
Best Practices in Securing DevOps

The growing demand for faster software delivery, using public cloud environments, microservices, and containers, has triggered a discussion on the role of security in the world of DevOps.


At this year’s DevOps Connect at RSA Conference 2018, nearly 1,200 security professionals gathered to explore ways for embedding security into the development pipeline. With adoption rates in the enterprise ecosystem reaching a whopping 81%, DevOps has become a tempting target for cyber adversaries. The hijacking of Tesla’s cloud-based DevOps platform is just one example that illustrates why these environments must be incorporated into the overall security strategy to cover an ever-expanding attack surface. 

Microservices and containers enable faster application delivery and improved IT efficiency. However, the adoption of these technologies has outpaced security. A research study by Gartner (DevSecOps: How to Seamlessly Integrate Security into DevOps) shows that fewer than 20% of enterprise security teams have engaged with their DevOps groups to actively and systematically incorporate information security into their DevOps initiatives. For example, one of the key capabilities of these technologies – the ability to start up and power down almost instantly – has created a significant security challenge for enterprises.

Unfortunately, DevOps security ― or DevSecOps as it is now called ― is often underrepresented for the following reasons:

- Most security professionals are not familiar with the tools commonly used in the DevOps pipeline, especially their interoperability and automation capabilities;

- Most security professionals don’t know what containers are, let alone what their unique security challenges might be;

- Security is perceived as counterproductive to DevOps agility; and

- Today’s security infrastructure is still largely built on hardware appliances, which lag behind the software-defined, programmable model that DevOps relies on, making it hard to incorporate security controls into the pipeline in an automated fashion.

While microservices and containers provide significant benefits, they also introduce unique new risks. As is usually the case with emerging technologies, microservices and containers were not inherently architected with security in mind. In most organizations, they are not yet covered under the enterprise security plan. Since they are likely already deployed somewhere within the organization, these technologies should be considered as part of the attack surface that needs to be protected.

There are several steps that both information security and DevOps teams can take to minimize their attack surface in the context of these technologies and development practices:

1. Hardening of the container: The underlying OS needs to be secured to prevent container breaches from affecting the host. For this, Linux provides several out-of-the-box security modules.

2. Securing the DevOps pipeline: Apply privileged access management practices across the entire DevOps pipeline to assure that only authorized users gain access to the environment and limit lateral movement by bad actors.

3. Vulnerability scanning: Conduct deep scanning of container images for vulnerabilities before run time.

4. Continuous monitoring of container images: Prevent exploits and breakouts by detecting root privilege escalations, port scans, reverse shells, and other suspect activity in containers and hosts during run time. 
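Step 4 names three runtime behaviours worth alerting on: a process in a container gaining root, a container sweeping many ports on one host, and a shell whose input and output are wired to a network socket. The following example, added here and not taken from the article or from any monitoring product, shows how simple rules for all three can be run over a stream of container runtime events. The event schema (one JSON object per line with `ts`, `container`, `event` and event-specific fields) and the sample log lines are constructed for the example; a real sensor would emit its own format.

```python
import json
from collections import defaultdict

# Shell binaries whose stdin/stdout should not be a socket inside a container.
SHELLS = {"sh", "bash", "dash", "ash", "zsh"}

# Constructed sample events (assumed schema, not any product's output):
# a benign app start and DB connection, then a uid 1000 -> 0 transition,
# an interactive shell attached to a socket, and a 25-port sweep in 3 seconds.
SAMPLE_LOG = "\n".join([
    '{"ts": 100, "container": "api-1", "event": "exec", "comm": "node", '
    '"args": ["node", "server.js"], "stdin": "pipe", "stdout": "pipe"}',
    '{"ts": 101, "container": "api-1", "event": "connect", "dst": "10.0.0.5", "dport": 5432}',
    '{"ts": 110, "container": "api-1", "event": "setuid", "comm": "bash", '
    '"uid_before": 1000, "uid_after": 0}',
    '{"ts": 120, "container": "worker-2", "event": "exec", "comm": "sh", '
    '"args": ["sh", "-i"], "stdin": "socket", "stdout": "socket"}',
] + [
    f'{{"ts": {130 + i // 10}, "container": "worker-2", "event": "connect", '
    f'"dst": "10.0.0.9", "dport": {8000 + i}}}'
    for i in range(25)
])


def parse_events(log_text):
    """Parse one JSON object per line; skip blank or malformed lines instead of failing."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_priv_escalation(events):
    """A process moving from a non-root uid to uid 0 inside the container."""
    return [
        (e["container"], e.get("comm", "?"))
        for e in events
        if e.get("event") == "setuid"
        and e.get("uid_before", 0) != 0
        and e.get("uid_after") == 0
    ]


def detect_reverse_shells(events):
    """A shell whose stdin or stdout is a socket: the shape of a reverse shell."""
    return [
        (e["container"], e.get("comm"))
        for e in events
        if e.get("event") == "exec"
        and e.get("comm") in SHELLS
        and "socket" in (e.get("stdin"), e.get("stdout"))
    ]


def detect_port_scans(events, window=10, threshold=20):
    """Flag (container, dst) pairs touching >= threshold distinct ports within `window` seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e.get("event") == "connect":
            by_pair[(e["container"], e["dst"])].append((e["ts"], e["dport"]))
    hits = []
    for (container, dst), conns in by_pair.items():
        conns.sort()  # sliding window over time-ordered connections
        for i in range(len(conns)):
            start = conns[i][0]
            ports = {p for t, p in conns[i:] if t - start <= window}
            if len(ports) >= threshold:
                hits.append((container, dst, len(ports)))
                break  # one alert per pair is enough
    return hits


def run_detections(log_text):
    """Run all three rules and return alerts grouped by rule name."""
    events = parse_events(log_text)
    return {
        "priv_escalation": detect_priv_escalation(events),
        "reverse_shell": detect_reverse_shells(events),
        "port_scan": detect_port_scans(events),
    }


if __name__ == "__main__":
    for rule, alerts in run_detections(SAMPLE_LOG).items():
        print(f"{rule}: {alerts}")
```

The thresholds (20 distinct ports in 10 seconds) are illustrative; in practice they are tuned against the normal connection profile of each workload so that service discovery or health checks do not trip the port-scan rule, and the setuid rule is scoped to exclude legitimate entrypoint scripts that drop privileges rather than gain them.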

Ultimately, organizations will continue to accelerate their use of microservices and containers to increase business efficiency and agility. In turn, cyber adversaries will look to exploit this attack surface for their own purposes. To protect this new layer in the IT stack, DevOps should work with information security teams to implement best practices early in the application development process.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
