centric requirements that more closely align with application requirements. These conversations should start in the boardroom with the decision makers asking and being asked questions based on key security considerations.
Security in Development
In DevOps, once development has been approved and requirements have been created, there are a few security processes that should be implemented to align with best practices.
Create a repository for third-party modules and external dependencies.
Scan this repository at regular intervals and each time the application is updated. This helps prevent malicious actors from impacting your application at any point in the lifecycle.
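As an added illustration of the scan-on-change and scan-on-schedule rule above (example code, not from the original post or from AEM), a small Python gate that parses a pinned requirements file, checks each pin against an embedded advisory list, and decides whether a rescan is due because the manifest changed or the scan interval elapsed. The manifest, advisory versions and advisory ids are constructed placeholders, and the seven-day interval is an assumed policy value.

```python
import hashlib
import re

# Constructed sample manifest for the demo, not a real project's dependency file.
REQUIREMENTS = """\
requests==2.19.1
pyyaml==5.3.1
flask==2.3.2
"""

# Constructed advisory feed: package -> [(first_fixed_version, advisory_id)].
# A pinned version below first_fixed_version is treated as affected.
ADVISORIES = {
    "requests": [("2.20.0", "CONSTRUCTED-ADV-1")],
    "pyyaml": [("5.4", "CONSTRUCTED-ADV-2")],
}

RESCAN_AFTER_DAYS = 7  # assumed policy: rescan at least weekly

def parse_requirements(text):
    """Return {package: version}; reject anything that is not an exact pin."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins

def version_tuple(v):
    """Crude numeric compare; good enough for dotted release numbers."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def find_vulnerable(pins):
    """List (package, pinned_version, advisory_id) for every affected pin."""
    findings = []
    for name, ver in pins.items():
        for fixed_in, adv in ADVISORIES.get(name, []):
            if version_tuple(ver) < version_tuple(fixed_in):
                findings.append((name, ver, adv))
    return findings

def manifest_digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

def needs_rescan(manifest_text, last_scan_digest, days_since_last_scan):
    """Rescan when the manifest changed or the scheduled interval has passed."""
    changed = manifest_digest(manifest_text) != last_scan_digest
    return changed or days_since_last_scan >= RESCAN_AFTER_DAYS
```

Wiring `find_vulnerable` into the build so a non-empty result fails the pipeline is what turns the scan into a gate rather than a report.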
Implement a process for regular code reviews.
Code reviews and scans for both quality and security should become a regular part of the software development process to minimize the likelihood of costly and time-consuming rewrites.
Implement static code analysis tools.
Use static code analyzers such as Fortify by Micro Focus during the development and testing cycle to ensure that the application remains secure. These tools scan the binaries after compile time while testing the application for security vulnerabilities.
Security in Testing
Including security from the beginning does not just involve the Development and Security teams. DevOps includes both the Testing and Operations groups as well.
Implement thorough automatic and manual testing activities.
Supplementing automated testing where possible with established manual security testing processes verifies that quality and security hold throughout the lifecycle. Thorough testing activities should cover the application, its security measures, and its overall environment. Environment testing includes penetration testing, back-up and restore procedures, and environment security verification.
Security in Operations
Operations should also be involved in testing and development activities, since they will be building the environment using infrastructure as code to deliver a centrally managed, automated application platform with configuration management for its services.
Collaborate with both developers and the security team.
Operations must discuss the requirements with the developers when architecting the environment for a new application to understand the operational considerations. Adding security requirements into the mix is no different. The Operations team must review and discuss security and development requirements before designing the environments for the new application to ensure appropriate measures are in place to validate that the requirements are met. The effort and potential errors in designing the new environment can be greatly reduced by using infrastructure as code methodologies and tools. (Stay tuned for our upcoming blog articles on Ansible and Ansible Tower.)
DevOps, Security, and Containers
If you are using containers (and you cannot talk about DevOps without discussing containers, given their agility and growing popularity), you need to consider some additional factors. To simplify ongoing management, consider a supported container management platform such as Red Hat OpenShift.
Instead of trusting container images pulled directly from the internet, or building your own without review, create a container image repository so that images can be security scanned and thoroughly tested before they are consumed in the environment. This mirrors the developers' repository of code dependencies and modules mentioned earlier. Storing container images in a repository where they are scanned and tested allows large portions of the architecture to be validated before use.
DevSecOps is a gradual mindset shift that requires planning, communication, and stakeholder involvement to be successful. It takes time to introduce these changes, get all the team members onboard, and design platforms and applications with security in mind. Just remember that all teams contribute to the overall solution through principles such as developing with security in mind, testing the security (both infrastructure and applications), and designing the environment with both application and security requirements from the beginning.
Organizations must choose to make an investment in training and refocusing of responsibilities when implementing Security DevOps. It requires the commitment of management to implement the process. However, the net results will facilitate closer collaboration in solving problems across the organization and result in higher quality applications.
AEM is a leader in implementing DevOps processes to improve application quality while making development more efficient and secure. Learn more about our approaches with our DevOps Service Catalogue.