Using DevSecOps to implement security automation can improve the efficiency of R&D and O&M and enhance application security.
Foreword
The term DevSecOps was first proposed by Gartner in 2012 and has gradually become a popular term since 2017. DevSecOps can be understood as the integration of security into the DevOps process, with security as an important consideration throughout development and operations, so that security ultimately spans the entire life cycle of the application. Using DevSecOps to implement security automation can improve the efficiency of R&D and O&M and enhance application security.
1. Definition of DevSecOps
1. Security O&M Evolution
Waterfall model
In 1970, Winston Royce proposed the famous "waterfall model", which defines the activities of the software life cycle as a number of phases connected in a fixed sequence.
Agile development
A software development method that has gradually attracted wide attention since the 1990s. It puts the evolution of user needs at its center and develops software in an iterative, step-by-step manner.
DevOps
The combination of development, operations and maintenance, and quality assurance has accelerated the building and deployment of applications. DevOps has driven the adoption of continuous integration/continuous delivery (CI/CD), with applications developed around automated tool chains. Despite the automation of many processes, attention to security has not always kept pace with current attack trends and cyber threats.
DevSecOps
It advocates integrating security into the CI/CD process, eliminating manual testing and configuration steps, and supporting continuous deployment. The security team participates in the entire development life cycle and works closely with the development, testing, and quality assurance teams.
2. DevSecOps Declaration
The first page of the DevSecOps website [1] lists nine declarations, which give a high-level overview of the key content and implementation value of DevSecOps. They are:
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
3. Status of DevSecOps
Since the concept of DevSecOps was proposed, most cases have remained at the theoretical and experimental stage, and mature practical case studies are lacking. The American threat detection company Threat Stack [2] surveyed more than 200 security, development, and operations professionals from large North American companies and SMEs. The survey results show:
62% of respondents said that DevOps is not conducive to implementing security technology in products
57% of respondents believe that DevOps hinders security best practices
85% of the organizations surveyed believe that closing the gap between DevOps and security should be a major goal for enterprises
62% of developers and operations experts believe that integrating security into DevOps has become a top priority
2. DevSecOps model and best practices
DevSecOps can be depicted as a cycle [3] with continuous monitoring and analysis at its core, iterating rapidly and agilely from development through operations. Secure service delivery begins with development, and the most effective DevSecOps program starts at the initial stage of the development process and advances with the pipeline throughout its life cycle.
Gartner published a detailed analysis of the model in the report DevSecOps: How to Seamlessly Integrate Security Into DevOps [4], released in September 2016, and listed the corresponding best practices:
1. Security controls must be as programmable and automated as possible
The goal of the security architect is to incorporate security controls automatically throughout the entire life cycle, without manual configuration. Security controls must be automated through the DevOps tool chain.
2. Use IAM and role-based access control to provide separation of duties
As more and more new services or products pass through repeated cycles of the DevSecOps iteration, auditors and security architects want to clearly distinguish the responsibilities of each member during the service development and deployment phases. The scope of each member's authority can be managed by linking to the existing IAM system, and different roles can be defined for the development stage, the pre-production stage, and the production stage.
3. Implement simple risk threat model analysis for all applications
Basic risk-based threat modeling should be standard practice for DevSecOps. Starting with a simple questionnaire for developers, the risks of services or products can be assessed at a high level; this should be supported by developer training, communication, and reinforcement of security best practices in everyday coding.
4. Scan custom codes, applications and APIs
When developers write code, it is recommended to use a lightweight code security scanning tool in the integrated development environment (IDE) to check security quickly, similar in function to a spell checker.
Automated scanning tools and security testing software should also be part of the continuous integration (CI) testing tool chain.
5. Scan open source software
Many developers download code from open source repositories such as Maven and GitHub, and often (intentionally or unintentionally) pull in open source components and frameworks with known vulnerabilities.
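The check implied by this practice is software composition analysis: match each pinned dependency against an advisory database and fail the build when a pinned version is below the first fixed version. The example below is added here and is not code from the article; the advisory database, its placeholder advisory identifiers and the package names are all constructed, and a real tool would query a live vulnerability feed instead.

```python
import re
from typing import Dict, List, Tuple

# Constructed advisory data (placeholder IDs, not real advisories):
# package -> list of (advisory id, first fixed version); every earlier version is affected.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "examplelib": [("ADV-0001", "2.4.1")],
    "fastparse": [("ADV-0002", "1.0.9"), ("ADV-0003", "1.2.0")],
}

PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric components padded to four places so '1.2' == '1.2.0' and '1.2' < '1.2.1'.
    Pre-release suffixes such as 'rc1' are ignored (a simplification of PEP 440 ordering)."""
    m = re.match(r"[0-9.]+", version)
    nums = [int(p) for p in m.group(0).split(".") if p][:4] if m else []
    return tuple(nums + [0] * (4 - len(nums)))


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: version} for exact '==' pins; comments and unpinned lines are skipped."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


def check_dependencies(requirements: str, advisories=ADVISORIES) -> List[dict]:
    """One finding per (package, advisory) pair whose pinned version predates the fix."""
    findings = []
    for pkg, version in parse_requirements(requirements).items():
        for adv_id, fixed_in in advisories.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append({"package": pkg, "version": version, "advisory": adv_id, "fixed_in": fixed_in})
    return findings


def unpinned(requirements: str) -> List[str]:
    """Lines that cannot be assessed because they are not pinned to exactly one version."""
    out = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not PIN_RE.match(line):
            out.append(line)
    return out


# Constructed requirements file exercising each outcome.
SAMPLE_REQUIREMENTS = """\
examplelib==2.3.0      # below the 2.4.1 fix
fastparse==1.1.0       # past ADV-0002's fix, still below ADV-0003's
netclient==3.0.0       # nothing in the constructed database
safelib>=1.0           # unpinned: cannot be assessed, reported separately
"""

if __name__ == "__main__":
    for f in check_dependencies(SAMPLE_REQUIREMENTS):
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed_in']})")
    for line in unpinned(SAMPLE_REQUIREMENTS):
        print(f"unpinned, not checked: {line}")
```

Unpinned requirements are reported rather than silently skipped, because an unpinned dependency is exactly the case where a vulnerable version can be pulled in "unintentionally" at build time.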
6. Scan for vulnerabilities and configuration information
When building and integrating packages, scan the entire contents of all images (virtual machine images, Amazon Machine Images, containers, and similar artifacts) to discover vulnerabilities in operating systems, application platforms, and commercial software. The configuration of the operating system and application platform should also be scanned against the security hardening guidelines of industry best-practice standards.
7. Treat Scripts/Recipes/Templates/Layers as sensitive code
Under the concept of "infrastructure as code", the infrastructure is programmable and can be deployed and configured automatically; therefore the security of the infrastructure is programmable too. If the infrastructure is code, the principles of secure coding must also be applied to the Scripts/Recipes/Templates/Layers used for configuration automation, and the security of the infrastructure code base must be guaranteed.
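What "secure coding for templates" looks like in practice, as an added example that is not part of the article: a small linter for one common infrastructure template, the Dockerfile. It parses instructions (including backslash line continuations) and applies rules a reviewer would apply to application code: no credentials in ARG/ENV, a pinned base image, no remote script piped into a shell, and a non-root user in the final stage. The rule names, the regexes and both sample Dockerfiles are constructed for this example, and the assumption that every stage starts as root unless a USER instruction appears is noted in the code.

```python
import re
from typing import List, Tuple

SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")

Instruction = Tuple[int, str, str]  # (line number, INSTRUCTION, arguments)


def parse_dockerfile(text: str) -> List[Instruction]:
    """Split a Dockerfile into instructions, joining backslash line continuations."""
    instructions: List[Instruction] = []
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.strip().split(None, 1)
        instructions.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def lint_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Apply secure-coding rules to the template; returns (line, rule, detail) tuples."""
    findings = []
    instructions = parse_dockerfile(text)
    last_user = "root"
    for no, ins, args in instructions:
        if ins == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform etc.
            image = tokens[0] if tokens else ""
            last_user = "root"  # assumption: a stage starts as root unless USER follows
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append((no, "unpinned-base-image", image))
        elif ins in ("ENV", "ARG") and args:
            tokens = args.split()
            keys = [t.split("=", 1)[0] for t in tokens if "=" in t] or [tokens[0]]
            for key in keys:
                if SECRET_KEY.search(key):
                    findings.append((no, "secret-in-template", key))
        elif ins == "RUN":
            if PIPE_TO_SHELL.search(args):
                findings.append((no, "pipe-to-shell", "remote script executed without verification"))
        elif ins == "USER":
            last_user = args.split(":")[0].strip()
    if instructions and last_user in ("root", "0"):
        findings.append((instructions[-1][0], "runs-as-root", "no USER instruction in final stage"))
    return findings


# Constructed templates: one with three problems, one hardened.
INSECURE_DOCKERFILE = """\
FROM python:3.12-slim
ARG API_TOKEN=abc123
ENV APP_ENV=prod
RUN apt-get update && \\
    curl -fsSL https://example.invalid/install.sh | sh
COPY . /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
ENV APP_ENV=prod
RUN useradd --system --no-create-home app
COPY . /app
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for no, rule, detail in lint_dockerfile(INSECURE_DOCKERFILE):
        print(f"line {no}: {rule} ({detail})")
    print("hardened findings:", lint_dockerfile(HARDENED_DOCKERFILE))
```

Because the template is code, this check belongs in the same place as the application's own static analysis: a pre-commit hook or a CI step on the infrastructure repository, with the same review discipline for changes to it.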
8. Assess system integrity and ensure configuration security
For DevSecOps best practices in the production environment, the first step is to ensure that the systems and services being loaded and run are indeed the expected versions and that their configuration is correct.
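The two checks this practice and practice 6 (scanning configuration against a hardening baseline) call for, combined in one added example that is not code from the article: first, a build-time manifest of artifact hashes is compared against what is actually deployed, reporting modified, missing and unexpected files; second, a service configuration in sshd_config style is compared against a hardening baseline, treating an unset key as a deviation because the daemon's compiled-in default may be the insecure one. The artifacts, the manifest, the host snapshot, the baseline and the configuration file are all constructed for the example, and signing of the manifest is out of scope.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Produced at build time from the artifacts that were actually built and tested."""
    return {path: sha256_hex(content) for path, content in artifacts.items()}


def verify_integrity(manifest: Dict[str, str], deployed: Dict[str, bytes]) -> List[str]:
    """Report artifacts that are modified, missing, or present but absent from the manifest."""
    problems = []
    for path, expected in manifest.items():
        if path not in deployed:
            problems.append(f"missing: {path}")
        elif sha256_hex(deployed[path]) != expected:
            problems.append(f"modified: {path}")
    for path in deployed:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed hardening baseline in sshd_config style ("Key value" lines).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg


def check_config(text: str, baseline=BASELINE) -> List[str]:
    """Every baseline key must be present with the expected value (case-insensitive)."""
    cfg = parse_kv_config(text)
    deviations = []
    for key, want in baseline.items():
        got = cfg.get(key)
        if got is None:
            deviations.append(f"{key}: unset (want {want})")
        elif got.lower() != want.lower():
            deviations.append(f"{key}: {got} (want {want})")
    return deviations


BUILT = {  # constructed artifacts as produced by the pipeline
    "/app/server.bin": b"server v1.4.2\x00\x01",
    "/app/config.yaml": b"listen: 8443\n",
}
MANIFEST = build_manifest(BUILT)
DEPLOYED = {  # constructed snapshot of the host: one binary altered, one file added
    "/app/server.bin": b"server v1.4.2\x00\x02",
    "/app/config.yaml": b"listen: 8443\n",
    "/app/debug.so": b"\x7fELF",
}
SAMPLE_SSHD = """\
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 4
# X11Forwarding intentionally left unset
"""

if __name__ == "__main__":
    print("integrity:", verify_integrity(MANIFEST, DEPLOYED))
    print("config:", check_config(SAMPLE_SSHD))
```

The manifest is the link back to the pipeline: it is generated from the build that passed the earlier scanning stages, so a hash mismatch in production means either an unapproved change or a deployment of something other than what was tested.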
9. Use whitelists on production systems, including container implementations
To prevent intrusions, use whitelists to control which executables are allowed to run on the server: anything not on the list is blocked by default. The whitelist can be extended to cover network connections, user access, administrator access, file system access, middleware/PaaS access, and processes.
10. Assume compromise [5]: monitor comprehensively to enable rapid detection and response
In advanced, targeted attack scenarios, perfect prevention is impossible. Workloads and services must be monitored continuously to discover abnormal behavior that may indicate they have been compromised.
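Practices 9 and 10 fit together: the allowlist decides what may run, and the denied events are exactly the signal continuous monitoring should surface. The example below is added here and is not code from the article; it evaluates process-execution events against a per-role executable allowlist (default deny, including for unknown roles) and aggregates the denied events per user into alerts with a severity that rises on repetition. The log format, the role allowlist, the host name and the sample events are all constructed; a real deployment would consume auditd or eBPF exec events rather than this simple text format.

```python
import re
from typing import Dict, List

# Constructed per-role allowlist of executables on a production web host.
ALLOWLIST: Dict[str, set] = {
    "web": {"/usr/sbin/nginx", "/usr/bin/python3", "/usr/bin/logrotate"},
}

# Constructed event format: "<timestamp> <host> role=<role> user=<user> exe=<path> [args=<args>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) role=(?P<role>\S+) user=(?P<user>\S+) exe=(?P<exe>\S+)(?: args=(?P<args>.*))?$"
)


def parse_event(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines: List[str], allowlist=ALLOWLIST, repeat_threshold: int = 3) -> dict:
    """Return denied events, per-user alerts, and lines the parser could not read.

    An executable not on the host role's allowlist is denied; a role with no
    allowlist entry denies everything (default deny). Unparseable lines are
    reported rather than dropped, since a broken log pipeline is itself a finding.
    """
    blocked, unparseable = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparseable.append(line)
            continue
        allowed = allowlist.get(ev["role"], set())
        if ev["exe"] not in allowed:
            blocked.append(ev)

    per_user: Dict[str, dict] = {}
    for ev in blocked:
        entry = per_user.setdefault(ev["user"], {"user": ev["user"], "count": 0, "exes": set()})
        entry["count"] += 1
        entry["exes"].add(ev["exe"])

    alerts = []
    for entry in per_user.values():
        entry["exes"] = sorted(entry["exes"])
        entry["severity"] = "high" if entry["count"] >= repeat_threshold else "medium"
        alerts.append(entry)
    return {"blocked": blocked, "alerts": alerts, "unparseable": unparseable}


# Constructed sample: normal service activity, then three denied executions by the
# service account, an allowed administrative job, and one corrupted line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 role=web user=www-data exe=/usr/sbin/nginx
2024-05-01T10:00:05Z web01 role=web user=www-data exe=/usr/bin/python3 args=/app/main.py
2024-05-01T10:01:10Z web01 role=web user=www-data exe=/bin/sh args=-c id
2024-05-01T10:01:11Z web01 role=web user=www-data exe=/usr/bin/curl args=-sS http://203.0.113.9/
2024-05-01T10:01:12Z web01 role=web user=www-data exe=/bin/sh args=-c whoami
2024-05-01T10:02:00Z web01 role=web user=root exe=/usr/bin/logrotate
this line is not a valid event
""".splitlines()

if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for ev in result["blocked"]:
        print(f"DENIED {ev['ts']} {ev['user']} {ev['exe']}")
    for alert in result["alerts"]:
        print(f"ALERT [{alert['severity']}] {alert['user']}: {alert['count']} denied, {alert['exes']}")
    print("unparseable lines:", len(result["unparseable"]))
```

The per-user aggregation is what turns a list of blocked executions into something a responder can act on: a web service account that repeatedly tries to start a shell is a far stronger compromise indicator than any single denied event, which is why the severity is driven by the count rather than by the executable name.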
11. Lock in production infrastructure and services
Security architects should work with IT operations to lock down servers and infrastructure, allowing changes only through automated tools.
12. If using containers, recognize and address their security limitations
Containers share the same operating system kernel, so a successful kernel-level compromise affects every container on the host. Therefore, we recommend running only containers of the same trust level together.
13. The bottom line
DevSecOps aims to build DevOps environments for rapid development in which security checks and controls are applied automatically and transparently throughout the development and delivery of the supporting IT services. Secure service delivery starts with development, and the most effective DevSecOps program starts at the earliest point in the development process and follows the entire life cycle. In the long run, automate security controls as much as possible to reduce the likelihood of misconfiguration, errors, and mismanagement.
3. DevSecOps focus
1. The difference between DevSecOps and traditional security
DevSecOps emphasizes that security is the responsibility of everyone in the IT team (including the development, operations and maintenance, and security teams); it injects security at multiple points across the entire development and operations life cycle, moving security considerations forward to the development phase; and it integrates security into the process of developing and delivering IT services in a programmable and automated way [6].
2. Nine key factors in DevSecOps practice
Larry Maccherone, Comcast's DevSecOps transformation lead, put forward nine key factors for practicing DevSecOps.
Figure: Maccherone's nine practical elements of DevSecOps, where "yellow belt" represents how to respond to common threats to protect customers and the brand, and "green belt" represents software, network, system administrators, and database administrators.
Among them, security awareness, team working agreements, peer review, and security assessment all emphasize the organization's acceptance of DevSecOps and security awareness across the corporate culture, which are important factors in the practice of DevSecOps. Technology can integrate security into the DevOps process, but it is people, process, and culture that make DevSecOps the norm.