DevOps is becoming the go-to methodology for building apps fast. But fast doesn’t mean more secure. Enter DevSecOps.
There is a lot of talk about how security needs to be an integral part of any project from the ground up. DevOps in general has seen a growing adoption rate across the enterprise, and Gartner says that over 50 percent of enterprises are using DevOps now. With the growing rate in adoption, which is seeing development and operational teams working together for more frequent and effective releases, it doesn’t really make sense to leave security as an afterthought. With DevSecOps, security teams now work in collaboration with everyone else rather than as a separate entity, which in some cases can be the main challenge.
Turning DevOps into DevSecOps isn’t as simple as adding a security team. It entails adding security as part of every team and process. When security functions as an outside entity, the disadvantage is that everyone’s already done their job by the time a security threat is discovered, and with the pressure to meet deadlines, patching is preferred to having to rewrite thousands of lines of code. When security is an integral part of the process right from step one, any vulnerabilities can be addressed as soon as they are detected during the course of the work flow.
Security automation everywhere
DevOps teams love automation, and that’s evident with the rapid growth of serverless computing across the enterprise. DevOps is all about having the agility and freedom that comes from cutting out the red tape and paperwork that separates the two departments from working as a single cohesive unit. With the increase in cyber threats and advanced DDoS attacks like the ones we witnessed last year, enterprises are now working toward including security as part of that cohesive functioning unit rather than the archaic process of chucking a release at the security team. The fact that security is not yet an integral part of DevOps processes is quite surprising since a security breach is the worst thing that could possibly happen to your brand-new application.
To automate security to a point where you don’t have to worry about patching broken code and fixing bugs that could be exploited, security needs to be implemented at every stage of your DevOps workflow. With DevSecOps, your developers are not just responsible for functionality and performance, but also for security defects. The enterprise in general has realized that leaving security for the end of the cycle is just asking for trouble, and a lot of effort is going into security integration at every level.
Automated security means automating most of your tests and processes so that there is less risk of security breaches due to human error, and more chance of pinpointing and fixing breaches when they do occur. StackStorm is a great platform that is built from the ground up with automation in mind. It helps integrate security at every level through event-driven automation. Some of its popular features are auto-remediation, security responses, facilitated troubleshooting, and complex deployments. In this way, if security and compliance controls are an integral part of the DevOps process, an effective security layer that runs through the entire workflow is created.
A cloud over security
The affinity for DevOps teams to take to the cloud, however, creates new complications for security teams because conventional security measures mostly pertain to on-premise infrastructure. Security in the cloud is another thing altogether, and with servers now being nothing more than a line of script, security personnel need to change their approach completely or risk becoming irrelevant. This is where security teams need to move away from the traditional patching and update processes to learning code like Python that can help them tame this new environment. The capabilities with regards to securing infrastructure that the cloud provides, such as on-demand scaling, micro-perimeter security controls, and per-resource granular security policies, make it a perfect platform for DevSecOps, and too good an offer to pass up.
When you think about DevOps and how it involves continuous integration and delivery, what DevSecOps is all about in essence is continuous monitoring, and the cloud is a great place to do that. Visualization is one of the most important elements of monitoring, and dashboard tools such as Kibana and Grafana make it possible to visualize important metrics and even make predictions. AWS has integrated its CloudWatch monitoring service with all its other services along with the option to integrate external monitoring service for advanced predictive analytics.
Sampling of DevSecOps tools
SumoLogic is one of the tools that can be integrated with AWS CloudWatch. It uses machine-generated big data to deliver real time IT analysis. The company’s cloud-based service provides customers with real-time interactive analytics at an unprecedented petabyte scale. Unlike expensive on-premise solutions, Sumo Logic has a low TCO, can be deployed instantly, scales elastically, and requires zero maintenance.
Splunk is another platform that is commonly used to analyze machine data. Splunk captures, indexes, and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards, and visualizations.
PagerDuty is an incident-resolution platform with an API that can be integrated with a wide variety of other tools. Apart from automating the process of incident response, customers can also create custom reports and dashboards, and create status pages to let customers and internal stakeholders know about incidents. PhoneDuty is a web application that queries PagerDuty to find the on-call engineer, and it forwards the inbound call to him.
Slack is a collaboration software that allows teams to work together and stay on the same page. What it does is allow different teams to not only use the same tools but also have conversations in real time and in the same space. When you add an intelligent ChatBot to the mix that can call out to services, APIs or servers, you are now in ChatOps territory, which is all about using your team’s chat to control your technical infrastructure. The term ChatOps was coined by GitHub in 2013 with the creation of Hubot, its open-source chatbot to help with DevOps practices. Hubot is a customizable chatbot that can ship code, act as an interface to a CI server, and announce deployments all within a chat window. Pager Huety is another fun tool that allows you to rig a bulb to flash whenever an open incident is assigned to you.
Future of DevOps
Today, only 20 percent of DevOps initiatives include security throughout the development cycle. This number is surprising considering how important security in a multi-tenant environment is. One security breach could affect hundreds of thousands of customers. This year is going to see a lot more DevOps teams integrating security into their operations with modern incident management tools like Slack and PagerDuty. The transition from DevOps to DevSecOps is going to be more about security teams evolving and integrating their practices to a point where everyone owns security and compliance. Security is also all about the right people being available at the right time, and automated rules that can notify them as soon as a breach occur is important.
DevSecOps is the logical next step after DevOps, and anyone who thinks security isn’t an important part of the entire development process is probably going to get a wake-up call -- literally -- in the middle of the night in the form of a security breach.