The need for security in DevOps

In this article, we will look at security in DevOps, including how to defend against security breaches, and the benefits of DevOps for security.

The prospect of more automation and fewer manual security checks is an understandable concern when you are contemplating moving towards DevOps practices.

An article in Wired magazine offers this view: ‘Ultimately, DevOps will turn the IT business model on its head with shorter cycle times, automation, and deep cross-functional integration to deliver the next great idea.’

Defending Against Security Breaches

The majority of security breaches have occurred as a result of the vulnerabilities of static environments. These environments make it easy for attackers to hide, observe the network, and exfiltrate data.

Continuous delivery

With continuous delivery, you are automatically refreshing all your instances, which removes persistent hiding places. The only way for an attacker to infiltrate your infrastructure is by getting into your deployment solution and changing the way you deploy.

Version control

Version control is a regular deployment countermeasure. It tracks who has made changes to your infrastructure and code, and how and when they did it. You can then revert to a state before the changes were made.

Multiple deployments

Multiple deployments (per day or per week) also make it difficult for attackers to identify unusual sequences, and attackers will not be able to identify when you are implementing more aggressive countermeasures.

Benefits of DevOps for Security

By bringing processes such as configuration management and automated testing into focus earlier in the deployment pipeline, fast and predictable releases are possible. Security can be introduced earlier in the process as well.

DevOps can improve security in the following ways:

  • Component packages can be automatically scanned from a trusted registry.
  • By using automation and operational tools, security can be addressed when development begins with code analysis, rather than as an afterthought. Once the code has been fixed, the code that enters production is certain to have already undergone security scans and remediation. Failures can break the build.
  • If a vulnerability is discovered, an automated pipeline can immediately remediate by deploying a new component package.
  • Using the public cloud creates a dynamic infrastructure. Unlike a static data centre architecture, in the cloud, there is no place for persistent threats to hide.
  • Another option is to automate simulated attacks and stress on the system before a product or app goes to production to validate the code’s responses. If these attacks are added into the build pipeline (such as calling a script and exiting if failed), these tasks can automatically fail the build. This ensures that the release won’t get deployed to the next environment.
  • Once in the production environment, automating tests for security and continuously monitoring will ensure that the application is secure.
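
The "calling a script and exiting if failed" step described above can be sketched as a small build gate. This is an added example, not code from the course; the report format, the `# scan-complete` marker and the function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Build gate: exit non-zero when a scan report has findings at or above a
# severity threshold. The report format (a "# scan-complete" marker plus one
# "ID|SEVERITY|COMPONENT" line per finding) is constructed for this example.

severity_rank() {
  case "$1" in
    LOW) echo 1 ;; MEDIUM) echo 2 ;; HIGH) echo 3 ;; CRITICAL) echo 4 ;;
    *) echo 0 ;;   # unknown label
  esac
}

# security_gate REPORT THRESHOLD
# returns 0 = pass, 1 = blocking findings, 2 = scan result unusable
security_gate() {
  local report="$1" threshold blocking=0 id sev comp rank
  threshold="$(severity_rank "$2")"
  [ "$threshold" -gt 0 ] || { echo "gate: unknown threshold '$2'" >&2; return 2; }
  # Fail closed: no completion marker means the scanner crashed or never ran,
  # which must not be mistaken for a clean scan.
  grep -q '^# scan-complete$' "$report" 2>/dev/null ||
    { echo "gate: report missing or incomplete" >&2; return 2; }
  while IFS='|' read -r id sev comp; do
    case "$id" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    rank="$(severity_rank "$sev")"
    # An unrecognised severity blocks the build instead of being ignored.
    if [ "$rank" -eq 0 ] || [ "$rank" -ge "$threshold" ]; then
      echo "BLOCKING: $id ($sev) in $comp" >&2
      blocking=$((blocking + 1))
    fi
  done < "$report"
  [ "$blocking" -eq 0 ] || return 1
  return 0
}

# Constructed sample report: one LOW and one HIGH finding.
make_sample_report() {
  printf '%s\n' '# scan-complete' \
    'FINDING-001|LOW|libexample' 'FINDING-002|HIGH|webframework' > "$1"
}

# Pipeline usage: ./security_gate.sh report.txt HIGH
[ "$#" -eq 0 ] || { security_gate "$@"; exit $?; }
```

Because the script's exit status is non-zero for both blocking findings and an unusable report, a pipeline step that runs it stops the release from moving to the next environment in either case.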

It’s important to note, however, that security specialists are still required for monitoring and for adding security in development to DevOps.

There are never any guarantees, but by automating more processes and establishing predictable pipelines and processes, good security practices can be even more consistent.

This article is from the free online

Microsoft Future Ready: Fundamentals of DevOps and Azure Pipeline

Created by
FutureLearn - Learning For Life
