DevOps Security: Secrets from the Trenches

July 30, 2020 / By / Cybersecurity
Like a castle, DevOps security is meant to secure your development.

Image source: Pexels

Software development is occurring faster and deployment is becoming more complex every day, and security vulnerabilities and threats are mirroring this process. This means that security can no longer be treated as an add-on if you want to ensure that your applications are reliable and that you and your customers’ data is protected. It is because of this fact that spriteCloud have launched its security and penetration testing services.

If you’re not so familiar with the cybersecurity concerns of DevOps of software development, learn about some basic concepts of cybersecurity, like penetration testing and vunerability scanning.

How Is DevOps Security Different?

In traditional workflows, teams are siloed, with each responsible for their tasks alone and security is often the last team that sees or gets a say in a product before it is put into production. Unsurprisingly, this makes for a slow process in which work often has to be revised or even completely redone.  DevOps, in comparison, focuses on speed and requires communication between teams throughout the SDLC. Agile methodologies are typically used with strict, brief timelines for work and use of Continuous Integration/Continuous Deployment (CI/CD). This can work well and the increased emphasis on shared communication and responsibility can be a great way of including security processes early on. Unfortunately, often security teams are still relegated to the end of the process, where their input is less effective, and demands for speedy release can mean that security issues are pushed through without being properly addressed.

Tips to Consider

To avoid security issues slipping by and ensure a secure application, consider implementing the following tips. These apply to any DevOps team and are a good place to begin examining your existing practices. 

Shift Security Left

As mentioned, DevOps already requires increased communication, and overlap of knowledge and roles, which can be leveraged to include security teams into the mix as a DevSecOps team. By including security earlier in the SDLC, you can significantly reduce the number of revisions and patches that an application requires by identifying issues sooner or eliminating them before they arise.  When security members better understand the needs of development and operations, they can more easily incorporate security tools and protocols unobtrusively or track dependencies and vulnerabilities to simplify post-deployment support. 

Automate Security Testing

Most DevOps teams are already using a variety of automation tools to reduce manual labour and increase consistency; the same can be done with security. There are a wide variety of tools available for including security in development and operations processes, some of which can be grouped as SAST, DAST or RASP tools. Free open-source tools like ZAProxy can help automate the process and they are supported by our DevOps tool for monitoring test results.
  • Static Application Security Testing (SAST)—inspect source code and provide feedback on vulnerabilities. These can point directly to problem code lines and can quickly evaluate entire codebases.
  • Dynamic Application Security Testing (DAST)—test applications in operation and provide feedback on compliance and security issues. They evaluate security issues from the outside and consider the interactions between application and environment.
  • Runtime Application Self Protection (RASP)—integrate into applications to analyze traffic and end-user behaviour during runtime. They offer code-level visibility and can alert or respond to security issues automatically. 
Tools available for the automatic tracking and checking of dependencies and known vulnerabilities, particularly in open-source code, can be used as well. The Open Web Application Security Project (OWASP), for example, has created several utilities and guides for this, some of which are often incorporated into third-applications. spriteCloud offers vulnerability scanning and penetration testing from OWASP trained ethical hackers. Integrated Development Environments (IDEs) that check code in real-time or with easily initiated scans can help developers learn secure practices as they work and identify risks for you rather than relying on manual reviews. 

Practice Secure Coding

Coding securely from the start greatly increases application security. It is especially important to follow secure coding practices when using open source software, which is the lifeblood of DevOps. More goes into secure coding than can be covered here but the biggest takeaways are: 
  • Be mindful of language vulnerabilities—every language has certain flaws that can be exploited but if you know them ahead of time, you can work around them. For example, low-level languages are vulnerable to buffer overflow while data processing flaws in higher-level languages can be exploited through code injection.
  • Build in encryption and authentication from existing librariessecure encryption and authentication are some of the most difficult tasks to master but plenty of good tools already exist for these purposes. Unless you are a security expert, you are unlikely to create more secure options in the amount of time your project allows.
  • Reduce dependencies—the more dependencies you have, the more vulnerable your application and the harder it is to secure. Learn from the left-pad chaos and only include libraries for things you cannot easily write yourself; there is no reason to import all of the issues that might come from a library for a single line of code.
  • Sanitize inputs and outputs—this can eliminate tampering with your application from the outside and prevents attackers from gaining exploitable information from error messages or other alerts. Running inputs against a regex to check for invalid characters and parameterizing them can prevent outsiders from gaining access to your data or source code. 

Use Secure Architecture

Developing and deploying with secure architecture in mind can have a significant impact. Although they aren’t perfect, containerized microservices can grant you the freedom to implement functionality as you want while protecting your applications and systems from single points of failure and restricting the lateral movements of would-be attackers. Using segmentation and principles of least privilege, you can build in restrictions that allow users access to only those parts of an application or system which they need.  Careful creation of test environments is equally important as applications undergoing testing can be uniquely vulnerable. You should make sure that your test environments are only accessible to those currently using them and that they do not contain actual customer data since many test environments are not granted the same security measures that live applications receive. 

Conclusion

Security can be a pain to address, making it tempting to avoid or put off entirely but this is not a workable strategy. Modern businesses suffer huge losses when their security is breached and customers are increasingly demanding that their information be protected.  Rather than having to go back and correct issues or release an endless stream of patches, it makes sense to grant a little more attention to security upfront. The tips covered here can get you started and hopefully grant you the peace of mind that your applications are as secure as possible. If you already find yourself with applications that you feel could be more secure or you want to know what vulnerabilities are currently exploitable, contact us to talk about performing a vulnerability scan or penetration testing to secure your site.

Author: spriteCloud

This is the spriteCloud company author. We use this profile when posting general company-related things and as a catch-all for posts that were written by former colleagues.

Read more articles by spriteCloud

We’re spriteCloud, a leader in software and cybersecurity testing.

Aside from interesting articles, we also have a team of software testers that can help your organisation.

Have a look at our testing solutions.

Cybersecurity
Test Automation
Functional Testing
Performance Testing
Contract/Placement

Stay up-to-date on all things quality assurance, test automation, and cybersecurity.

Subscribe to our mailing list!