First of all you must be thinking, what is DevOps? What the hell is DevSecOps? And will we keep adding more acronyms to it?
It could look like something like this in the coming years.
Source: Acloud guru
I think TriceratOps would be at the stage where you've been transforming into so many Ops roles you forget where your focus is supposed to be.
For now, to understand DevSecOps, we must first know what DevOps is.
What is DevOps?
Firstly, DevOps is an acronym, short for development (Dev) and operations (Ops). It is mainly the union of people, processes and technology to continually provide value to the business and their customers.
It can also be its own department of engineers who posses hybrid skills that developers, network administrators and operations have.
Their main focus is to take the former siloed departments like development, IT operations and quality engineering to collaborate and coordinate them into one.
Their outcome should lead to a faster time to market, highly available systems and more reliable products.
By adopting to DevOps practices and implementing their tools, teams gain the ability to better respond to customer needs, enable continuous feature integration and increase confidence in the applications they produce.
Examples of DevOps practices would be:
Continuous development.Continuous testing.Continuous integration (CI). Continuous delivery.Continuous deployment (CD).Continuous monitoring.Infrastructure as code.
However, the problem in the past was that these practices allowed us to develop too fast, not run vulnerability scans and not allow us to be security compliant. This allowed systems, resources and code to have open vulnerabilities.
What is a Vulnerability?
In the dictionary, a vulnerability can be defined as "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally."
In our DevOps world, a vulnerability could be something like our credentials being uploaded go to a public repository, malware being embedded in a software dependency or having a misconfigured resource that allows to access our resources.
Believe it or not, the last consultancy I worked at, someone uploaded their credentials to Github and within 3 seconds it was scrapped by a scanner bot. The following week, the company got a $20,000 bill for AWS as a hacker had spun up resources to do crypto mining. A very expensive mistake indeed!
Did you delete your credentials before pushing to Github?
With these gaps, security was no longer decided to be implemented right at the end of the development cycle. This is where DevOps security comes into play. It is also now known as another buzzword called "DevSecOps". With its implementation security is inserted right from the beginning until the end of production.
Why Do We Really Need DevSecOps?
Everyday hackers are looking for ways in to deploy malware and other exploits on your system.
For example, imagine if they were able to insert malware into a software dependency or application during the build process. The malware would not be found until the application had been distributed to thousands of its customers.
The damage to both the customer software and company's reputation would be huge, especially in a world where bad news goes viral within minutes.
This is why making security a top consideration alongside development and operations is a must for any organization involved in developing applications and software distribution.
When you integrate or involve DevSecOps, every developer, operations and network administrator will have security at the front of their minds when developing and deploying applications.
Benefits of DevOps Security?
The first thing that comes to mind for DevSecOps is enhanced secure automation throughout the software delivery pipeline. This helps eliminate mistakes and reduces downtime and attacks.
The objective is to make security one of the core components of the software development workflow. Otherwise it would more resource expensive to fix any bugs you find later on in the development cycle.
Some of the benefits are as follows:
Automation. Your focus as a DevSecOps engineer is speedy secure delivery. The delivery pipeline wont be slowed down by inserting security to the mix. By embedding automated security and tests early in the development cycle, you can ensure faster and more secure delivery times of your applications.
Threat modeling. Threat modeling can help you to discover vulnerabilities of your resources and fill any gaps in your security controls. An Example is using Forcepoint's Dynamic Data Protection.
This can be added to your pipeline to help you to identify even the riskiest events that occur across your infrastructure. This can also help to build the necessary protection into your DevSecOps workflows.
Efficiency. If you are only adding security to your workflows, you can just use tools that can scan code as you write it. You will find security issues much earlier.
DevSecOps - AWS Security
One the of great things about a cloud provider like AWS is that they provide security tools that can easily be integrated into your development process, software deployment and infrastructure.
In the below diagram, AWS lays out for what security measures they are responsible for and what security measures customers are responsible for too.
AWS doesn't leave us unequipped to secure ourselves. For example, every domain that the customer has control over, they have provided us with the necessary tools to achieve optimum security.
A brief list:
Network Security
Network firewalls - giving us the ability to create VPCs (Virtual Private Cloud) with private networks.Connectivity options which enable private, or dedicated, connections from our office or on-premises environment.DDoS mitigation technologies that can be applied to layer 3 or 4 and layer 7.Automatic encryption of all traffic coming through via AWS global and regional networks.
Configuration Management
Deployment tools to manage the creation and decommissioning of AWS resources.Tools to allow us to track and manage our inventory and configuration management.Preconfigured template and management tools to create a standard in resources that can be used across the business like hardened virtual machines.
The list goes on. If you'd like to dive more into it I would recommend logging on to the AWS console and search security. You would get a whole list of services and documentation to how you could use security in your cloud deployment.
If you would like to check out AWS security best practices, I would recommend reading their white paper: Introduction to AWS Security 2020.
Please note that other cloud providers like Azure or GCP will also offer similar tools to help place security at the heart of your operations. They all have simialr functions but just use a different name like we can see below:
Source: Black hat Events
Final Thoughts
DevOps security has now evolved into DevSecOps which as you can see aims to unite Development, Security and Operations.
Its not enough to now have speedy delivery to market, DevOps engineers need to include security early on to catch any malware or vulnerabilities that may show after distribution.
All it takes is a password to be exposed on Github and the hacker will have the keys to your environment. The best way to implement security is by thinking about how secure your application, processes and environment is.