DevOps security best practices span code creation to compliance
Developers and operations staff who split security responsibilities as part of a DevOps workflow should apply these best practices to ensure no vulnerability goes unnoticed.
DevOps practices have shed new light on the security issues that span application design through deployment. Developers and operations staff must collaborate to deliver each software iteration with the necessary design, testing, tools and infrastructure to protect against malicious activity and maintain compliance.
Whether you're a developer or a dedicated IT security professional, it's critical to understand and apply DevOps security best practices.
Security skills spread across the DevOps pipeline
Software bugs, poor design practices, malicious hacks, and weak or inconsistent hardware configurations have all conspired to plague enterprise applications since the digital age's inception. But security has largely been treated as an afterthought, or as a separate component from software and its operational infrastructure. A security team would detect a problem, analyze the cause and address the issue with a remediation, such as a system configuration change or software patch.
As software development velocity increases with the adoption of continuous approaches, such as Agile and DevOps, traditional security measures struggle to keep pace. DevOps enables quicker software creation and deployment, but flaws and vulnerabilities proliferate much faster. As a result, organizations must systematically change their approaches to integrate security throughout the DevOps pipeline.
To get started, apply DevOps security best practices to these five key areas:
Code creation. Software security often starts with the codebase. Developers grapple with countless oversights and vulnerabilities, including buffer overflows; authorization bypasses, such as not requiring passwords for critical functions; overlooked hardware vulnerabilities, such as Spectre and Meltdown; and ignored network vulnerabilities, such as OS command or SQL injection.
The emergence of APIs for software integration and extensibility opens the door to security vulnerabilities, such as lax authentication and data loss from unencrypted data sniffing. Developers' responsibilities increasingly include security awareness: They must use security best practices to write hardened code from the start and spot potential security weaknesses in others' code.
Code testing. Security is an important part of build testing within the DevOps workflow, so developers should deploy additional tools and services to analyze and evaluate the security posture of each new build. Use certain tool suites, such as Veracode, GauntIT and Mittn, to find and fix security flaws in binaries, or to perform detailed penetration testing to test a build for vulnerabilities. Fix any exposed vulnerabilities in subsequent iterations before deployment.
IT infrastructure. Operations traditionally bears the greatest IT security responsibility. But because DevOps integrates development and operations -- and more developers independently deploy builds to the IT infrastructure -- reconsider infrastructure's role in workload security.
In line with DevOps security best practices, operations teams need to carefully and consistently configure and provision every server, switch or other device within the infrastructure to prevent issues. For example, consider the potential risk of an enterprise server that overlooks a simple security practice and uses a default administrative password. Document and log configuration changes, and subject them to security audits. While these are commonly systems management and change management tasks, they will be critical in a DevOps delivery and deployment workflow.
Everyday operations. Security concerns persist when a build goes live on an enterprise server. That software serves the business and is the possible target of countless external and internal threats. Some organizations maintain a supplemental security team that uses varied threat detection and mitigation tools to supervise workloads and infrastructure. This team monitors workload and network performance metrics, checks for network anomalies or intrusions, and analyzes application and server logs. While IT security staff typically handles these responsibilities, developers receive monitoring results.
Corporate compliance. Software and infrastructure flaws that compromise workload security or availability also jeopardize corporate compliance. If a workload and its environment lack proper security, the business might violate agreements -- even if no malicious act or loss occurs -- and risk fines or litigation. Therefore, DevOps teams must interact with application stakeholders and business leaders to ensure workloads meet regulatory or industry compliance requirements.
Training and education
Knowledge is the best way to prevent IT security problems, so DevOps teams should receive formal and informal security training. Staff can pursue comprehensive certifications, such as CompTIA Security+ or the ISO 27001 certification in information security management systems.
Developers and operations staff should also create and maintain concrete DevOps security best practices and policies for the organization. This is critical in environments where a high degree of automation orchestrates workflows and provisions resources.
Editor's note: Knowledge of DevOps security best practices can help IT operations professionals advance their careers. Get even further ahead of the game with these sample DevSecOps interview questions.
Ways to practice good governance in a DevOps setting
The role of DevOps practices in application design