The origin of DevSecOps
DevOps in the traditional sense is only a collaboration between development, testing, and operations; security is left out. With the rapid development of cloud computing and big data, frequent delivery has become a double-edged sword: continuously delivering on customer needs inevitably brings more risk. Many security and compliance monitoring tools have not kept up with the rapid pace of iteration, so security has become a key part of the development strategy of major enterprises.
Gartner first proposed the concept of DevSecOps in a 2012 report, which advocated that information security professionals become more actively involved in DevOps practice. In the following years, Gartner continued to include various security technologies among the top technologies it favors, repeatedly emphasizing the importance of DevSecOps.
According to a 2018 survey by the DevSecOps community, enterprises with a higher degree of DevOps maturity are 338% more likely to integrate security into the software development lifecycle than companies that have not implemented DevOps, and investment in automated application security analysis increased by 15% compared with 2017. The survey also shows that 31% of the surveyed enterprises found vulnerabilities related to open source components or dependencies in the past 12 months, yet fewer than half of them keep a clear and complete inventory of the open source or third-party components they use.
It can be seen that although enterprises with high DevOps maturity have begun to integrate some security monitoring, only a few have implemented it successfully. How to start integrating information security into the full software development life cycle has become the focus of enterprises.
SecDevOps, DevSecOps, DevOpsSec, Rugged DevOps: hard to tell apart
Taken literally, integrating security into DevOps has several different readings: SecDevOps, DevSecOps, DevOpsSec, and Rugged DevOps. What is the difference between them?
SecDevOps: information security is considered up front. Security requirements are considered before the project starts, vulnerability screening is completed alongside coding, security is integrated into the continuous integration and continuous deployment pipeline, and a security test set is built into the automated test suite to ensure information security throughout the product life cycle.
DevSecOps, the term proposed by Gartner: taken literally, information security is considered in the middle. Security sits between the completion of development and deployment and release. Not enough security measures are added during the development phase, and product security relies more on subsequent automated security testing.
DevOpsSec: taken literally, security is considered afterwards. Security checks are conducted after the entire product development cycle ends, and vulnerabilities are repaired in time.
Rugged DevOps is a software development method that gives priority to the security of code throughout the software development life cycle, and is more common in software development for cloud environments.
The author believes there is no need to struggle over the literal meaning of these readings. Embedding security development best practices into each stage of the development process, treating security solutions as part of the core development process, integrating them into continuous delivery in an automated manner, and giving every member of the software development life cycle sufficient security awareness: this is what secure DevOps is concerned with. Currently, DevSecOps is the most common of these terms in online searches.
Integrate security into DevOps
At present, the ratio of development, operations and security staff in most enterprises is 100:10:1; security personnel amount to only one percent of developers. Compared with development engineers, network engineers, operations personnel, and QA, security personnel face relatively high requirements: they need to be cross-disciplinary and have a broad knowledge base to be competent. It is obviously not feasible to achieve DevSecOps by raising the ratio of security personnel. The most important thing is to give every R&D and operations engineer security awareness, so that each of them can become a security expert. You can start from the following aspects.
The success of DevOps is inseparable from the cooperation between development, testing and operation and maintenance, and the identification of security vulnerabilities and potential risks is also inseparable from the cooperation of all participants. Companies must first change the underlying culture of DevOps, integrate security into the continuous delivery feedback loop, and ensure that security is as tightly integrated as other software development considerations.
Start security design at the very source of software development: incorporate security practices into the software framework design, build a threat model at the function or service level, discover potential threats in the system in time and seek solutions, and use the features of the application framework and security library to prevent vulnerabilities such as injection attacks.
According to the 2018 DevSecOps community survey, 48% of enterprises understand and pay attention to the importance of security in the R&D process, but do not have much time or energy for security inspection, which shows how important it is to implement automated security strategies. Automation is a necessary condition for the DevOps continuous delivery pipeline. When the security strategy is integrated into the continuous integration and continuous delivery pipeline as part of the standard workflow, development engineers do not need to spend extra time and energy on security checks such as automated vulnerability management and automated compliance scanning.
Ensure the transparency of problems so that each team member understands what is happening, and actively share security knowledge, newly found security vulnerabilities, and the use of security tools with the team to prevent similar problems in advance.
There are currently many open source tools covering the whole software development life cycle, from source code analysis to continuous security monitoring after deployment. For example, use static application security testing tools to scan source code and binary files and provide timely feedback, and use dynamic application security testing tools to test whether known vulnerabilities exist in the running application.
As attack methods evolve, security technology is constantly upgraded as well, which requires continuous improvement of security and continuous adjustment to change. The DevOps model is a closed feedback loop from requirements to product launch. It continuously monitors and feeds back every defect and vulnerability in the production process, and uses this data for continuous learning and improvement, continuously providing insight into potential security risks.
Carry out security practice training to improve team members' security awareness and security culture and help them use and operate security tools more proficiently; and give team members enough autonomy to ensure they can make necessary decisions and keep improving based on the problems found.
Key technologies for realizing DevSecOps
Before integrating security inspection into continuous delivery, you need a clear understanding of the following: the current workflow, which tools the DevOps continuous delivery pipeline uses, how source code and components are stored, the steps before and after code commit, how code moves from commit to testing, how code is deployed to the production environment, what tests the product has undergone, and which stages already have security monitoring integrated.
Knowing the above, we next need to analyze how to integrate security inspection and security control at each stage, mapping security inspection into the design, commit, build, test, and deployment workflows so that the product is delivered in a safe and reliable manner.
Design and coding stage
Security moves forward, entering the design and coding phase earlier: security is integrated into the framework design, and security verification is performed in a way that is almost invisible to developers, allowing them to easily write secure code. In the coding stage, close cooperation between security personnel and developers is required; by applying strong application security knowledge and software design skills, security protection is built into the development framework in a safe and easy-to-use manner.
Security checks and controls suitable for addition to the design and coding phase include the following.
One is to build a secure-by-default development environment. Parameterized queries to prevent SQL injection, the output encoding the application needs to protect against XSS attacks, secure HTTP headers, simple and secure authentication, and similar security functions can all be integrated into the default development framework.
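The three secure-by-default pieces named above, as an added example that is not part of the original article and does not describe any particular framework: a parameterized query beside the string-built query it replaces, framework-level output encoding, and a default header set applied to every response. The demo table, the probe input and the helper names are all constructed for this illustration.

```python
import html
import sqlite3

# Constructed in-memory table for the demo (not real application data).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_unsafe(conn, name):
    # Anti-pattern: untrusted input is spliced into the SQL text, so it can
    # change the query's structure instead of acting as a plain value.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Framework default: parameterized query. The driver sends the value
    # separately from the SQL, so it can never become SQL syntax.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()

def render_greeting(name):
    # Output encoding done once by the framework, not by each developer:
    # markup in the untrusted value is rendered as text, not interpreted.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# Secure HTTP headers the framework attaches to every response by default.
DEFAULT_SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def build_response(body, content_type="text/html; charset=utf-8"):
    # Returns (headers, body); a real framework would write these to the socket.
    headers = dict(DEFAULT_SECURITY_HEADERS)
    headers["Content-Type"] = content_type
    return headers, body

if __name__ == "__main__":
    db = make_demo_db()
    probe = "nobody' OR '1'='1"          # constructed input that is not a real name
    print("unsafe:", find_user_unsafe(db, probe))   # returns every row
    print("safe:  ", find_user_safe(db, probe))     # []
    print(render_greeting("<b>x</b>"))
```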
The second is to establish lightweight, iterative threat modeling and risk assessment: find software security issues from the attacker's perspective, conduct risk assessment in advance, build security in during the software design stage, and identify flaws in application design and architecture more effectively.
The third is IaC (Infrastructure as Code). By defining the infrastructure in source code, the infrastructure itself, its tools and its management are treated as a software system; security policy is programmed directly into the configuration and continuously verified and changed through the same kind of continuous delivery pipeline, so that vulnerabilities can be fixed quickly and safely when security problems are discovered.
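A policy-as-code check of the kind the IaC paragraph describes, as an added example that is not from the original article: a small set of rules evaluated against a constructed Terraform-style JSON definition, returning findings that would fail the pipeline stage. The resource definition is a simplified, made-up shape (the `server_side_encryption` boolean in particular is a simplification), and the rule names and thresholds are this example's own assumptions.

```python
import json

# Constructed Terraform-style JSON; resource names and settings are made up
# for this demo and do not describe real infrastructure.
INFRA_JSON = """
{"resource": {
  "aws_security_group": {
    "web":   {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]},
    "admin": {"ingress": [{"from_port": 22,  "to_port": 22,  "cidr_blocks": ["0.0.0.0/0"]}]}
  },
  "aws_s3_bucket": {
    "logs":        {"acl": "private",     "server_side_encryption": true},
    "public_dump": {"acl": "public-read", "server_side_encryption": false}
  }
}}
"""

ADMIN_PORTS = (22, 3389)   # SSH and RDP: never reachable from the whole internet

def check_security_groups(groups):
    findings = []
    for name, sg in groups.items():
        for rule in sg.get("ingress", []):
            wide_open = "0.0.0.0/0" in rule.get("cidr_blocks", [])
            hits_admin = any(rule["from_port"] <= p <= rule["to_port"] for p in ADMIN_PORTS)
            if wide_open and hits_admin:
                findings.append(("aws_security_group", name, "admin port open to 0.0.0.0/0"))
    return findings

def check_buckets(buckets):
    findings = []
    for name, bucket in buckets.items():
        if bucket.get("acl", "private") != "private":
            findings.append(("aws_s3_bucket", name, "non-private ACL"))
        if not bucket.get("server_side_encryption", False):
            findings.append(("aws_s3_bucket", name, "encryption at rest disabled"))
    return findings

def evaluate_policy(text):
    # Policy as code: every rule runs on every change; a non-empty list of
    # findings fails the stage before the change reaches production.
    res = json.loads(text).get("resource", {})
    return (check_security_groups(res.get("aws_security_group", {}))
            + check_buckets(res.get("aws_s3_bucket", {})))

if __name__ == "__main__":
    for finding in evaluate_policy(INFRA_JSON):
        print("FAIL:", *finding)
```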
The fourth is to implement code dependency checking, such as using open source inspection tools for dependency checking, to help discover security vulnerabilities.
Fifth, peer code review. When conducting security management in the software development process, people often focus on external security threats, such as network penetration and hacker attacks, but ignore internal security threats. Peer code review draws on the rich programming experience of peers to discover common errors such as lapses in defensive coding, reduces the risk of internal threats in the code, and improves the overall quality of the code.
Commit stage
Security checks in the commit phase are integrated into the continuous delivery pipeline and are generally triggered automatically by code updates. After the code is committed and built, automated tests run and quickly return their results. Five types of security checks are suitable for inclusion at this stage.
One is code compilation and build inspection: establish a strictly enforced quality gate and organization-level code quality specifications to ensure that these regular steps produce no errors or warnings and that no new ones are introduced.
The second is to add software composition analysis (SCA) to the build to automatically identify possible compliance issues and security risks in third-party components. It can also identify the version of each component and confirm whether it needs to be updated.
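The dependency check from the design-and-coding section and the SCA step here are the same mechanism, so one added example serves both (it is not from the original article and does not reproduce any specific SCA tool): a pinned requirements file is parsed, each pin is matched against an advisory feed using the half-open range introduced <= version < fixed, and a gate blocks the build on high-severity hits. The package names, versions and advisory identifiers are all constructed placeholders.

```python
# Constructed requirements file in pip's pinned "name==version" style; the
# package names and versions are made up for this demo.
REQUIREMENTS = """\
# application dependencies
WebFrame==2.3.1
yamlparse == 4.9.0
imagelib==1.2.0
"""

# Constructed advisory feed. A package is affected when
# introduced <= version < fixed (the half-open range, so the fixed version is clean).
ADVISORIES = [
    {"package": "yamlparse", "introduced": "0", "fixed": "5.0.0",
     "id": "ADVISORY-ID-PLACEHOLDER-1", "severity": "high"},
    {"package": "imagelib", "introduced": "1.0.0", "fixed": "1.2.0",
     "id": "ADVISORY-ID-PLACEHOLDER-2", "severity": "medium"},
]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def parse_requirements(text):
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"unpinned dependency: {line!r}")  # SCA needs exact versions
        deps[name.strip().lower()] = version.strip()
    return deps

def find_vulnerable(deps, advisories):
    hits = []
    for adv in advisories:
        version = deps.get(adv["package"])
        if version is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
            hits.append({"package": adv["package"], "version": version,
                         "advisory": adv["id"], "severity": adv["severity"],
                         "fixed_in": adv["fixed"]})
    return hits

def build_passes(hits, fail_on=("high", "critical")):
    # Pipeline gate: any advisory at or above the threshold blocks the build.
    return not any(h["severity"] in fail_on for h in hits)
```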
The third is integrated unit testing, ensuring at least 80% code coverage.
The fourth is to sign binary files and use a single, secure repository to ensure the consistency of the files.
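Artifact signing and verification as the step above describes it, as an added example that is not from the original article: the build stage signs a digest of the binary and stores the manifest beside it in the repository, and the deploy stage refuses anything whose bytes, name or signature no longer match. The key and the sample bytes are constructed; HMAC is used only because it is in the standard library, as a stand-in for an asymmetric signature scheme.

```python
import hashlib
import hmac

# Constructed signing key. It stands in for the build system's signing key;
# a real pipeline would use an asymmetric scheme so that consumers hold only
# the public key. HMAC is used here because it needs no extra library.
SIGNING_KEY = b"demo-build-signing-key-not-for-real-use"

def artifact_digest(data):
    return hashlib.sha256(data).hexdigest()

def sign_artifact(name, data, key=SIGNING_KEY):
    # The manifest is stored next to the binary in the artifact repository.
    digest = artifact_digest(data)
    message = f"{name}:{digest}".encode()
    sig = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"name": name, "sha256": digest, "sig": sig}

def verify_artifact(manifest, data, key=SIGNING_KEY):
    # The deploy stage recomputes digest and signature; any mismatch means
    # the binary or its manifest was altered after the build signed it.
    if artifact_digest(data) != manifest["sha256"]:
        return False
    message = f"{manifest['name']}:{manifest['sha256']}".encode()
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["sig"])

if __name__ == "__main__":
    blob = b"\x7fELF constructed binary bytes"       # constructed sample artifact
    manifest = sign_artifact("service-1.4.2.bin", blob)
    print(manifest)
    print("intact:", verify_artifact(manifest, blob))
    print("tampered:", verify_artifact(manifest, blob + b"x"))
```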
Fifth, run static application security testing (SAST) and incremental scans to find possible security vulnerabilities by scanning source code and binaries. A full SAST run usually takes a long time; incremental scans test only the changed code, run quickly, and are better suited to the continuous delivery pipeline.
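An incremental scan of the kind just described, as an added example that is not from the original article and is not any particular SAST tool: only the lines a commit adds are examined, read out of a unified diff with their new-file line numbers, and a few deliberately simple pattern rules run over them. The diff, the file paths, the code in it and the rule names are all constructed for this demo.

```python
import re

# Constructed unified diff for one commit (paths and code are made up for the demo).
DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,2 +10,3 @@ def lookup(conn, user):
-    return conn.execute("SELECT * FROM t WHERE u = ?", (user,))
+    password = "hunter2"
+    return conn.execute("SELECT * FROM t WHERE u = '" + user + "'")
     conn.commit()
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -1,1 +1,2 @@
 import subprocess
+subprocess.run(cmd, shell=True)
"""

# Detection rules applied only to added lines; the patterns are intentionally simple.
RULES = [
    ("string-built-sql", re.compile(r"""execute\(.*["']\s*\+""")),
    ("hardcoded-secret", re.compile(r"""(?i)\b(password|secret|token)\s*=\s*["']""")),
    ("shell-true", re.compile(r"shell\s*=\s*True")),
]

def added_lines(diff_text):
    # Yields (path, line number in the new file, code) for every '+' line.
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            lineno = int(re.search(r"\+(\d+)", raw).group(1))   # new-file start line
        elif raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif not raw.startswith("-"):
            lineno += 1          # unchanged context lines also advance the new file

def scan_diff(diff_text):
    # Incremental scan: only code introduced by this change is examined.
    return [(path, lineno, rule)
            for path, lineno, code in added_lines(diff_text)
            for rule, pattern in RULES if pattern.search(code)]

if __name__ == "__main__":
    for path, lineno, rule in scan_diff(DIFF):
        print(f"{path}:{lineno}: {rule}")
```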