DevSecOps best practices for enterprises leveraging Kubernetes
Security can no longer afford to be at the end of the DevOps process. It needs to be integrated into every step of both development and operations to eliminate vulnerabilities before the application is shipped. In essence, DevOps needs to evolve into DevSecOps.
Would you be surprised if we told you that a whopping 92% of DevOps teams don’t catch all security vulnerabilities before moving the code to production? We are sure most of them are glad they found the vulnerability before someone else did. Because, good security teams know the quantum of risk opened up by even a small nagging loophole in their application.
This is especially true when enterprise application teams deploy more times and at faster rates than ever before. Legend has it that Amazon deploys once every second, while Netflix, Google and others deploy thousands of times each day. In fact, CapitalOne, the financial services corporation that you might see as a non-tech company deploys 50 times a day.
One of the key trends in technology that enables such rapid development is containerization. Kubernetes is powering several enterprise applications to the cloud. Combined with robust DevOps, enterprise application development is delivering greater speed and agility. This, however, isn’t entirely uncompromising.
Security has long been considered a speed breaker in the process — you’ll find several conversations around ‘sacrificing’ speed for security in the rapid application development space. As a result, we see that “vulnerabilities in container software have increased by 46% in the first half of 2019 compared to the same period in 2018, and by 240% compared to the two years ago figures.”
At this rate, security can no longer afford to be at the end of the DevOps process. It needs to be integrated into every step of both development and operations to eliminate vulnerabilities before the application is shipped. In essence, DevOps needs to evolve into DevSecOps.
What is DevSecOps?
If DevOps is about breaking the silos between development and operations, DevSecOps is doing the same for DevOps and security. DevSecOps brings security into the software development lifecycle, to eliminate vulnerabilities as soon as possible.
DevSecOps is underlined by four key factors:
- Thinking about security right from the start.
- Integrating security procedures within the DevOps processes.
- Building observability and auditability into your development lifecycle.
- Automating security tasks everywhere possible.
Let’s look at them one by one.
Security from the start
How many infosec engineers do you have in your application team? Now, what’s the ratio of infosec engineers to developers and operators? Chances are, you don’t have enough infosec engineers. And this is very common. By shifting security left, DevSecOps makes security the collective responsibility of your application teams, instead of the lonely infosec professional at the deployment bottle’s neck. Here are a few ways in which you can include security from the start.
- Bring the security teams to the DevOps table. Encourage them to share insights and feedback on known threats freely.
- Train your development teams in secure coding, to eliminate common and repetitive mistakes, even before they appear.
- Address security concerns as they appear, not after you’ve been attacked or your application compromised.
- Repeatedly review all devices and tools to ensure they are compliant with your security policies.
Security with process-driven DevOps
Even the best-intentioned developers might lose track of the security needs of the application, in the hustle of developing working software at great speeds. To make security non-negotiable, you need clear processes, standardization and regular checkpoints. Here are some ways to begin setting it up.
- Conduct a thorough risk-benefit analysis to gauge your risk tolerance and understand your security posture.
- Build unambiguous processes for security functions like access management, secrets management, firewall, vulnerability scanning etc. and put them into practice.
- Implement version control processes for your application code as well as any infra as code or platform as code in your system.
- Consider immutable infrastructure, if you’re using a mutable system.
Security through observability and auditability
We discussed already that to successfully adopt DevSecOps, the security teams must move left. But taking responsibility goes beyond writing security-aware code. Development and operations teams must build a system of monitoring and auditability throughout the application development lifecycle, across multi-cloud deployments. Here are some ways you can achieve that.
- Build a network of ‘security champions’ — who are security-minded members of non-security teams — throughout your enterprise. In essence, get more infosec engineers without actually adding more people to your teams.
- Bring monitoring and observability to the service level. Set up monitoring for containers, clusters, and pods.
- Set up artifact level metadata to identify container image, libraries used, repository information, commit info etc.
- Have real-time visibility over config changes.
- Automate alerts for compliance and security-related issues.
Security by automation
If we have to pick one key benefit of Kubernetes, it has to be scale. K8s has enabled application deployment at never-seen-before scale, even across complex multi-cloud or hybrid environments. But implementing security check-points manually at this scale is practically impossible. Which is why including automation to your DevSecOps process is critical.
- Automate infrastructure provisioning.
- Integrate scanning into your CI/CD pipeline and ensure all container images are secure before the production push.
- Isolate container registries, and control its access.
- Embed automated code-review and security testing with security static and dynamic analysis tools.
- Update security patches automatically.
In 2020, it would be utterly foolhardy to ignore security in your enterprise application development. The stakes are high and the consequences — financial, reputational and compliance — could be significant. It would be just as risky to rest security in the hands of a few experts. What enterprises need is a perfect combination of strategic inclusion of security into DevOps processes, end-to-end monitoring and audits, and thoughtful automation of security tasks. Another efficient approach to go about it would be to find a deployment automation platform that can also offer security management capabilities.