14 December 2018
How to Address the DevOps Information Security Challenge
In Connect-World, Yuri Gubin, Vice President of Cloud Solutions at DataArt, discusses the concept of DevSecOps, which integrates security practices into the DevOps process. He identifies six security challenges that surface during the implementation process of DevOps and proposes ways to address them.
“Problems that arise from rapid growth and disconnected workflows within security functions can be addressed by implementing a DevSecOps model. This model embraces the principle that everyone in the development lifecycle is responsible for security. DevSecOps complements the fundamental concept of DevOps by applying automation to core controls and processes early in the workflow, which reduces the chance of the types of misadministration and mistakes that often lead to security issues down the line.
Leaving security out of the picture is not sustainable and, contrary to the view of some, security monitoring is not a barrier to innovation and rapid growth. It should be a goal of DevOps to automate security processes rather than be in conflict with them. Instead of automated tests to cover functionality, IT teams must adopt automated tools for auditing and automated security testing before production so that security is pushed into earlier stages of a release pipeline and back to planning.
The 'Wow effect' features of certain tools should never be the sole, or even the primary, factor considered when selecting technology. Comprehensive prototyping and proper evaluation of technology must be actioned before onboarding and implementation of automation. Each prototype should address certain requirements or concerns. In addition, the security capabilities should be validated along with scalability, performance and functionality.
Strongly enforce the rule and culture that security must not be violated, no matter what happens. It is of paramount concern not to expose applications and databases to public access by lifting firewall rules and hardcoding credentials, merely to make things work in “just this one instance”. Make sure the seriousness of the inevitable ramifications down the line that would result is drilled into everyone.
DevOps should be designed to include blueprints of network topologies, firewalls and cloud environment, artefacts and configuration management. The design should account for security objectives and disaster recovery strategy.”
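The two shortcuts Gubin singles out (firewall rules lifted to make something work and credentials hardcoded into configuration) are exactly what an automated pre-production audit can catch. The following is an added illustration, not code from the article or from DataArt: a small gate that inspects a constructed blueprint (the `firewall_rules` and `config` layout, the port list and the secret-reference syntax are all assumptions for the example) and reports findings so a release pipeline can fail before deployment.

```python
"""Pre-production audit gate for an infrastructure blueprint (added example).

Checks a blueprint for two of the shortcuts the article warns about:
firewall rules opened to the whole internet in front of a database port,
and credentials hardcoded in configuration instead of referenced from a
secret store. The blueprint format below is an assumption for this example.
"""
import ipaddress
import re

# Ports that should never be reachable from the public internet (assumed list).
DB_PORTS = {3306, 5432, 1433, 27017, 6379}
SECRET_KEY_RE = re.compile(r"(password|secret|api_key|token)", re.IGNORECASE)
# Values like ${VAR} or ref:vault/path are references to a secret store, not literals.
REFERENCE_RE = re.compile(r"^(\$\{[A-Z0-9_]+\}|ref:[\w/.-]+)$")


def is_public_cidr(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_blueprint(blueprint: dict) -> list[str]:
    """Return one finding per violation; an empty list means the gate passes."""
    findings = []
    for rule in blueprint.get("firewall_rules", []):
        if rule.get("direction", "ingress") != "ingress":
            continue  # egress rules are out of scope for this check
        if rule["port"] in DB_PORTS and any(is_public_cidr(c) for c in rule["sources"]):
            findings.append(f"{rule['name']}: database port {rule['port']} open to the internet")
    for service, settings in blueprint.get("config", {}).items():
        for key, value in settings.items():
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and not REFERENCE_RE.match(value):
                findings.append(f"{service}.{key}: hardcoded credential, use a secret reference")
    return findings


# Constructed sample blueprint: one acceptable public rule, one "just this once" shortcut,
# one hardcoded password and one correctly referenced secret.
SAMPLE_BLUEPRINT = {
    "firewall_rules": [
        {"name": "web-https", "port": 443, "sources": ["0.0.0.0/0"]},
        {"name": "db-postgres", "port": 5432, "sources": ["0.0.0.0/0"]},
    ],
    "config": {
        "api": {"db_password": "hunter2", "db_host": "db.internal"},
        "worker": {"db_password": "${DB_PASSWORD}"},
    },
}

if __name__ == "__main__":
    for finding in audit_blueprint(SAMPLE_BLUEPRINT):
        print("FAIL", finding)
```

Run as a pipeline step and treat a non-empty result as a blocking failure, so the shortcut is caught at the planning or build stage rather than after deployment.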