If you are a company that has joined the DevOps movement to integrate code and infrastructure deployment, it's likely you (or someone in your organization) have had some concerns about information security. In an effort to release products faster or reduce time to market, information security gaps can become a problem for any company. Security monitoring tools haven’t been able to keep up with the fast-paced changes being made by DevOps when releasing new features or products.
The key to success is to integrate security requirements into the DevOps pipeline. For this to work effectively, security professionals need automated tools and scripts to keep up with the DevOps team. Instead of validating the end solution or product, validate the pipeline, which makes the process more scalable. If the pipeline is built in a way that meets security goals, you can be confident that the same process will be repeated every time a developer needs to get code into production.
Thus, we have DevSecOps, which embraces the idea that security is not an afterthought; it’s integrated into all stages of a project and beyond. DevOps seeks to bridge the gap between development and operations, but this vision is incomplete without the incorporation of information security. A communication breakdown between these departments is the root cause of the vast majority of critical system downtime, including downtime caused by breaches in security.
To help with implementing DevSecOps into your organization, below are 10 Practical Security Tips for DevOps provided by our valued partner, Alert Logic. Make sure to read all three sections of the Alert Logic “Security Tips for DevOps” blog post – including part two (a continuation of part one) and part three, which explores the Security Gap.
For your convenience, here is a brief summary of Alert Logic's 10 Security Tips for DevOps:
1. Architecture & Design
Security professionals need to get involved with development teams at this point in order to understand the scope; different elements of the infrastructure need protection in different ways.
Action: Work with the architecture to understand the cloud components being used, and the security controls required for each. Take this further by using techniques like Threat Modeling.
2. Static code analysis + code reviews
The code review is a great time to educate colleagues on secure coding techniques. Static code analysis will catch any potential vulnerabilities at this point in the process.
Action: Understand what the current code review process is and ensure that it includes security elements. Likewise, investigate what static code analysis tools are available and whether they can be used.
3. Audit of Chef cookbooks/CloudFormation scripts
“Infrastructure as code”, or infrastructure built in a highly automated way using scripts and configuration files, enables easy validation of the infrastructure every time developers need to make a change.
Action: Use the automation tools to ensure that the infrastructure is being built to meet the security standards.
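As an added illustration of tip 3 (not taken from the Alert Logic posts), the Python sketch below audits a CloudFormation template before deployment and fails the pipeline step when a security group exposes SSH or RDP to the internet or an IAM policy allows every action on every resource. It assumes a JSON template with literal values rather than intrinsic functions; the rule set, the audit_template function and the sample template are constructed for this example.

```python
import json

ADMIN_PORTS = (22, 3389)            # SSH and RDP: the ports this check cares about
WORLD = {"0.0.0.0/0", "::/0"}       # "anyone on the internet"

# Constructed sample template (JSON CloudFormation), not from a real deployment.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppPolicy": {"Type": "AWS::IAM::Policy", "Properties": {
        "PolicyName": "app",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}})

def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def audit_template(text):
    """Return a sorted list of (logical_id, finding) tuples for one template."""
    findings = []
    for name, res in json.loads(text).get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr not in WORLD:
                    continue
                if str(rule.get("IpProtocol")) == "-1":   # all protocols, all ports
                    lo, hi = 0, 65535
                else:
                    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                findings += [(name, f"port {p} open to {cidr}")
                             for p in ADMIN_PORTS if lo <= p <= hi]
        elif res.get("Type") in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            for st in _as_list(props.get("PolicyDocument", {}).get("Statement", [])):
                if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                        and "*" in _as_list(st.get("Resource", []))):
                    findings.append((name, "Allow with Action '*' on Resource '*'"))
    return sorted(findings)

if __name__ == "__main__":
    results = audit_template(SAMPLE_TEMPLATE)
    for logical_id, finding in results:
        print(f"FAIL {logical_id}: {finding}")
    raise SystemExit(1 if results else 0)   # non-zero exit stops the pipeline stage
```

Run as a pipeline step, the non-zero exit code blocks the deployment until the template is corrected, so the check repeats on every change.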
4. Security testing post build
Security teams should add automated testing tools for quick validation of the build so developers can immediately get to work fixing any problems that arise.
Action: Investigate automated security testing tools and integrate them into the build process.
5. Secure and harden the operating system
Let’s add on “Secure infrastructure as code”. If you are building servers via scripting, it’s a good idea to add in scripts to lock down the OS at the same time. If OS hardening is applied at the beginning of a project, issues can quickly be identified and security teams can work with developers to find an alternate solution if needed.
Action: Review the automation scripts to ensure that the OS is being deployed in a secure way and that any changes to this standard are controlled. Use resources like the SANS Linux Security Checklist or the CIS Benchmark.
6. Harden your cloud deployment (standard AMIs, security groups, IAM roles, MFA tokens)
Cloud services can be incredibly secure infrastructures if done correctly. Review how your company is using the cloud, including segregation of roles.
Action: Review how teams are accessing the console and what permissions they have. People should only have the permissions they need to do their job, and if they have significant permissions they should be using two-factor authentication.
7. Deployment of security tools
Ensure security tools are deployed for each application as it goes into production. You should be deploying network detection for threats, monitoring of HTTP for attacks as well as monitoring of log files.
Action: Script the deployment of your security tools so that all environments have a baseline coverage.
8. Vulnerability scanning of OS & applications
One of the most common attack vectors is to exploit vulnerabilities in the OS or applications that are running on servers. Part of your DevOps pipeline should be to check servers for vulnerabilities; this ensures that you know the state of your servers at any given point.
Action: Run regular vulnerability scans against the environments and remediate any vulnerabilities.
9. Phoenix Upgrades
Phoenix Upgrades (deploying upgrades to a new server, rather than applying to an existing server) increase your agility as well as increase your ability to rapidly respond to security issues.
Action: Work with the DevOps team to support them using Phoenix Upgrades and ensure this gives you the ability to patch security issues and roll them out.
10. Ongoing & real-time audit of production environment
Post-deployment visibility often comes down to the level of auditing that has been put in place. The goal would be to have your auditing at a level that allows you to feed info into a security tool to give needed data without swamping your servers with too much auditing.
Action: Work with the development team to set logging levels and use a tool like Chef to ensure that your configuration does not drift.