What Is DevOps Security?

• IAM Glossary
• What Is DevOps Security?

DevOps security, also known as DevSecOps, is a conglomeration of the words development, operations and security. Both DevOps security and DevSecOps refer to a philosophy of integrating security into the software development lifecycle (SDLC) as early as possible, preferably before a single line of code is written.

What's the Difference Between DevOps and DevSecOps?

DevSecOps is an extension or enhancement to the DevOps philosophy. For this reason, it's important to understand what DevOps and DevSecOps have in common before discussing their differences.

Both DevOps and DevSecOps refer to a philosophy or approach to software development, not a particular tool or set of tools. Just as installing an issue-tracking system doesn't mean you're "doing DevOps," installing static or dynamic application security tools doesn't mean you're "doing DevSecOps."

DevOps and DevSecOps both emphasize collaboration, automation and active monitoring of software applications. The ability to capture application data in real-time is key to both philosophies, because "doing" DevOps and DevSecOps requires continuously capturing and analyzing this data to discover ways to enhance productivity and drive improvements.

Both philosophies also depend on collaboration, particularly eliminating organizational silos. DevOps seeks to break down silos between software development and IT operations, the idea being that when developers and IT personnel work together, software is released more quickly and with fewer errors. DevSecOps takes things a step further and seeks to give security operations a seat at the table. The idea behind DevSecOps is that when developers, IT personnel and security personnel work together, software is released more quickly, is of higher quality and is more secure.

"Doing" DevSecOps right means that applications are properly secured against risks before they're delivered to production. This practice is often called "shift left," because it refers to integrating security at the start of the project timeline – before a single line of code is written – instead of addressing it in later phases. In a DevSecOps environment, developers code with security in mind – something that DevOps, on its own, doesn't address.

By introducing practices such as code analysis, threat investigation and vulnerability assessment into the SDLC, with continuous testing and evaluation, DevSecOps ensures that the codebase is secure from inception. In addition to improving application security, DevSecOps enhances productivity. Finding and fixing security problems early on is much less time-consuming and costly than having to refactor code later in the software lifecycle.

DevOps Security Challenges

For all the benefits of DevSecOps, organizations can struggle to implement it properly. Let's examine some of the most common challenges to DevOps security.

• Too heavy a focus on tools, too light a focus on processes. As mentioned earlier in the article, both DevOps and DevSecOps are philosophies, not mandates to use particular software.

• Cultural resistance from developers, or "But we've always done it this way." Developers may not be accustomed to secure coding practices. Traditionally, developers coded for workability, and security flaws were discovered and patched later. Developers may fear that having to "worry" about security will slow production.

• Cultural resistance from security teams. Developers aren't the only ones who may cling to "the way it's always been done." DevOps teams focus on speed, modifying and pushing out code over hours or days – a rapid pace that can leave security teams askance. The difference is that DevOps teams automate as many processes as possible, while security teams often do a lot of their work manually.

• Inadequate secrets management. DevOps environments are highly complex and deeply interconnected. It's not unusual for DevOps shops to have hundreds of security groups and thousands of server instances, all of which utilize secrets such as privileged account credentials, SSH keys, API tokens, database passwords and more, all scattered throughout the organization's data environment in a condition known as "secrets sprawl." A simple misconfiguration can lead to one of these secrets being exposed – and the organization suffering a catastrophic cyber attack.

• Inadequate privileged access management. To speed production, many DevOps teams give their members virtually unlimited access to privileged accounts like root and admin. Even worse, multiple individuals may share the same set of credentials – a big security no-no, as well as a major issue during compliance audits, where organizations are expected to produce a clean audit trail. Additionally, orchestration, configuration management, and other DevOps tools may also have very high access levels, far more than the tool needs to operate.

DevOps Security Best Practices

Following are some best practices for implementing DevOps security in your organization.

• Remember that DevSecOps, like DevOps, is a mindset, not a set of tools. Instead of purchasing "DevSecOps tools" and figuring out where you want to use them, focus on your end goals, develop processes to achieve them, then purchase tools that support those processes and goals.
• Use proper change management methods to overcome cultural resistance from your developers and security personnel. Demonstrate to both teams that DevSecOps will save them time and make them more productive, not less. Establish clear coding standards for your developers, and automate security processes and tools as much as possible.
• Combat secrets sprawl with a tool such as Keeper Secrets Manager.
• Rein in excessive privilege rights and access levels with controls such as role-based access control (RBAC), least privilege access and just-in-time provisioning.
• Prevent privileged access abuse with session recording and auditing.