DevOps: Bloody hell, we've got to think about security too! Sigh. Who wants coffee?
How to bake in security to DevSecOps, er SecDevOps ...
Define, measure...adjust, refine
For this reason, some dev teams start by defining the process and executing it manually at first, then adjust, measure and refine, and only when they are sure it is delivering the right results do they move on to automating it. It may also be a good idea to train up your developers on secure coding principles and how they can be best applied, but Carlson says that this is only part of the solution.
“That puts an undue burden on the developer to know everything that could happen from a security point of view in what they are building, and that’s tough,” he said.
This is especially so when you consider that most applications and services are actually assembled from existing components rather than built from scratch.
Developers take Java or PHP as an application execution framework, then import open source libraries to fulfil functions such as visual graphics or data processing, so as little as 5 per cent of an application may be custom code.
“Who is assessing the 95 per cent of third-party code you’re using? You often don’t have access to the source code, and even if you do, who is going to review a million lines of code in the Apache Web Server? That’s why you need to integrate vulnerability scanning tools like ours into the dev process, the QA process, the ops process, without them knowing that they are using security tools, so they don’t have to be security experts,” Carlson said.
That said, part of the cultural transformation process is not just getting developers, ops and security to work more closely together as a broader team, but getting everyone to take equal accountability for defects, whether they are functional defects, quality defects or security defects, he added. Otherwise, it is too easy for developers to simply throw security issues over the wall to the security team instead of getting on and fixing them.
“Common security attacks like SQL injection and cross-site scripting are input validation errors that developers fix as a matter of course, but in organisations that have been successful in implementing DevSecOps or security into DevOps, you see a cultural transformation where they treat security defects the same way they do other defects,” Carlson said.
Oh GEEE (DPR)
One big worry for organisations is the EU’s GDPR legislation, which takes effect on May 25. Among various things, this includes new data-governance obligations covering privacy and protection of personal data, with hefty potential penalties for breaches. Many firms fear that they may be blamed if a breach is caused by insecure code or systems.
The good news here is that GDPR compliance is also about having the right processes and adopting a culture of privacy, and it seems that many of the processes that businesses need to put in place in order to deliver a successful DevSecOps strategy can actually help, according to Bursell.
“I think this is where, if you can show that you’ve got your governance in place, which includes GDPR requirements, and you’ve derived policies, and you’ve automated them and you’ve got your monitoring and you’ve got your auditing, then you’ve gone a good way towards being able to show that you meet GDPR compliance,” he said.
“Any auditors that come in are going to want it demonstrated to them that the policies you have shown them on paper or on screen are baked in and can be tallied with artefacts from your process, which is why you need the auditing and the monitoring,” he explained.
So there you have it. Security is a non-trivial issue, but good security practices as part of a DevOps strategy are no more difficult than for traditional waterfall development. Rather, the processes and cultural transformation that you need to deliver a successful DevOps strategy also make it easier to deliver better security compliance by design as well. ®
* Derived from over 4,000 penetrations and 10,000+ scans over the course of a year. From small biz to ents.