DevSecOps is the way to move forward…

Security vulnerabilities have always been a challenge in software development, and many times we fail to completely secure the production environment, leaving it open to attack.

In the DevOps and cloud-native world, the onus of security falls on everyone in the software development life cycle (SDLC). The development culture is therefore shifting so that security is considered at every stage of the CI and CD pipeline. In short, DevSecOps extends the DevOps philosophy to incorporate security objectives. Extending DevOps processes and practices to address security is an evolutionary step, not a revolutionary one.

DevSecOps introduces security activities early in the software development life cycle, where security issues can be identified and resolved during application development, with the development team performing security tasks independently. This approach always helps to prevent security vulnerabilities in the production environment, which drastically reduces the cost of fixing flaws after release. Automated security measures can be built into every stage of the CI/CD pipeline so that security is analyzed at every stage and no weak spot is bypassed.

Key elements for implementing DevSecOps

Below are some of the key elements:

  1. Application Security Analysis
  2. Infrastructure Security
  3. Container/Pod Security
  4. Identity & Access Management
  5. Network Segmentation and Control
  6. Data Encryption & Protection
  7. Auditing, Monitoring and Alerting

Application Security Analysis

To identify security vulnerabilities early in the SDLC and eliminate them before they become too big and complex to fix, the following methods, tools and technologies should be used:

  • Static Application Security Testing (SAST) – analyzes source code to identify code quality issues, known vulnerabilities and non-secure coding practices being followed in the SDLC.
  • Software Composition Analysis (SCA) – analyzes whether third-party or open source packages and their dependencies have any known security vulnerabilities or potential open source license conflicts.
  • Dynamic Application Security Testing (DAST) – analyzes applications at run time for security vulnerabilities and potential attacks.
  • Interactive Application Security Testing (IAST) – analyzes application structure to detect vulnerability conditions and attack vectors in compiled applications. It sits between SAST and DAST.
  • Threat Modelling – helps to predict, detect and analyze security threats by identifying the attack surface.

Infrastructure Security

DevSecOps relies on detecting configuration issues that lead to security vulnerabilities across the IT environment. Modern automation methods like configuration management (CM) and Infrastructure as Code (IaC) help automate the deployment of resources in tested, secure configurations that will not create security vulnerabilities. They take the form of templates that define how the environment should be deployed, and resources are provisioned automatically based on the template.

Container/Pod Level Security

Containers and pods are key resources in modern DevOps processes, so it is extremely important to consider security at the container or pod level. Below are the key measures to consider for container/pod security:

Image Scanning – Docker or other container images can contain many outdated software components with security vulnerabilities, so it is imperative to do image scanning and recovery at every stage of the CI/CD pipeline. Industry-standard image scanning tools such as Clair, Trivy and Prisma Cloud can be used for this purpose.

Minimize the footprint of base images – to reduce the attack surface, minimize the number of files and components in a container or pod. The base image should contain only the minimal libraries and config files the container needs to function.
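For the image-scanning measure above, a pipeline step can turn a scanner report into a pass/fail decision. The following is an added example, not code from the original post: the report layout is modelled on the JSON report Trivy produces (`Results`, `Vulnerabilities`, `Severity`, `FixedVersion`), while the sample report, the placeholder finding IDs, the allowlist and the policy of deferring findings that have no fixed version are assumptions made for illustration.

```python
import json

# Severity ranking used for the threshold comparison.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report (placeholder IDs, not real advisories).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example/app:1.0",
    "Results": [
        {"Target": "app (debian)", "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "openssl",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "zlib",
             "InstalledVersion": "1.2", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "bash",
             "InstalledVersion": "5.0", "FixedVersion": "5.1", "Severity": "LOW"},
        ]},
        # A target with no findings may carry a null or missing list.
        {"Target": "requirements.txt", "Vulnerabilities": None},
    ],
})


def gate(report_json, threshold="HIGH", allowlist=frozenset()):
    """Return (passed, blocking, deferred) for one scan report."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    blocking, deferred = [], []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0)
            if rank < floor or vuln["VulnerabilityID"] in allowlist:
                continue
            # Assumed policy: a finding with no fixed version cannot be cleared
            # by a rebuild, so it is reported but does not block the pipeline.
            (blocking if vuln.get("FixedVersion") else deferred).append(
                (result["Target"], vuln["VulnerabilityID"], vuln["Severity"]))
    return (not blocking, blocking, deferred)


if __name__ == "__main__":
    passed, blocking, deferred = gate(SAMPLE_REPORT)
    for target, vid, sev in blocking:
        print(f"BLOCK {sev:8} {vid} in {target}")
    for target, vid, sev in deferred:
        print(f"WARN  {sev:8} {vid} in {target} (no fix available)")
    raise SystemExit(0 if passed else 1)
```

Run as a pipeline step, the non-zero exit status stops the build; allowlisted IDs should be reviewed periodically so accepted risks do not become permanent.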

Identity & Access Management (IAM)

IAM must govern access to all aspects of the DevOps environment at every stage of the SDLC. This prevents unauthorized access to sensitive data and blocks further suspicious activity. IAM must include:

  • Authentication Controls: to identify a user or application
  • Authorization Controls: to grant a user access to specific resources only
  • Role Based Access Control (RBAC): to provide a group of users access to a resource or function based on their responsibilities or collective permissions
  • Hardware Security Modules (HSM): to protect and manage secrets such as credentials, certificates and keys, both at rest and in transit
  • Identity Providers (IdP): to manage user authorization
  • Secret Vaults: to ensure only authorized users can access them
  • Container image signing: to validate the authenticity of container images and establish trust

Network Segmentation & Control

It is important to isolate tenants and secure the flow of communication between the elements of containerized applications and microservices. This helps ensure that an attack on any one of these isolated environments will not affect the others. Ingress and egress traffic at the cluster level should be controlled at the load balancer level. Creating different network zones, such as an exposed zone, a non-exposed zone and a secured zone, helps keep sensitive data in the secured zone, the application cluster in the non-exposed zone and user access from the public network in the exposed zone.

Data Encryption & Protection

Use the correct data encryption mechanism to keep data protected at all times, whether at rest or in transit. Detecting and classifying sensitive data to improve regulatory compliance should be a default practice. Data masking techniques like data anonymization and pseudonymization help provide realistic data for development and testing environments, without risking production data.
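One way to pseudonymize records for a test environment, shown as an added example that is not part of the original post: direct identifiers are replaced with keyed HMAC-SHA256 tokens, so the same customer maps to the same token in every table and joins still work. The table layout, field names, sample rows and demo key are constructed for illustration.

```python
import hashlib
import hmac


def pseudonym(value, key, length=16):
    """Keyed, deterministic token: same input and same key give the same token."""
    normalized = str(value).strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:length]


def mask_customer(row, key):
    """Replace direct identifiers; keep non-identifying fields as they are."""
    return {
        "customer_id": "c_" + pseudonym(row["customer_id"], key),
        "email": "u_" + pseudonym(row["email"], key) + "@example.invalid",
        "name": "REDACTED",
        "country": row["country"],
    }


def mask_order(row, key):
    """Orders carry the same customer_id token, so joins still work."""
    return {
        "order_id": row["order_id"],
        "customer_id": "c_" + pseudonym(row["customer_id"], key),
        "total": row["total"],
    }


# Constructed sample data (not real records).
CUSTOMERS = [{"customer_id": 1001, "email": "Alice@Corp.example",
              "name": "Alice A", "country": "IN"}]
ORDERS = [{"order_id": 1, "customer_id": 1001, "total": 49.5},
          {"order_id": 2, "customer_id": 1001, "total": 12.0}]
# Assumption: in practice the key is held in a secret vault and never reaches
# dev/test. Without the key, tokens cannot be recomputed from guessed values,
# which an unkeyed hash of a low-entropy identifier would allow.
MASKING_KEY = b"constructed-demo-key"


def build_test_dataset(key=MASKING_KEY):
    return ([mask_customer(c, key) for c in CUSTOMERS],
            [mask_order(o, key) for o in ORDERS])


if __name__ == "__main__":
    customers, orders = build_test_dataset()
    print(customers)
    print(orders)
```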

Auditing, Monitoring & Alerting

These methods provide insight into security incidents in production environments. They help teams respond to incidents much faster by providing detailed forensic logs.

Tools like Prometheus, Grafana and the EFK stack enable monitoring of events in clustered or distributed environments, with centralized logging to store data persistently.

Cognis plays a vital role in educating and establishing a culture of communication

When it comes to DevSecOps, Cognis plays a key role in enabling our customers to understand the security threats, compliance requirements and policies across the entire SDLC journey. We educate developers and operations teams on how to execute their tasks correctly in a secure DevOps manner.

Developers, operations teams and security experts should work together to define the tools and processes that work best for them, given their skill sets and technology ecosystems. Allowing teams to build the environment and define the process helps to improve motivation; making them invested stakeholders is the key Cognis USP. Please reach out to info@cognissolutions.com to learn more about how to implement DevSecOps in your ecosystem.
