How DevOps Professionals Become Cyber Security Champions?

Security is a misunderstood element in DevOps. Breaking the information island and becoming an advocate of cybersecurity will have a beneficial impact on you, your career, and your business organization.

Security is a misunderstood element in DevOps. Some people think that it is not within the scope of DevOps' authority, while others think it is important enough (and often overlooked), so it is recommended that you use DevSecOps instead. However, no matter which party you agree with, the obvious fact is that cyber security affects each of us.

Every year, the statistics on attacks are always shocking. For example, a hacker attack occurs every 39 seconds, which may result in the theft of log records, identity information, and proprietary items you have written for the company. Your security team may take several months (or you may never even find it) to discover the identity of the hands behind the scene, what you lost, where it was breached, and when it was breached.

Faced with these difficult problems, what should the operations experts do? In my opinion, it is time for us to become a champion of cyber security and become part of the solution.

Break the barriers: let the departments do not tear

In the decades of working side by side with the IT security team, I noticed a lot of things. A big problem is that the relationship between DevOps and the security team is usually straightforward. The reason for this is that this tension is almost always due to the efforts of the security team to protect the system and prevent vulnerabilities (for example, setting access control or disabling something), and these efforts will interrupt the work of DevOps and hinder its rapid The ability to deploy applications.

For this, I believe everyone should have experienced or seen it. A small amount of resentment eventually burned the bridge of trust between the two parties, either it took a while to repair, or a small battle for land between the two groups, this result will make DevOps implementation more difficult.

Container scanning tool:

Anchore Engine-Anchore is a security scanning tool for containers. It can statically scan the vulnerability of application containers, and supports whitelist/blacklist and evaluation strategy settings.

Clair——Clair is a security scanning tool for containers launched by coreos. It can statically scan the vulnerability of application containers, and supports APPC and DOCKER.

Vuls——Vuls is a vulnerability scanner for Linux/FreeBSD. It is agentless and written in Go. It can notify users of system-related vulnerabilities; notify users of affected servers; automatically perform vulnerability detection; use CRON or Other methods regularly generate reports; manage vulnerabilities, etc.

OpenSCAP-OpenSCAP is led by Redhat. It is an open source framework that integrates all the standards in SCAP. It provides a simple and easy-to-use interface for SCAP users. OpenSCAP implements the analysis of the SCAP data format and the system information probes used to perform inspection operations. It enables SCAP adopters to focus on business implementation rather than dealing with some cumbersome underlying technologies. At present, the latest version of OpenSCAP fully supports all the standards in the SCAP 1.0 specification.

Code scanning tool:

OWASP SonarQube-SonarQube is an open source code analysis platform used to continuously analyze and evaluate the quality of project source code. Through SonarQube, we can detect issues such as duplicate code, potential bugs, code specifications, and security vulnerabilities in the project, and display it through the SonarQube web UI.

Find Security Bugs-Find Security Bugs is a FindBugs plugin for auditing Java Web applications and Android applications.

Google Hacking Diggity Project-Google Hacking Diggity Project is a toolset project that uses search engines (such as Google, Bing) to quickly identify system weaknesses and sensitive data.

Kubernetes security tools:

Project Calico-Calico provides a secure network connection for container and virtual machine workloads. It can create and manage a 3-layer flat network, assigning a fully routable IP address to each workload. Workloads can communicate without IP encapsulation or network address translation to achieve bare metal performance, simplify troubleshooting, and provide better interoperability.

Kube-hunter——Kube-hunter is a tool launched by Aqua. Kube-hunter can be used for free Kubernetes environment penetration test. On the Kube-hunter webpage, the system will list the vulnerabilities and severity of the user environment. And a description of the problem. Using URLs, corporate users can also share scan results with other members of the organization.

NeuVector-Neuvector can provide continuous runtime protection for hosts and pods. It can protect containers from security vulnerabilities by scanning Kubernetes clusters, nodes, pods, and container images.

Keep your DevOps attitude
If you are in a position related to DevOps, then learning new technology and how to use this new technology to create new things is part of your job. Security is the same. In terms of DevOps security, I always keep pace with the development of the times.