The need to ship software rapidly using cloud environments, microservices, and containers has grown year by year, and with it the discussion about the role of security in agile development and operations (DevOps).
At the DevOps Connect event at the 2018 RSA Conference, nearly 1,200 security personnel gathered to explore ways to embed security into the development pipeline. With an astonishing 81% adoption rate in the enterprise ecosystem, DevOps has become an attractive target for cyber criminals. The hijacking of the Tesla cloud DevOps platform is an example of why such environments must be incorporated into a company's overall security strategy. To cover the ever-expanding attack surface, security must be embedded in DevOps.
Microservices and containers improve IT efficiency and speed up application delivery. However, these technologies are being adopted faster than the security for them is being developed. Gartner's research report "Developing Security Operations: How to Seamlessly Integrate Security into Development Operations" shows that fewer than 20% of enterprise security teams collaborate with DevOps teams to actively and systematically integrate information security into their DevOps projects.
For example, one of the key features of these technologies, the ability to start up and shut down instantly, poses a huge security challenge to the enterprise.
Unfortunately, DevOps security, or DevSecOps as Gartner calls it, often does not receive enough attention, for the following reasons:
Most security personnel are unfamiliar with the tools commonly used in the DevOps pipeline, especially their interoperability and automation features.
Most security personnel do not know what a container is, let alone what security issues are unique to containers.
Security is often viewed as opposed to development agility.
Today's security infrastructure is still built on hardware designs, which often lag behind the concepts of software definition and programmability; this makes it difficult to integrate security controls into the DevOps pipeline in an automated manner.
Although microservices and containers bring many benefits, they also introduce some new risks of their own. Like other emerging technologies, microservices and containers were not designed with security in mind from the beginning. In most enterprises, they have not yet been incorporated into the overall enterprise security plan. Since they may already be deployed somewhere in the enterprise, these technologies should be treated as part of the attack surface that needs to be protected.
The information security and DevOps teams can take the following steps to reduce the attack surface of these technologies and development practices:
1. Harden the container
The underlying operating system should be well protected to prevent attacks on the container from affecting the physical host. Linux has some ready-made security modules available for this.
2. Protect the DevOps pipeline
Apply privileged access management throughout the DevOps pipeline to ensure that only authorized users can access the environment, and to limit the lateral movement of hackers within it.
3. Vulnerability scanning
Perform a deep vulnerability scan on the container image before running it.
4. Continuously monitor container images
Detect root privilege escalation, port scanning, reverse shells and other suspicious activity in containers and their host machines at runtime to prevent exploitation and breaches.
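The runtime checks named in step 4, as an added example that is not part of the original article: a small Python detector that flags a non-root process becoming root, a shell whose standard input is a network socket, and one container touching many ports on the same peer within a short window. The event schema, field names, thresholds and sample events are assumptions constructed for illustration; a real deployment would feed it from a runtime sensor.

```python
from collections import defaultdict, deque

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SCAN_PORTS = 10     # distinct destination ports on one peer ... (assumed threshold)
SCAN_WINDOW = 5.0   # ... seen within this many seconds (assumed threshold)


def detect(events):
    """Return (ts, container, rule) alerts for a time-ordered stream of event dicts."""
    alerts = []
    recent = defaultdict(deque)  # (container, dst_ip) -> deque of (ts, port)
    for ev in events:
        ts, ctr, kind = ev["ts"], ev["container"], ev["type"]
        if kind == "setuid" and ev["old_uid"] != 0 and ev["new_uid"] == 0:
            alerts.append((ts, ctr, "root_escalation"))
        elif kind == "exec" and ev["comm"] in SHELLS and ev["stdin"] == "socket":
            # A shell reading its input from a network socket, not a tty or pipe.
            alerts.append((ts, ctr, "reverse_shell"))
        elif kind == "connect":
            win = recent[(ctr, ev["dst_ip"])]
            win.append((ts, ev["dst_port"]))
            while win and ts - win[0][0] > SCAN_WINDOW:
                win.popleft()  # drop connections older than the window
            if len({port for _, port in win}) >= SCAN_PORTS:
                alerts.append((ts, ctr, "port_scan"))
                win.clear()  # raise one alert per burst, then start counting again
    return alerts


def sample_events():
    """Constructed sample data in a hypothetical sensor format."""
    evs = [
        {"ts": 0.0, "container": "web-1", "type": "exec", "comm": "nginx", "stdin": "pipe"},
        {"ts": 1.0, "container": "web-1", "type": "setuid", "old_uid": 33, "new_uid": 0},
        {"ts": 2.0, "container": "web-1", "type": "exec", "comm": "sh", "stdin": "socket"},
        # Dropping privileges (root to an unprivileged uid) is normal and not flagged.
        {"ts": 2.5, "container": "db-1", "type": "setuid", "old_uid": 0, "new_uid": 999},
    ]
    # web-1 touches 12 different ports on one peer in about a second.
    evs += [{"ts": 3.0 + i * 0.1, "container": "web-1", "type": "connect",
             "dst_ip": "10.0.0.7", "dst_port": 20 + i} for i in range(12)]
    # db-1 makes a single ordinary connection.
    evs.append({"ts": 4.5, "container": "db-1", "type": "connect",
                "dst_ip": "10.0.0.8", "dst_port": 5432})
    return sorted(evs, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

Keying the reverse-shell rule on the shell's input descriptor rather than on command-line text keeps it independent of how the shell was launched.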
Finally, companies will continue to accelerate their use of microservices and containers to improve business efficiency and agility. Correspondingly, hackers will use this attack surface to achieve their own goals. To protect this nascent layer of the IT stack, DevOps should collaborate with the information security team to implement security best practices early in the application development process.