DevSecOps and SDLC: Where Are We, and Where Should We Be?

DevSecOps helps eliminate security risks before they can reach later stages of the build flow.


Many organizations that have begun implementing DevSecOps quickly realize that they are still in the early stages of fully integrating security and compliance into the software development life cycle (SDLC).

Today, users typically download packages and verify them with simple checksum digests, and commonly rely on security scanners run against the final product (e.g., a container image or binary) just before it is deployed to production. This is a poor feedback loop for the developer: by the time a scanner flags a threat, the offending code has already been committed and has passed through the build pipeline. Few registries provide a trustworthy hashing service coupled with a cryptographic signing system alongside the package repository service itself.

“Weak protocols, social engineering, and unprotected endpoints can bring unprecedented impacts—from costly repairs and extensive downtime to negative reputation, and in some cases, shutting down a business for good,” writes Nick Hopman of Red Hat.

Nullifying security risks

DevSecOps is a means of injecting security into every step of development, so that developers get early feedback and security risks are eliminated before they reach later stages of the build flow.

Fulfilling the potential of DevSecOps is not necessarily easy, according to a McKinsey report: “It relies on tight collaboration both within IT and across IT, security, compliance, and risk. To get it right, companies need to make four shifts in the way they manage technology: create a more integrated operating model, build secure ‘consumable’ services, automate development and release processes, and evolve product architectures.”

DevSecOps is a complex undertaking, especially as DevOps tools—and the DevOps process in general—continually grow and change. Teams must also master technologies that allow organizations to do DevSecOps at scale, such as using containers, Kubernetes, and public cloud services to develop modern cloud-native applications.

Getting from here to there

DevSecOps means thinking about application and infrastructure security from the start. Selecting the right tools to continuously integrate security, like agreeing on an integrated development environment (IDE) with security features, can help meet these goals. It also means automating some security gates to keep the DevOps workflow from slowing down. Some steps enterprises can take now include: 

  • Standardize and automate the environment. Each service should have the least privilege possible to minimize unauthorized connections and access.
  • Introduce secure APIs that increase authorization and routing visibility. By reducing the number of exposed APIs, organizations can reduce their attack surface.
  • Automate security testing in the CI process. This includes running static analysis tools as part of builds, as well as scanning any pre-built container images for known security vulnerabilities as they are pulled into the build pipeline.
  • Add automated tests for security capabilities into the acceptance test process, including input validation tests, authentication, and authorization features.
  • Automate security updates, such as patches for known vulnerabilities. Doing so via the DevOps pipeline should eliminate the need for admins to log into production systems, while creating a documented and traceable change log. For containers, since they are immutable, you should not patch running containers - rebuild and redeploy them instead.
  • Automate system and service configuration management capabilities that allow for compliance with security policies and the elimination of manual human errors.

DevSecOps can enable an organization to secure its applications early in the life cycle, faster, at larger scale, and more comprehensively than applying security after the application is already deployed.

The entire software build pipeline requires a complete chain of cryptographic attestation and non-repudiation for every artifact committed or generated by the various actors in the supply chain. Machine learning and AI can help developers gain early insight into attacks introduced through compromised upstream packages, insecure coding flaws, and other risks commonly associated with software build and development processes.
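The difference between the checksum-only download check described earlier and the signed attestation this paragraph calls for, as an added Go example (not code from the original article or from Red Hat); the Attestation format, the artifact name and the package bytes are constructed for illustration:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)
// Attestation binds an artifact name and SHA-256 digest to the publisher's
// Ed25519 signature. Constructed format for this example, not a registry schema.
type Attestation struct {
	Name   string
	Digest string // hex SHA-256 of the artifact bytes
	Sig    []byte // Ed25519 signature over Name + "\n" + Digest
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Attest is what the publisher runs at release time.
func Attest(priv ed25519.PrivateKey, name string, artifact []byte) Attestation {
	d := digestOf(artifact)
	return Attestation{Name: name, Digest: d, Sig: ed25519.Sign(priv, []byte(name+"\n"+d))}
}

// ChecksumOnly is the weak gate: it trusts whatever digest ships beside the package.
func ChecksumOnly(att Attestation, artifact []byte) bool {
	return digestOf(artifact) == att.Digest
}

// Verify is the stronger gate: the digest must carry a valid signature from the
// key pinned in the pipeline, and the downloaded bytes must match that digest.
func Verify(pub ed25519.PublicKey, att Attestation, artifact []byte) error {
	if !ed25519.Verify(pub, []byte(att.Name+"\n"+att.Digest), att.Sig) {
		return errors.New("attestation not signed by the trusted publisher key")
	}
	if digestOf(artifact) != att.Digest {
		return errors.New("artifact bytes do not match the attested digest")
	}
	return nil
}

func main() {
	pub, _, _ := ed25519.GenerateKey(nil)   // constructed pinned publisher key
	_, rogue, _ := ed25519.GenerateKey(nil) // constructed key of an untrusted party
	bad := []byte("substituted package bytes")
	badAtt := Attest(rogue, "libfoo-1.0.tar.gz", bad) // digest shipped beside the swap
	fmt.Println(ChecksumOnly(badAtt, bad), Verify(pub, badAtt, bad)) // true <error>
}
```

A swapped package that ships with its own matching digest passes the checksum gate but fails the signature gate, which is the property the attestation chain above is meant to provide.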


Copyright © 2021 IDG Communications, Inc.