Tips for a smooth DevSecOps transformation
DevSecOps is a natural progression of DevOps and spreads security responsibilities to other IT teams. Where to begin? Here are core concepts, helpful tools and ways to learn more.
Corporate IT infrastructure experiences rapid, fundamental changes with the evolution of cloud services and platforms. In 2020, the global pandemic forced an immediate adjustment in work patterns and project prioritization. These two factors mean that commercial and government organizations must consider a DevSecOps transformation to ensure continued security in the new era of remote work and hybrid infrastructures.
DevSecOps, a term that encompasses the combined efforts of development, security and IT operations teams, is an advancement over DevOps. It makes every participant responsible for security practices and standards, not only the beleaguered cybersecurity team. A growing number of cybersecurity practitioners espouse this notion, and DevSecOps provides the processes and tools to make this "shift left" of security work, earlier into design and development, a reality.
DevSecOps concepts to master
There are many ways to integrate security into development and operations for software. Threat modeling, shared threat intelligence, the principle of least privilege, automated testing and container isolation are core to a DevSecOps transformation.
Threat modeling is a way to stay a step ahead of attackers by reasoning about a system's design before it is built or changed. It enumerates the system's assets, trust boundaries and data flows, identifies the attack vectors those expose, and then maps countermeasures to each expected threat. For example, threat modeling an internet-facing service surfaces the denial-of-service threat and maps out possible countermeasures such as rate limiting, request timeouts and autoscaling.
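The following is an added example of threat modeling expressed as code, not code from the original article or from any product named on this page. It describes a constructed three-tier web application (browser, API, database) as elements in trust zones with data flows between them, then runs a handful of STRIDE-style rules over the flows to produce threats paired with countermeasures, including the denial-of-service case mentioned above. The element names, zones and rules are illustrative assumptions, not a complete STRIDE catalogue.

```python
"""Threat-model-as-code: describe a system's trust zones and data flows, then
run STRIDE-style rules over them to list expected threats and countermeasures.

Added example; the element names, zones and rules are illustrative
assumptions, not a real product's rule set or a complete STRIDE catalogue.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                        # "external", "process" or "store"
    zone: str                        # trust zone: "internet", "dmz", "internal"
    rate_limited: bool = False       # meaningful for processes
    encrypted_at_rest: bool = False  # meaningful for stores


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    protocol: str                    # "https", "tls", "http", "tcp", ...
    authenticated: bool = False      # does dst authenticate the caller?


@dataclass(frozen=True)
class Threat:
    category: str                    # STRIDE category
    target: str
    description: str
    countermeasure: str


def crosses_boundary(flow: Flow) -> bool:
    return flow.src.zone != flow.dst.zone


def analyze(flows: list[Flow]) -> list[Threat]:
    """Apply each rule to every flow; a rule yields a threat plus a countermeasure."""
    threats = []
    stores_seen = set()
    for f in flows:
        edge = f"{f.src.name} -> {f.dst.name}"
        if crosses_boundary(f) and f.protocol in ("http", "tcp"):
            threats.append(Threat("Tampering / Information disclosure", edge,
                                  "plaintext flow crosses a trust boundary",
                                  "use TLS (ideally mutual TLS) on the link"))
        if crosses_boundary(f) and not f.authenticated:
            threats.append(Threat("Spoofing", edge,
                                  "caller is not authenticated across the boundary",
                                  "require tokens or client certificates before processing"))
        if f.src.zone == "internet" and f.dst.kind == "process" and not f.dst.rate_limited:
            threats.append(Threat("Denial of service", f.dst.name,
                                  "internet-facing process accepts unbounded requests",
                                  "rate limit per client, set timeouts, autoscale behind a load balancer"))
        if f.dst.kind == "store" and f.dst.name not in stores_seen:
            stores_seen.add(f.dst.name)   # report each store once, not once per flow
            if not f.dst.encrypted_at_rest:
                threats.append(Threat("Information disclosure", f.dst.name,
                                      "data store is not encrypted at rest",
                                      "enable storage encryption and restrict who can read the store"))
    return threats


def sample_model(hardened: bool = False) -> list[Flow]:
    """Constructed three-tier web app: browser -> API -> database."""
    browser = Element("browser", "external", "internet")
    api = Element("api", "process", "dmz", rate_limited=hardened)
    db = Element("db", "store", "internal", encrypted_at_rest=hardened)
    return [
        Flow(browser, api, "https", authenticated=hardened),
        Flow(api, db, "tls" if hardened else "tcp", authenticated=True),
    ]


if __name__ == "__main__":
    for t in analyze(sample_model()):
        print(f"[{t.category}] {t.target}: {t.description} -> {t.countermeasure}")
    print("hardened model threats:", len(analyze(sample_model(hardened=True))))
```

Running it lists four threats for the initial design (spoofing and denial of service on the API, a plaintext hop and an unencrypted store behind it) and none once the countermeasures are applied. Keeping the model in the repository means a pull request that adds a new flow or store re-runs the rules in CI, which is what makes the threat model a living artifact rather than a one-time diagram.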
Shared threat intelligence -- a principle of the DevSecOps manifesto -- means propagating what you know about a security threat across the industry and beyond. Look to industry and government initiatives, such as the U.S. Department of Homeland Security's Automated Indicator Sharing (AIS) and the ISAO Standards Organization, to participate.
Organizations enacting a DevSecOps transformation should adhere to the principle of least privilege for every service and person that reads, writes or updates data. Least privilege means each identity holds only the permissions needed to complete its task, and nothing more; because broad grants accumulate over time, permissions need periodic review against what is actually used. Expect some culture shock -- and loud complaints -- if developers and sys admins lose the kind of access to the corporate dev, test and production systems they had before the principle of least privilege was enforced.
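As an added example (not code from the article or from any cloud provider), the block below shows least privilege applied to a service identity. It flags the wildcard grants in a constructed IAM-style policy, then derives the minimal policy from a constructed access log of the actions the service actually performed, and compares what the two policies allow. The policy shape mimics AWS IAM, but the evaluator is a simplified assumption for illustration (no conditions or NotAction), not an AWS library.

```python
"""Least privilege as code: flag over-broad IAM-style grants and derive the
minimal policy a workload needs from the actions it was observed using.

Added example. The policy shape mimics AWS IAM and the access log is
constructed; the evaluator is simplified (no conditions, no NotAction) and is
an assumption for illustration, not an AWS library.
"""
import fnmatch
from collections import defaultdict

# A typical "it works, ship it" policy: every S3 action on every bucket.
BROAD_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["sqs:*"],
         "Resource": ["arn:aws:sqs:us-east-1:123456789012:*"]},
    ]
}

# Constructed access log: (action, resource) pairs the service actually used.
OBSERVED_USAGE = [
    ("s3:GetObject", "arn:aws:s3:::app-assets/img/logo.png"),
    ("s3:GetObject", "arn:aws:s3:::app-assets/css/site.css"),
    ("s3:PutObject", "arn:aws:s3:::app-uploads/2020/report.pdf"),
    ("sqs:SendMessage", "arn:aws:sqs:us-east-1:123456789012:orders"),
]


def allows(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow statement grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
               and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def overbroad_grants(policy):
    """Return (statement index, reason) for wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in stmt["Action"]):
            findings.append((i, "wildcard action"))
        if "*" in stmt["Resource"]:
            findings.append((i, "wildcard resource"))
    return findings


def generalize(resource):
    """Widen S3 object ARNs to the whole bucket so the derived policy does not
    break on the next file name (an assumption about this workload's needs)."""
    prefix = "arn:aws:s3:::"
    if resource.startswith(prefix) and "/" in resource:
        bucket = resource[len(prefix):].split("/", 1)[0]
        return f"{prefix}{bucket}/*"
    return resource


def derive_minimal_policy(observed):
    """Group observed actions by (generalized) resource into Allow statements."""
    grants = defaultdict(set)
    for action, resource in observed:
        grants[generalize(resource)].add(action)
    return {"Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": [res]}
        for res, actions in sorted(grants.items())
    ]}


if __name__ == "__main__":
    print("over-broad:", overbroad_grants(BROAD_POLICY))
    minimal = derive_minimal_policy(OBSERVED_USAGE)
    for stmt in minimal["Statement"]:
        print(stmt)
    print("broad allows DeleteBucket:",
          allows(BROAD_POLICY, "s3:DeleteBucket", "arn:aws:s3:::app-uploads"))
    print("minimal allows DeleteBucket:",
          allows(minimal, "s3:DeleteBucket", "arn:aws:s3:::app-uploads"))
```

The derived policy still permits everything in the access log, so the service keeps working, but a compromised service can no longer delete buckets or read other teams' data. The generalization step is the judgment call: widening to the bucket avoids a policy that breaks on the next upload, while widening to `*` would put the wildcard back. In practice the access log comes from the cloud provider's audit trail, and the comparison runs in CI whenever a policy file changes.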
Automated security testing should become part of the acceptance testing process for software. These tests are largely negative cases: malformed input is rejected by input validation, unauthenticated requests are refused, and authorization stops one user from acting on another user's data. While automated testing can't replace an experienced QA or security tester, automation works as a force multiplier for secure code because every commit is checked the same way.
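The block below is an added example, not code from the article or from any real application, of what such acceptance tests look like. A small money-transfer endpoint authenticates the caller, validates the input and then checks object-level authorization; a table of negative cases asserts that each control rejects what it should, with the HTTP status the pipeline expects. The session table and account ledger are constructed stand-ins.

```python
"""Security acceptance tests as code: a small transfer endpoint with
authentication, input validation and authorization, plus negative tests that
assert each control rejects what it should.

Added example; the endpoint, session table and account ledger are
constructed stand-ins, not code from any real application.
"""
import re

ACCOUNT_RE = re.compile(r"^ACC-\d{6}$")
MAX_AMOUNT = 10_000

SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}    # constructed session store
OWNERS = {"ACC-000001": "alice", "ACC-000002": "bob"}  # constructed account ledger


class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def transfer(request: dict) -> dict:
    """Order matters: authenticate, then validate, then authorize, then act."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        raise Rejected(401, "unauthenticated")

    src, dst, amount = request.get("from"), request.get("to"), request.get("amount")
    for acct in (src, dst):
        if not isinstance(acct, str) or not ACCOUNT_RE.match(acct):
            raise Rejected(400, "malformed account id")
    # bool is a subclass of int, so True would otherwise pass as amount 1.
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_AMOUNT:
        raise Rejected(400, "invalid amount")

    if OWNERS.get(src) != user:  # object-level authorization: only the owner may debit
        raise Rejected(403, "not the owner of the source account")
    return {"status": 200, "moved": amount, "from": src, "to": dst, "by": user}


def status_of(request: dict) -> int:
    try:
        return transfer(request)["status"]
    except Rejected as e:
        return e.status


# Each case is (name, request, expected HTTP status); the negative cases are the
# security tests the pipeline must keep green.
SECURITY_CASES = [
    ("happy path", {"token": "tok-alice", "from": "ACC-000001", "to": "ACC-000002", "amount": 50}, 200),
    ("no token", {"from": "ACC-000001", "to": "ACC-000002", "amount": 50}, 401),
    ("bad token and bad input is still 401", {"token": "bogus", "from": "x", "amount": -1}, 401),
    ("injection-looking account id", {"token": "tok-alice", "from": "ACC-000001' OR 1=1--", "to": "ACC-000002", "amount": 50}, 400),
    ("negative amount", {"token": "tok-alice", "from": "ACC-000001", "to": "ACC-000002", "amount": -50}, 400),
    ("amount as string", {"token": "tok-alice", "from": "ACC-000001", "to": "ACC-000002", "amount": "50"}, 400),
    ("amount as bool", {"token": "tok-alice", "from": "ACC-000001", "to": "ACC-000002", "amount": True}, 400),
    ("over limit", {"token": "tok-alice", "from": "ACC-000001", "to": "ACC-000002", "amount": MAX_AMOUNT + 1}, 400),
    ("bob debits alice's account", {"token": "tok-bob", "from": "ACC-000001", "to": "ACC-000002", "amount": 50}, 403),
]


def run_security_tests(cases=SECURITY_CASES) -> list:
    """Return the failing cases as (name, expected, actual); empty means pass."""
    failures = []
    for name, req, expected in cases:
        actual = status_of(req)
        if actual != expected:
            failures.append((name, expected, actual))
    return failures


if __name__ == "__main__":
    failures = run_security_tests()
    print("all security cases passed" if not failures else f"FAILED: {failures}")
```

The last case is the one teams most often miss: a well-formed, authenticated request that targets someone else's record. A functional test suite built only from happy paths would never exercise it, which is why the security cases belong in acceptance testing alongside the functional ones.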
DevOps organizations often adopt containers as a way to move code from development through test and into production rapidly and predictably. DevSecOps adopters should focus on container isolation: build images from minimal bases without unneeded packages and dependencies that widen the attack surface, run them as unprivileged users and keep host resources out of their reach. Containers are typically stateless and often encapsulate just one piece of the overall application, so application code in one container relies on data held in another. A flawed database container can itself become an attack vector, because every application container that trusts it is exposed. Isolation is foundational for container security in DevSecOps.
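To make the isolation settings concrete, the following added example (not code from the article, from Kubernetes or from OpenShift) audits a Kubernetes pod spec for settings that weaken isolation. Two constructed specs are shown: a weak one that runs privileged on the host network with the Docker socket mounted and a mutable image tag, and a hardened one that runs as a non-root user with a read-only root filesystem, all capabilities dropped, an image pinned by digest and resource limits. The rule list is an illustrative subset of what OpenShift's Security Context Constraints or the Kubernetes Pod Security Standards enforce, not those tools' own code.

```python
"""Container isolation as code: audit a Kubernetes pod spec for settings that
weaken isolation, shown on a weak spec beside its hardened counterpart.

Added example; the pod specs are constructed and the rule list is an
illustrative subset of what OpenShift's Security Context Constraints or the
Kubernetes Pod Security Standards enforce, not those tools' own code.
"""

WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "hostNetwork": True,                         # shares the node's network namespace
        "containers": [{
            "name": "api",
            "image": "registry.example/api:latest",  # mutable tag, not reproducible
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"}],
        }],
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "registry.example/api@sha256:" + "ab" * 32,  # digest is constructed
            "securityContext": {
                "runAsNonRoot": True,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def audit_pod(pod: dict) -> list:
    """Return human-readable findings; an empty list means the spec passes."""
    findings = []
    spec = pod["spec"]
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append(f"pod: {ns} is true, breaking namespace isolation from the host")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod: volume {vol['name']} mounts host path {vol['hostPath']['path']}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container has every capability of the host")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set, process may run as root")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities are not dropped")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image {c.get('image')} is not pinned by digest")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits, a runaway container can starve neighbours")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {len(audit_pod(pod))} findings")
        for finding in audit_pod(pod):
            print("  -", finding)
```

The weak spec produces nine findings; a container with the Docker socket mounted and `privileged: true` is effectively root on the node, so a flaw in that one container is a flaw in every container on the host. The hardened spec produces none. A check like this belongs in the pipeline before deployment, which is the role admission controllers and tools such as Chef InSpec or OpenShift's Security Context Constraints play in a real cluster.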
DevSecOps tools to master
There are many tools for development, IT operations and security tasks, which means limitless possible combinations of tools that organizations can use. Here is a selection of major tools that can contribute to the shared development, security and operations goals of a DevSecOps transformation.
Red Hat Ansible Automation Platform. Ansible Automation Platform includes Ansible Tower, Ansible Network Engine and Ansible Network Automation. DevSecOps teams can use these tools individually or together for agentless IT automation, for example to apply the same hardened configuration baseline to development, test and production hosts so that security settings are enforced by playbooks rather than by hand.
Grafana. This open source analytics platform enables IT teams to create custom dashboards where they aggregate all relevant operational and security data for ops teams and other stakeholders. There are community-built dashboards available for a quick start, or organizations can create their own.
Kibana. For organizations that use Elasticsearch, Kibana is the open source visualization layer that turns the log entries indexed in Elasticsearch into a unified view of time series analytics, application monitoring and operational data.
ThreatModeler. This automated threat modeling platform comes in various editions, such as AppSec and Cloud. ThreatModeler analyzes data and relies on threat intelligence to automatically identify potential threats across the entire attack surface.
OWASP Threat Dragon. This open source tool creates system diagrams and features a rules engine that generates candidate threats from the diagram and tracks their mitigations. The tool touts an easy-to-use interface and integration with other DevOps tools.
Chef InSpec. This tool from configuration management company Chef automates security tests to help ensure compliance with security and related requirements. Chef InSpec runs against containers, cloud APIs and even on-premises servers, making it a testing tool to consider for hybrid infrastructure.
Micro Focus Fortify. Fortify is an end-to-end application security platform with on-demand testing options that cover the entire software development lifecycle. Micro Focus also offers Fortify on Demand, application security as a service that integrates static and dynamic application security testing with continuous monitoring of production applications.
GitLab. This software lifecycle tool can scan code on every commit through its CI pipelines, with static analysis, dependency scanning and container scanning. By doing so, it enables developers to remediate security vulnerabilities during development, not as the last step before code ships to production. GitLab also provides a security dashboard that displays all detected vulnerabilities.
Red Hat OpenShift. Based on Kubernetes, this platform supports the container build process with security features. It provides role-based access control, Security-Enhanced Linux (generally called SELinux) isolation and checks during the container build process.
Certifications and training for a DevSecOps transition
Corporate leadership is bound to ask what certifications are necessary for employees to succeed with a DevSecOps transformation. There are two schools of thought on certification: One will say that certification is unnecessary; the other champions an array of certification paths.
For organizations that pursue certification to complement their DevSecOps training, there are several options. The DevOps Institute offers its DevSecOps Engineering (DSOE) certification, and Practical-DevSecOps.com offers a Certified DevSecOps Professional (CDP) certification. DevSecOps certification from vendors is sparse, but watch for more to emerge as digital transformation efforts expand in response to COVID-19.
Look for a reputable training provider that offers practitioner-led classes that cover topics that fit with your DevSecOps transformation strategy. For example, SANS Institute offers SEC534: Secure DevOps: A Practical Introduction, and SEC540: Cloud Security and DevOps Automation; both courses could serve as foundational training for IT staff learning the ropes of DevSecOps.
In addition, expect just-in-time training. DevSecOps vendors include short videos in their online documentation that can ease adoption, for example. If you have the staff or contractor budget, evaluate ways to create and publish DevSecOps training content internally through your organization's intranet or learning management system.
Beyond the development, security and operations teams, the compliance and risk management professionals, auditors and management stakeholders need training. Introduce them to DevSecOps concepts and the changes they can expect to see to the company's software delivery.