The growing demand for faster software delivery, using public cloud environments, microservices, and containers, has triggered a discussion on the role of security in the world of DevOps.
At this year’s DevOps Connect at RSA Conference 2018, nearly 1,200 security professionals gathered to explore ways to embed security into the development pipeline. With adoption rates in the enterprise ecosystem reaching a whopping 81%, DevOps has become a tempting target for cyber adversaries. The hijacking of Tesla’s cloud-based DevOps platform is just one example that illustrates why these environments must be incorporated into the overall security strategy to cover an ever-expanding attack surface.
Microservices and containers enable faster application delivery and improved IT efficiency. However, the adoption of these technologies has outpaced security. A research study by Gartner (DevSecOps: How to Seamlessly Integrate Security into DevOps) shows that fewer than 20% of enterprise security teams have engaged with their DevOps groups to actively and systematically incorporate information security into their DevOps initiatives. For example, one of the key capabilities of these technologies – the ability to start up and power down almost instantly – has created a significant security challenge for enterprises.
Unfortunately, DevOps security ― or DevSecOps as it is now called ― is often underrepresented for the following reasons:
● Most security professionals are not familiar with the commonly used tools in the DevOps pipeline, especially their interoperability and automation capabilities;
● Most security professionals don’t know what containers are, let alone what their unique security challenges might be;
● Security is perceived as counterproductive to DevOps agility; and
● Today’s security infrastructure is still based on hardware designs, which often lag behind software-defined, programmable approaches; this makes it challenging to incorporate security controls into the DevOps pipeline in an automated fashion.
While microservices and containers provide significant benefits, they also introduce unique new risks. As is usually the case with emerging technologies, microservices and containers were not inherently architected with security in mind. In most organizations, they are not yet covered under the enterprise security plan. Since they are likely already deployed somewhere within the organization, these technologies should be considered as part of the attack surface that needs to be protected.
There are several steps that both information security and DevOps teams can take to minimize their attack surface in the context of these technologies and development practices:
1. Hardening of the container: The underlying OS needs to be secured to prevent container breaches from affecting the host. For this, Linux provides several out-of-the-box security modules.
2. Securing the DevOps pipeline: Apply privileged access management practices across the entire DevOps pipeline to ensure that only authorized users gain access to the environment and to limit lateral movement by bad actors.
3. Vulnerability scanning: Conduct deep scanning of container images for vulnerabilities before run time.
4. Continuous monitoring of container images: Prevent exploits and breakouts by detecting root privilege escalations, port scans, reverse shells, and other suspect activity in containers and hosts during run time.
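As an added illustration of the hardening step (this example is not part of the original article), the following check audits container settings for disabled Linux security modules and other weak isolation. It assumes Docker as the runtime and the JSON that `docker inspect` emits; the sample data and the list of risky capabilities are constructed for the example.

```python
import json

# Constructed sample shaped like `docker inspect` output; not real data.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/legacy-api", "AppArmorProfile": "unconfined", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "PidMode": "host", "CapAdd": ["SYS_ADMIN"],
                 "SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": false}},
 {"Name": "/web", "AppArmorProfile": "docker-default", "Config": {"User": "10001"},
  "HostConfig": {"Privileged": false, "PidMode": "", "CapAdd": null,
                 "SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": true}}
]""")

# Capabilities treated as high risk for host isolation (assumed list, adjust to policy).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}

def audit_container(c):
    """Return hardening findings for one inspected container."""
    host = c.get("HostConfig") or {}
    # Docker accepts both "key=value" and the older "key:value" spelling.
    opts = [o.replace(":", "=") for o in (host.get("SecurityOpt") or [])]
    caps = {x.upper().replace("CAP_", "") for x in (host.get("CapAdd") or [])}
    user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, no seccomp/LSM confinement")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp filter disabled")
    if c.get("AppArmorProfile") == "unconfined" or "apparmor=unconfined" in opts:
        findings.append("AppArmor unconfined")
    if "label=disable" in opts:
        findings.append("SELinux labeling disabled")
    if caps & RISKY_CAPS:
        findings.append("risky capabilities added: " + ", ".join(sorted(caps & RISKY_CAPS)))
    if host.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if user in ("", "0", "root"):
        findings.append("runs as root (no non-root user configured)")
    if not any(o.startswith("no-new-privileges") and not o.endswith("=false") for o in opts):
        findings.append("no-new-privileges not set")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    return findings

def audit(inspect_output):
    """Map container name -> findings for a parsed `docker inspect` list."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in inspect_output}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

Run against live containers by feeding it the parsed output of `docker inspect` for the container IDs of interest; the same check can gate a deployment or run periodically as part of monitoring.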
Ultimately, organizations will continue to accelerate their use of microservices and containers to increase business efficiency and agility. In turn, cyber adversaries will look to exploit this attack surface for their own purposes. To protect this new layer in the IT stack, DevOps should work with information security teams to implement best practices early in the application development process.

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
