"DevSecOps," as the name implies, is the integration of security into the DevOps process. It's a work in progress: as Dev and Ops environments and methods continue to evolve, the Sec piece needs to keep pace, and each organization needs to settle on a DevSecOps definition that fits its own pipeline.
"In creating DevOps, which brings the development and operations teams together into a single team, somebody forgot to invite the security team," said Jerry Gamblin, principal security engineer, Kenna Security, which provides predictive cyber risk technology. "This typically meant that security wasn't called in either until the end of the cycle or until there was a problem. Either way, security would have little or no insight into what's 'inside' to help them fix vulnerabilities. Meanwhile, DevOps would be saying, 'Don't mess up our ship date.' DevSecOps allows the security team to be proactive rather than just reactive."
Catching the Known Knowns, Not the Unknown Unknowns
The DevSecOps definition, according to experts, isn't so much about catching new security holes as it is about finding--and fixing--known risks and vulnerabilities that other methodologies wouldn't have caught in a timely fashion (as in, before disaster struck).
"The 2017 Equifax security breach that exposed sensitive information from over 145 million consumers wasn't an elaborate zero-day attack," said Hillel Solow, CTO, Protego Labs, which provides serverless security technology. "It was a crime of opportunity because the company was lax on addressing known security bugs--in this case, in the version of Apache Struts that they were running."
Dan Cornell, CTO of Denim Group, an application security company, calls known vulnerabilities "silent killers."
"You can't expect every organization to have the level of inspection to proactively catch subtle and complicated vulnerabilities," said Cornell. "But the 'silent killers' are the more mundane vulnerabilities like cross-site scripting and SQL injection, which have existed and been out in the wild in their own code. These are being taken advantage of by cyber criminals and could be found by automated testing."
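The point Cornell makes is that the "silent killers" are exactly the class of bug a pipeline test can catch without any human inspection. The following is an added example, not code from the article or from Denim Group: a lookup that splices user input into SQL next to its parameterized fix, and the automated check a CI job would run against both. The table contents, the payload and the function names are constructed for the demonstration.

```python
import sqlite3

INJECTION_PAYLOAD = "nobody' OR '1'='1"   # classic tautology payload
LEGITIMATE_NAME = "o'brien"                # ordinary input that contains a quote


def make_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("root", "hash-r", 1)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The 'silent killer': user input is spliced into the SQL text."""
    query = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, username):
    """Hardened form: a bound parameter can never change the query's structure."""
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


def injection_check(lookup):
    """Automated pipeline test for one lookup function.

    Returns named results so the CI job can fail on any False value:
      - 'no_tautology_leak': the payload returns no rows (it matches no real user)
      - 'quotes_are_data':   a legitimate name with an apostrophe is handled as data
    """
    results = {}
    conn = make_db()
    try:
        results["no_tautology_leak"] = lookup(conn, INJECTION_PAYLOAD) == []
    except sqlite3.Error:
        results["no_tautology_leak"] = False
    try:
        # o'brien is not in the table, so the right answer is an empty list, not a
        # SQL syntax error: an error proves the quote reached the SQL parser.
        results["quotes_are_data"] = lookup(conn, LEGITIMATE_NAME) == []
    except sqlite3.Error:
        results["quotes_are_data"] = False
    return results


def passes(lookup):
    """True only if every check in injection_check succeeds."""
    return all(injection_check(lookup).values())


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_fixed):
        print(fn.__name__, injection_check(fn))
```

Run on the vulnerable function the tautology payload returns every user, including the admin row, and the apostrophe input produces a syntax error; the parameterized version returns an empty list in both cases. Wiring `passes()` into the test stage is what turns a known bug class into a build failure rather than a post-release incident.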
New Challenges for DevSecOps Teams
New development methods, tools and IT architectures bring new "opportunities" for security holes and new types of security vulnerabilities, said Kenna Security's Gamblin. "You have new places and things with code, such as IoT devices with only one or two people involved in the code. And there are more people creating unvetted code, like what goes into app stores."
In addition, said Cornell, new IT architectures, such as the cloud and microservices, and new methods, such as continuous delivery and continuous pipelines, enable DevOps to innovate, develop and iterate faster. These are all good things, of course, but they also create a more complex environment, Cornell added.
"As complexity increases--more parts and more players--so does the risk of security lapses," he said. "Additionally, approaches like infrastructure as code, software-defined networking and letting developers have more control over the environment increase the risk of bad things happening because of something that a developer did."
The whole idea of the supply chain is also changing dramatically.
"Today's developers are writing less code and using more libraries and other existing code and resources," said Protego Labs' Solow. "The entire notion of 'what is the supply chain of your application' is changing. Instead of having a hundred developers writing code on Windows, where it wasn't that complicated to map out where the risks were, you have lots of open source software, where a single line of code can pull in lots of code that you didn't write. So the development pipeline must become a security control point, enforcing policy, mapping out and mitigating risks and vulnerabilities."
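Solow's "pipeline as a security control point" and the Struts case above both come down to one automated question: does any pinned dependency fall inside a known-vulnerable version range? The following is an added example, not code from the article or from Protego Labs, of such a gate. The advisory feed, the advisory IDs, the package names and the lock file are all constructed and hypothetical; a real gate would pull its feed from a vulnerability database and read the project's real lock file.

```python
import re

# Constructed advisory feed for the demonstration. IDs and package names are
# hypothetical, not real CVEs or real projects. A pin is affected when
# introduced <= pinned version < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "package": "webframework", "introduced": "2.3.0", "fixed": "2.3.32"},
    {"id": "ADV-0002", "package": "webframework", "introduced": "2.5.0", "fixed": "2.5.13"},
    {"id": "ADV-0003", "package": "yamlparse", "introduced": "0.0.0", "fixed": "5.1.0"},
]

# Constructed lock file in the common "name==version" form.
LOCKFILE = """\
# generated by the build: one exact pin per line
httpclient==2.31.0
webframework==2.5.10
yamlparse==5.1.0
imagetool==1.4.2  # integrity hashes would follow in a real lock file
"""

PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(v):
    """Numeric dotted versions only; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in v.split("."))


def parse_lockfile(text):
    """Return (pins, bad_lines). Anything that is not an exact '==' pin is a
    policy violation, because a floating version cannot be audited."""
    pins, bad_lines = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.fullmatch(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            bad_lines.append(line)
    return pins, bad_lines


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def gate(lock_text, advisories=ADVISORIES):
    """Pipeline control point: returns (ok, findings). The CI job fails the
    build when ok is False, before any artifact is built or deployed."""
    pins, bad_lines = parse_lockfile(lock_text)
    findings = [{"kind": "unpinned", "line": line} for line in bad_lines]
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is not None and is_affected(pinned, adv):
            findings.append({"kind": "vulnerable", "package": adv["package"],
                             "version": pinned, "advisory": adv["id"],
                             "fixed_in": adv["fixed"]})
    return len(findings) == 0, findings


if __name__ == "__main__":
    ok, findings = gate(LOCKFILE)
    for f in findings:
        print(f)
    raise SystemExit(0 if ok else 1)
```

On the constructed lock file the gate reports one finding (webframework 2.5.10 sits inside the ADV-0002 range and is fixed in 2.5.13) and exits non-zero, so the build stops. Two design choices matter: an unpinned dependency is itself a finding, because a range that resolves differently on every build cannot be audited, and the exact version is compared against both ends of each advisory range, which is what separates "we run Struts" from "we run the Struts build that has the bug."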
Yet another factor driving security changes for DevOps and DevSecOps is the rise of serverless computing, a model in which the cloud provider runs the underlying servers and allocates infrastructure resources on demand, so the application team ships functions and configuration rather than machines.
"You don't know the security of the whole system until it's deployed," said Cornell. "Even though all your Dev and Ops may be within the same cloud ecosystem, you may not have exposed it to the internet yet and may not have realized that, when you do, you may expose a lot more things to the public than you intended to."
New Tools to Address New Challenges
One way the DevSecOps definition is evolving is through additions to the tools that DevOps teams use.
"We are starting to see new security tools that fit into today's developer tool chains and workflow," said Cornell. "Many traditional security tools are aimed at quarterly penetration testing. Today's tools integrate with environments like GitHub, where organizations are managing their source code, and can be used in continuous integration/continuous development."
According to Gamblin, "The big players are building code workflow tools that incorporate security testing--for example, GitHub Actions and Amazon Web Services' CodePipeline. Microsoft Azure and Google Cloud Platform have announced similar integration of testing into building tools."
Organizations also have to evolve how they do security assessments and threat modeling.
"You're no longer doing regular scans of a fixed infrastructure of two dozen servers," said Cornell. "As you move to cloud providers, with virtual machines and containers and microservices, the infrastructure is increasingly ephemeral. Security has to always be asking: What cloud providers are being used? How are they configured? What features are we using? The same applies to software: You used to have big, monolithic apps that you could scan and run static analyses on. But, today, as apps get broken up, they use more dynamic languages, etc. So your threat modeling has to evolve. As infrastructures break down into small chunks, you need threat models that let you understand how the system will be exposed from a security standpoint."
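When infrastructure is declared as code, the questions Cornell lists ("How are they configured? What features are we using?") can be asked of the deployment plan on every change, before anything reaches the internet, which also addresses the earlier point about exposing more than intended at deploy time. The following is an added example, not code from the article or from Denim Group: a policy check over a constructed, Terraform-like plan. The plan shape, the port list and the bucket allow-list are assumptions for the demonstration, not any real provider's schema.

```python
import ipaddress

# Constructed deployment plan in a simplified, Terraform-like shape. This is an
# assumption for the demonstration, not any real provider's schema.
PLAN = {
    "resources": [
        {"type": "security_group", "name": "web",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                     {"port": 22, "cidr": "0.0.0.0/0"}]},
        {"type": "security_group", "name": "db",
         "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
        {"type": "object_bucket", "name": "assets", "public_read": True},
        {"type": "object_bucket", "name": "backups", "public_read": True},
    ]
}

# Ports that should never be reachable from the whole internet (assumed policy).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
# Buckets that are public by design; any other public bucket is a finding.
PUBLIC_BUCKET_ALLOWLIST = {"assets"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. every address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan
    passes. A CI job fails the change when the list is non-empty."""
    findings = []
    for res in plan["resources"]:
        if res["type"] == "security_group":
            for rule in res.get("ingress", []):
                if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                    findings.append("security_group %s: %s (port %d) open to %s"
                                    % (res["name"], ADMIN_PORTS[rule["port"]],
                                       rule["port"], rule["cidr"]))
        elif res["type"] == "object_bucket":
            if res.get("public_read") and res["name"] not in PUBLIC_BUCKET_ALLOWLIST:
                findings.append("object_bucket %s: public read not on allow-list"
                                % res["name"])
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

The check passes the web tier's port 443 to the world (that is what a web tier is for) and the database group restricted to a private range, but flags SSH open to the internet and a backups bucket that is world-readable without being on the allow-list: the two changes a developer can make in one line of infrastructure code that, in Cornell's words, "expose a lot more things to the public than you intended to." Because the infrastructure is ephemeral, the check belongs in the pipeline where every plan passes through, not in a periodic scan of hosts that may no longer exist.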
The Benefits of DevSecOps
While doing more security checks and testing during the DevOps process does add some additional time, there are both immediate and long-term benefits, according to Cornell.
"If you get the Dev and Ops teams to start thinking about security earlier in the process, you not only catch and fix specific problems sooner, you're also training the teams in what not to do again, versus the one-time fixes of 'release code, find problems, fix problems,'" he said. "Experience shows that you'll see a big drop in problems like cross-site scripting and injection vulnerabilities because testing is being done to catch these errors. And, more to the point, the quick feedback loop keeps teams from making them again in the future."
How to Get to DevSecOps
Of course, DevSecOps isn't just about new tools.
"Bring your development, operations and security teams together so they understand what it looks like to deploy a program from an idea to a fully functional, security-tested application," said Kenna Security's Gamblin. "One suggestion: Get a whiteboard, and draw what it takes to start from nothing and get it to ready-to-ship. It's also important to understand that DevSecOps is cultural. It's about getting better every day. There are tools that will help incorporate the security aspects, but nobody can sell you a DevSecOps tool that will just do it. In DevSecOps, you break down the barriers between these groups--you integrate security with Dev and Ops, and steep DevOps with security's culture. This lets developers become comfortable dealing with security as they are developing and innovating."