A week ago, I received an email from a web hosting company informing me that my account had been compromised in a data breach. I wasn't too alarmed since the website was no longer active — until I saw that the password associated with that account had been exposed.
My email was also exposed, so this could give a hacker enough pieces to access social media, banking, and other accounts. Fortunately, I was using unique, strong passwords for all my accounts, so while one password was exposed, it gave hackers no backdoors into the rest of my online presence. The feeling of relief when I cross-checked the compromised password and confirmed it didn't match any others was palpable.
This is a real-life scenario where different security strategies support each other. First, the internet hosting company detected the breach. Second, it identified affected users and alerted them to the issue — otherwise, these individuals would not know there's anything wrong and would not have the opportunity to proactively update passwords for other accounts. Finally, I had practiced good password security, so the breach did not cause additional problems.
Of course, this all occurred because of the failure of one security strategy, but imagine how much worse this situation would be if the company did not have any mitigation strategies in place.
Good security strategies are crucial for every part of an organization. For companies that have adopted a DevOps model, security is even more critical to protecting both the organization and the customers who use their products.
We'll dive into DevOps security, its benefits, and best practices in this post.
What is DevOps security?
DevOps security is an approach to DevOps that focuses on cybersecurity at every stage of the lifecycle. Through a combination of practices, culture, and tools, DevOps security strategies harden the DevOps environment. This includes the software delivery pipeline the team works in, the product's source code, and the operational environment where the product is deployed.
Now that we know what DevOps security is, let's examine a frequent misconception about the relationship between DevOps and cybersecurity.
A Common Myth for DevOps and Security
One of the main benefits of the DevOps model is its emphasis on speed: speed of delivery, speed of handoffs, speed of updates. Given that focus, some teams might view security as a roadblock to this momentum. This is naturally a concern for security teams that worry cybersecurity will be pushed to the wayside in favor of rapid iterations.
However, a wider view provides us with a counterpoint. Though it may seem like slowing down the process to consider cybersecurity concerns earlier in the pipeline, it will pay dividends later when the testing and deployment phases are cleared quickly. Another fundamental value of DevOps is the "shift left" testing approach, and this applies to security as well.
Testing code against security standards during the development phases means the application will be more secure from the foundation up. This approach also allows the team to discover vulnerabilities and bugs sooner. The delays needed to fix an application in production will cost more time than earlier fixes given the complexity of correcting errors in a fully integrated system versus individual software modules.
How DevOps Improves Security
Integrating security into DevOps leads to a faster overall delivery time by accounting for this primary concern from the start instead of only during the testing phase. This is one of several ways that DevOps and security complement each other. We'll cover the others below.
Faster Time to Vulnerability Resolution
If a vulnerability is identified once the application is in production, the DevOps model enables the team to quickly address it. The longer a vulnerability exists, the more likely a bad actor will discover it and exploit it.
The payoff of having an agile development strategy is the ability to remove exploits rapidly.
Increased Communication Between Development, Operations, and Security
A core value of DevOps is communication and collaboration. This culture applies from the engineers' daily work up to the relationships between the development, operations, and security teams. By working together instead of in siloes, each team's concerns can be weighed from the planning phase onward in the DevOps pipeline.
The result is better information sharing between the security experts and the DevOps team. For example, the security team can recommend against using certain technologies that have known vulnerabilities.
Continuous Improvement
Another core value of DevOps is the Continuous Integration/Continuous Deployment (CI/CD) approach. This strategy emphasizes iterative releases and a constant focus on improvement instead of declaring a product "finished" after a certain benchmark.
The team is always seeking new features and technologies to improve the software's performance, resilience, and security. This focus means that DevOps teams are much more likely to adopt new approaches that address the latest threats. In short, the strategy has shifted from reactive to proactive.
Fewer Surprises After Deployment
The DevOps model's focus on testing as early as possible naturally complements security. After all, stronger code is easier to secure and more resilient to external interference. Additionally, adding security to your tests will ensure that the application's defenses are stronger moving into production. All of these activities lead to fewer surprises after deployment, which cost your team more time and money, as we've covered previously.
By focusing on the DevOps security best practices outlined below, your team can enjoy these benefits on top of delivering a more secure product to the customer and safeguarding your own environment.
DevOps Security Best Practices
- Set governance policies.
- Segment your network.
- Automate your DevOps security processes.
- Perform continuous discovery.
- Conduct vulnerability management.
- Adopt configuration management.
- Use password management.
- Implement version control.
- Conduct regular security audits.
- Adopt a DevSecOps approach.
1. Set governance policies.
Having clear and transparent governance policies is the first step to achieving better security in your DevOps model. Employees are a critical component in security from compliance to enforcement, and providing clear guidelines empowers them to make better decisions and raise flags when they identify issues.
These policies should be a reflection of your organization's larger best practices so that the software your team creates meets your company's internal security requirements.
2. Segment your network.
Don't give an attacker lateral access to your DevOps team's technology stack if they infiltrate your network. Deployed software should be on a separate network to avoid providing a backdoor to bad actors that infiltrate your application. By segmenting your network into logical units, you limit the damage an attacker can do and make it easier to isolate an intruder. If you need to share resources between segments, implement a zero-trust approach so that any requests need to be authenticated before granting access.
3. Automate your security processes.
Automation is crucial to achieving the scale and speed promised by a DevOps model. Your approach to DevOps should follow the same logic.
DevOps tools can automate code analysis during the build and testing phases. Infrastructure tools can automate configuration management using Infrastructure as Code practices. Security tools also power the monitoring phase by flagging potential threats and instantly responding to prevent further damage. Automated processes allow your security practices to move at the speed of the DevOps lifecycle.
4. Perform continuous discovery.
Just as the DevOps model emphasizes continuous improvement, continuous discovery is critical for DevOps security. Cataloging all devices, tools, and accounts on the network is the first step to ensuring access is only provided to authorized assets. This monitoring process must be constant to account for real-time changes in the system. If you can't see it, you can't validate it.
5. Conduct vulnerability management.
Vulnerabilities are a major focus for DevOps security. The worst possible outcome is that the software is deployed to the customer with an existing vulnerability that a bad actor is then able to exploit. DevOps teams can remediate this by conducting vulnerability assessments to identify potential exploits. They are then able to evaluate these results with penetration testing to determine which are false positives and which are real openings in the application to address.
6. Adopt configuration management.
Just as vulnerabilities in the software's code are a potential attack surface, so too are configuration errors in the software's infrastructure. Continuous scans can identify and remediate misconfigurations in the application environment. These should be conducted across physical, virtual, and cloud servers to eliminate blind spots.
7. Use password management.
Passwords are crucial and often a weak point of security. Requiring strong passwords and frequent changes will harden this dimension of your security. To ease employees' frustration from having to remember multiple complicated phrases, password managers allow your team to house information in one central location where it's encrypted to prevent theft.
8. Implement version control.
Version control allows you to set permissions for review and approval of new code before it's committed. This is a natural point for developers to review additions and ensure they meet security standards and policies. This strategy also prevents the intentional introduction of vulnerabilities because changes to the source code are restricted.
GitHub is a popular code repository that allows teams to restrict access to the main branch.
9. Conduct regular security audits.
Security audits are a comprehensive review of an organization's current security practices versus its policies. Just as your company should conduct these evaluations on an annual or semi-annual basis, you should conduct these within your DevOps team to identify areas of success and space for improvement. This will provide a big picture view of your team's security stance and provide you with data to set benchmarks and measure progress toward goals.
10. Adopt a DevSecOps approach.
If the best practices we've covered so far seem like a lot for your team to tackle in addition to their daily work, you aren't alone. DevSecOps has emerged as an evolution of DevOps security that directly integrates the security team into the DevOps process. You are now able to leverage the security experts to inform your decisions and strategies.
This does not replace the need for your team to embrace security best practices. Instead, DevSecOps adds another safeguard to your DevOps model on top of the efforts of your development and operations teams.
Take your DevOps security approach to the next level.
As the Chinese proverb says, "The best time to plant a tree was 20 years ago. The second best time is now."
Returning to our opening example, I am thankful that I knew enough of security best practices to have implemented a unique password back in the day. But if I hadn't, the best thing I could do is start now by changing the passwords of any other accounts that shared that email and password combination.
Whether you choose to adopt a full DevSecOps approach or try to incorporate more security into your existing DevOps model, the most important next step you can take is to make security a priority for your team in every stage of the pipeline. Like the DevOps model as a whole, focusing on continuous improvements to existing practices will lead to quick wins and a stronger stance over time.