March 6, 2017

It’s Time to Operationalize DevOps Infrastructure Security

Categories: Blog, From The Front Lines

DevOps has taken an aggressive hold in today’s public and private sectors, allowing organizations to adapt, deploy, and recover their applications at astounding rates, and that keeps their bottom lines headed in the right direction. One of AttackIQ’s customers is onboarding more than 200 applications this year alone to streamline government. That’s an amazing leap forward for that organization and its constituencies.

But at the same time, there is an ongoing debate about how to effectively integrate security practices with DevOps. There are many aspects to the problem. Trying to apply traditional secure development practices to the unique world of DevOps doesn’t completely solve it, and likewise, applying traditional IT security practices can also be ineffective. The high rate of infrastructure and application change that DevOps makes possible is advantageous to many (or even most) business stakeholders, but my colleagues in the security space cringe at the consequences they now need to worry about. To make matters more difficult, there is very rarely an owner of the myriad unique security aspects that should be considered with DevOps, primarily because security has not traditionally been a focus for the individuals tasked with implementing DevOps practices.

Your security and DevOps teams likely hold different goals. According to Gartner, 77 percent of information technology professionals believe security slows them down, and that slowdown typically works in your security team’s favor. But in DevOps, slow just doesn’t work - by design, DevOps encourages rapid and frequent actions and change.

Adding to the difficulties faced by the security team are the continuous automation and process integrations inherent in DevOps. Current defensive controls aimed at applications and infrastructure produced by DevOps practices are likely to lose visibility into the security posture of the technology stack as it constantly changes. A CISO at a large bank recently told AttackIQ that he had “zero” visibility into the effect of DevOps on his organization’s security posture.

And finally, just as with any cross-functional challenge, communication is a problem, and best practices for the relationship between DevOps and security teams are still being developed. Everyone is running fast, and hardly anyone is talking. Instead of integrating security into DevOps practices, organizations are running security in parallel with – and far behind – the pace of their DevOps teams. Security teams end up chasing down the openings created by infrastructure and application changes after deployment. Forced into a reactive mode, security teams are never able to catch up or keep pace with the rate of change.

Operationalize and Integrate Security Practices into DevOps

It’s time to integrate security tools and processes into DevOps practices. These integrations should run the gamut from secure development lifecycle practices for application development, to infrastructure security practices that harden and verify assets, and most importantly, they should be built around processes that ensure security does not fall behind DevOps. “Security as Code”, known as DevSecOps, can be built on the same type of cycle that is the foundation of DevOps, giving security practitioners a mechanism to integrate with DevOps. To operationalize, your goals should include:

  • Continuous Visibility: It starts with continuous visibility. All applications and infrastructure present an attack surface and carry a certain level of risk. It is the job of the security organization to identify, communicate, accept, and mitigate those risks. We cannot expect the DevOps team to monitor and measure security risks separately from the security team; instead, the security team should implement tools and techniques that provide continuous security visibility for all stakeholders. This corresponds directly to the piece of the DevSecOps manifesto that values 24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident.
  • Integrate Security into DevOps Practices: Once you have built the tools and processes that provide continuous visibility, you can integrate security as code into DevOps practices and add the output of DevSecOps to those practices. This activity should not focus solely on delivering security capabilities that integrate with the applications and infrastructure developed via DevOps: the security code and integration need to span the build, test, and release processes of your DevOps output. Overall, your integration with DevOps will line up with the aspect of the DevSecOps manifesto that values Open Contribution & Collaboration over Security-Only Requirements.
  • Automation and Continuous Validation: Every security team is short-handed, and relying on manual and reactive security processes as part of DevOps will not work; it runs counter to the purpose of DevOps because it would just be too slow. Fortunately, there are automation options for security controls and for validation of those controls, allowing organizations to achieve a true set of DevSecOps practices that maintain the same rapid pace as DevOps. This corresponds to the piece of the DevSecOps manifesto that values Consumable Security Services with APIs over Mandated Security Controls & Paperwork.

At AttackIQ, our FireDrill platform is being used to help operationalize and integrate security practices into DevOps. Our customers are leveraging automation and real-world scenarios to identify threats, validate the security posture of the security stack affected by their DevOps practices, and optimize that posture as they evolve. Please let me know if you’d like to learn more about how we can help you do the same.

Tags: Automation , DevOps , DevSecOps

About the Author

Brent Midwood is AttackIQ's Director of Product Management. Brent leads the Product Team and utilizes over 15 years of security experience to define and drive the product strategy at AttackIQ, delivering value to our customers by enabling them to enhance their security posture.