Organizations worldwide continue to adopt DevOps to remove silos and foster collaboration, improve product quality, and expedite time to market. But the DevOps emphasis on velocity often means security is a secondary consideration—if considered at all—when implementing tools and practices.
Unfortunately, traditional security and compliance monitoring tools have not kept pace with the DevOps revolution. Instead of making the DevOps environment more secure, they often become a barrier to continuous delivery. To make the production environment more predictable, auditable, and secure, you need to integrate DevOps security requirements into the pipeline from the very beginning. This will require you to automate your processes and tools to match DevOps’ speed and scaling requirements.
Here are 10 DevOps security tips to get started.
1. Architecture and design
DevOps security needs to start during the architecture and design phase. Security teams should understand the scope of the DevOps infrastructure and what elements will need protection in different ways. An understanding of the shared security model is critical; the line between IaaS and PaaS grows increasingly blurred, and each has a different security paradigm.
Threat Modeling can be done during this phase. This will allow security teams to define the threats against each different component to uncover vulnerabilities and determine what elements will be needed to secure them further up the DevOps pipeline.
2. Static code analysis + code reviews
Code reviews are a common part of DevOps. Security team members should understand what the current code review process is and learn secure coding techniques to include in their security reviews. It’s also worth investigating Static Code Analysis tools, as they can check the source code for potential vulnerabilities. If any are detected at this point, developers can quickly change coding techniques to meet security requirements.
3. Audit of chef cookbooks/CloudFormation scripts
“Infrastructure as code” is a popular concept within DevOps. Rather than manually configuring hardware and systems, you use scripts and configuration files to build infrastructure. This method ensures consistent configurations on all servers, automates repeated tasks, and enables faster software deployments, among other benefits.
Security teams can leverage infrastructure as code to run automated checks against these scripts. If a developer creates a script to create a storage bucket with public access to the internet, for example, it can raise an error. Automated checks in combination with threat modeling create a powerful tool to validate the infrastructure every time a developer makes a change.
4. DevOps Security testing post-build
A core DevOps practice is to run automated builds and unit tests after check-in. Security teams can add security testing tools to automate the validation of the build. This will allow any vulnerabilities or other issues to be identified within minutes of a developer checking the code, enabling them to fix them without the delay associated with post-project testing.
5. Secure and harden the operating system
Applying OS hardening at the beginning of a project rather than at the end allows teams to recognize issues earlier and reduces the risk of the application not working. If hardening must be relaxed, security teams can collaborate with the developer to find another way of performing the function. They can use resources like SANS Linux Security Checklist or CIS Benchmark to review the automation scripts to ensure that the OS is being deployed securely and any changes to this standard are controlled.
6. Harden your cloud deployment
Cloud services are double-edged swords. If done correctly, they can deliver incredibly secure infrastructures. If not, they can open up significant security holes. That makes it imperative that you review how your company is using the cloud. Review everything from the development environment through to production and understand how teams are accessing the console and what permissions they have.
As a general rule, people should only have the permissions needed to do their job. Any significant permissions require two-factor authentication.
7. Deployment of security tools
You’ll have to keep up with multiple teams deploying multiple applications to production. Script the deployment of your security tools to ensure they are deployed at the same time so that all environments have baseline coverage. Include network detection for threats on your network, monitoring of HTTP for attacks as well as monitoring log files. With a Managed Detection and Response solution, you can monitor these different feeds at the same time and have a 24/7 SOC investigate the threats and escalate if required.
8. Run regular vulnerability scans of OS and applications
Cyber attackers love to target vulnerabilities in the OS or applications running on servers. You can run scans on servers in the DevOps pipeline to ensure you always know what state they are in and remediate any vulnerabilities you find.
Additionally, with Alert Logic MDR, this information is fed into our analytics engine, allowing potential attacks to be rated with the additional data from whatever software you are using. This will help reduce false positives.
9. Use Phoenix Upgrades to patch security issues
Phoenix Upgrades are a process where you terminate an existing server and build a fresh one, using Apache Phoenix, each time you deploy an update. This increases your ability to quickly patch security issues and your agility to roll them out. A Phoenix Upgrade strategy allows you to deploy a new patched version across your entire cloud environment quickly and safely, while also reducing the risk of technical debt and configuration drift.
10. On-going and real-time audit of the production environment
Once all of these elements are in place, you’ll be able to survey production to understand its state at any given time and make corrections if it has drifted from its defined security profile. You should have standard auditing levels across different server roles and applications, and for each, try to achieve an auditing level that can be fed into a security tool to provide the data that’s needed without swamping your servers. Just as developers can use the Cloud to create big IT systems in very short timeframes, you can leverage its power to audit these systems multiple times a day.
Speed and security are essential for businesses to maintain their competitive edge. By building security into the development pipeline, you can ensure you do not sacrifice one for the other.