Guest post originally published on the SparkFabrik blog
If you are familiar with the DevOps philosophy, you will certainly have heard of DevSecOps. It is an approach to security that is gaining momentum in line with the growing awareness – on the part of large enterprises – of security threats. We recently talked about how to introduce DevSecOps. In this article, we will look at the concept of Cloud DevSecOps and focus on the benefits and useful tools. Let us start with a definition.
What is Cloud DevSecOps?
DevSecOps is the result of the integration of security within the DevOps methodology. Cloud DevSecOps is nothing other than the same concept as DevSecOps, but dropped into the specific context of the Cloud.
This approach tries to bring security practices as close as possible to the delivery phase, instead of isolating them in a separate phase following each software release cycle. The main benefit of the DevSecOps model is that it makes security a requirement known to all stakeholders and not just to industry specialists and a dedicated team. If everyone is, to varying degrees, responsible for security, the reliability and quality of the software produced can only improve.
The benefits of DevSecOps
The main benefits of a DevSecOps model are the speed with which it is possible to iterate on the software produced and the speed with which the resulting application security score can be improved. (Whether Cloud Native applications or not.) These two benefits, however, are not triggered at a specific stage, but rather are the consequence of practices that bring benefits that can be seen throughout the development process, let us look at them below.
FAST AND COST-EFFICIENT SOFTWARE DELIVERY
When software is developed in an environment outside DevSecOps principles, security problems can lead to enormous delays. Anticipating feedback to the coding phase to verify the security posture of the code reduces the overhead of late resolution.
IMPROVED SAFETY AND INCREASED PROACTIVITY
The ‘shift left’ approach increases the proactivity of devops teams. By immediately seeing security-related metrics, development teams are progressively made aware of potential problems before considering the code ‘ready’.
ACCELERATED PATCHING OF SECURITY VULNERABILITIES
Continuous and proactive scanning allows vulnerabilities/CVEs to be identified and fixed at a much faster pace than a planned analysis mechanism.
AUTOMATION COMPATIBLE WITH MODERN DEVELOPMENT
All major tools can be integrated within the Continuous Delivery and Continuous Integration pipelines.
A REPEATABLE AND ADAPTIVE PROCESS
The extensibility of the tools and the determinism guaranteed by the market solutions makes it possible to optimise the level of sensitivity of the tools with respect to the most critical alerts according to the organisation’s standards and policies. This ensures that the same portion of code, analysed at different times, is classified in the same way.
DevSecOps vs SecDevOps: what is the difference?
The value of an application lifecycle management strategy that includes DevSecOps is now beyond doubt. However, within the IT industry, a new point of view is emerging that questions the priority with which ‘security’ concepts settle within the life of a product.
The term SecDevOps takes the shift-left to the extreme, defining an application delivery methodology that before any other consideration (technological, design or method) asks the question of how much a given choice impacts security. The difference, therefore, is not so much in the quality of the software produced, but more in the path by which a decision is arrived at.
To simplify, we can say that in the DevSecOps model the emphasis is on automation, in SecDevOps, on the other hand, the emphasis is on development planning.
Cloud DevSecOps best practice
As with Devops best practices, there are also guidelines for DevSecOps that simplify its adoption and increase its benefits for all stakeholders involved. We have described six of these guidelines in detail in the article DevSecOps: 6 principles for introducing it in the company. The same principles also apply in the more specific context of Cloud DevSecOps and are:
- Code Analysis
- Automated Testing
- Change Management
- Compliance Monitoring
- Threat Investigation
- Staff Training
We advise you to elaborate on this in the above-mentioned article
In addition to these issues, in Cloud contexts, the concept of Cloud Security Automation is also important. This is the possibility of automating certain operations during the management of services activated on Cloud, in order to improve the governance and monitoring of workloads hosted on Cloud.
Another important practice is the ‘tagging’ of resources, i.e. the association of customised metadata (automatically via tools and scripts) to the instances of application or infrastructure workloads that are activated. These ‘tags’ can then be used as indicators or filters for control activities during security audits.
DevSecOps tools
You may already be familiar with some of the most popular DevOps tools, can you say the same for the DevSecOps approach? Again, there are tools that can help an organisation adopt the DevSecOps practices we have just mentioned. For Atlassian, the classification of these tools is based on the various phases of the DevSecOps cycle, in detail:
- Plan: thread modelling tool and analysis of impacts on certain changes
- Build: static (SAST) and dynamic (DAST) code analysis tools
- Test: dynamic code analysis (DAST)
- Deploy: penetration testing and chaos engineering tools
- Operate: Log collection, Web Application Firewall and Runtime Application Self Protection (RASP)
- Monitor: security information and event management (SIEM)
Among the tools for DevSecOps we find BridgeCrew: it offers specific tools for the configuration and IaC part, among which we particularly highlight Checkov. Then there is Trivy, one of the most popular vulnerabilities and misconfiguration scanners, and KICS, an open-source solution for analysing static IaC code. Another DevSecOps tool is SonarQube, in addition to the container, dependency vulnerability and IaC scan part, this tool is also able to do code analysis.
Your next step
In conclusion, DevSecOps continues to be a fast-growing trend within organisations, its adoption can improve the quality of the software produced and the security level of the entire value chain associated with software development. Best practices simplify its adoption and the use of new technologies and specific tools allow for standardisation of technology implementation.
For a company that wants to remain competitive in the market, starting on a path of DevSecOps Strategy – that is, an in-depth study of the competitive advantage this methodology can bring to the organisation – can be a winning move.