Breaking down silos and establishing Secure DevOps Secure development of Web apps
01.03.2022A guest post by Sean Leach *
In view of ever new cyber threat situations, security should be integrated into the development and over the life cycle of a web app from the very beginning. DevOps and security teams benefit equally from this.
The better security and DevOps are interlinked, the faster features can be deployed.
(© Alex – stock.adobe.com)
It is now a truism that collaborative teams of developers and operations (DevOps) work more efficiently. A well-lived DevOps model leads to more robust processes and accelerates the deployment cadences of web applications.
However, this holistic approach is still incomplete. The Log4J headlines unfortunately show once again that web applications and interfaces (APIs) are vulnerable to security vulnerabilities. Therefore, a well-coordinated Secure DevOps concept (DevSecOps) should be the answer: with a focus on four crucial transformation areas.
Feedback loops from development onwards over the entire runtime
No company wants to hit the headlines with security breaches and frustrated customers. Often the reputational damage is even much greater than the material damage. On the other hand, the consistent integration of feedback loops can help – preferably right where most attacks happen: the web application.
Especially if companies have introduced agile processes and fast releases, the security teams must be involved in the development process from the very beginning. The information obtained in this way about the constant changes in the runtime environment and the direct cooperation with development and operations enable the security team to react to events before they become a threat.
However, innovative DevSecOps teams do not stop at dry exercises. You use the latest generation of Web Application firewalls (Next-Gen WAF) in the production environment to monitor applications and APIs contextually. This allows developers to receive information about attacks in real time.
These modern firewalls also protect against a wider range of attacks, such as account takeovers, credential stuffing, malicious bots, API abuse, application DDoS, as well as classic OWASP Top 10 attacks. More effective solutions are especially important where an agile DevOps culture has led to decentralized applications that are managed in multi-cloud environments, containers, data centers or serverless.
Common culture and democratization of information
The integration of security brings with it similar challenges as the merger of development and operations back then. There are apparent trade-offs between speed and function on the one hand and security and compliance on the other.
However, there are two helpful approaches that security experts can use in an agile manner in this environment. On the one hand, “lean security” and on the other, the democratization of security data.
Lean security means that security experts intervene less frequently and in a more targeted manner than was previously the case. This allows DevSecOps teams to solve problems together instead of blocking each other or shifting responsibility to each other. It helps if self-service workflows are established and the work of the security experts adapts to the processes of the developers.
Lean Security also means that security experts always validate their findings before reporting them to DevOps. This early analysis of both false-positive and false-negative messages allows a quick solution and thus saves a lot of resources.
The second helpful approach for the integration of security experts is the democratization of all information in the entire DevOps team. ChatOps have proven themselves for this purpose, with which findings of monitoring, logging and operational tasks can be communicated to the entire team without delay and proactively. In this way, the previously isolated knowledge of where attacks take place can be shared throughout the company.
Accelerate deployment cadence
Experts and users agree: the better security and DevOps are interlinked, the faster features can be provided. Even with a fast sequence of releases, security does not necessarily have to suffer. This is achieved, for example, through the use of Continuous Integration (CI) and Continuous Delivery (CD).
Both enable continuous automation and monitoring throughout the entire life cycle of an application – from integration and testing to the deployment and implementation phase. But what do CI and CD do in detail?
A CI system automatically runs tests and sends the results to the deployment pipeline so that any corrections can be made there. This reduces the total number of necessary changes and makes each deployment easier. It also allows security teams to make changes to the more sensitive parts of the code base in isolation.
A CD system, in turn, ensures that a developer’s code changes are automatically tested for bugs. After that, they are loaded into a test environment, where Operations can activate them. This creates transparency and misunderstandings between Dev and Ops are avoided. In sum, CD ensures that new code can be implemented with minimal effort. The security team can take advantage of this playing field by adding static and dynamic security tools (SAST and DAST) to the pipeline.
One of the core ideas of CD is that code changes are created only once and are immutable as much as possible. Since CD tracks changes from test completion to deployment, transparency and trust increases. This gives security employees the certainty that they can also track changes later.
Provision of infrastructure as code
Infrastructure as a code (IaC) was already an important driving force for more integration in the early days of the DevOps movement. Today, operations teams no longer store configurations and scripts in shared drives and wikis, but have moved to version control and full automation of their systems.
The more DevOps people lived, the more they learned about IaC – the complete implementation of the system as code, i.e. from networking and forwarding to system configuration to all acceptance and smoke tests. In short, everything that is required to create, run, test, modify, monitor, secure and destroy the infrastructure and the entire system is expressed as code.
This paradigm shift has consequences for security. If the artifacts (= the result of a build) that describe the system and its components are included in the version control, the separation between configurations and wikis as well as documents is guaranteed, as well as the versionability and referenceability of the configurations. Configuration and runtime health tracking replace a configuration management database (CMDB) and provide more transparency, which in turn enables better monitoring for security colleagues.
A DevSecOps culture offers only advantages
In the end, everyone benefits from a deep integration of security in DevOps. Feedback loops allow security teams to make earlier interventions when the runtime environment is changing rapidly. Lean security and the democratization of information over the entire lifecycle of an application strengthen a culture of collaboration and shared responsibility in DevSecOps teams.
The deployment cadences are thus shorter and there are no disadvantages for security. And finally, IaC provides more transparency and thus increases application security right up to deployment.
* Sean Leach is Chief Product Architect at Fastly, where he focuses on developing and scaling products around large, mission-critical infrastructures. Previously, he was VP Technology at Verisign. He holds a bachelor’s degree in computer science from the University of Delaware. His current research focuses on DNS, DDOS, web/network performance, internet infrastructure and combating the massive Internet security epidemic.