
Neglected Step Child: Security in DevOps

The use of microservices and containers such as Docker has led to a revolution in DevOps. While they provide the agility that businesses have long awaited, these new technologies also introduce inherent security implications that cannot be ignored at a time when the enterprise attack surface continues to grow wider. Let’s consider these risks and how organizations can minimize their exposure to them.

According to a recent report by 451 Research, nearly 45% of enterprises have either already implemented or plan to roll out microservices architectures or container-based applications over the next 12 months. This confirms the hype surrounding these emerging technologies, which are meant to simplify the life of application developers and DevOps teams. Microservices break larger applications down into smaller, distinct services, and containers in this context are viewed as a natural compute platform for microservices architectures.

Microservices and containers enable faster application delivery and improved IT efficiency. However, the adoption of these technologies has outpaced security. A recent research study by Gartner (DevSecOps: How to Seamlessly Integrate Security into DevOps) shows that fewer than 20% of enterprise security teams have engaged with their DevOps groups to actively and systematically incorporate information security into their DevOps initiatives. For example, one of the key capabilities of these technologies – the ability to start up and power down almost instantly – has created a significant security challenge for enterprises and expanded their attack surface dramatically.

Unfortunately, DevOps security is often underrepresented for the following reasons:

• Most security professionals don’t know what containers are, let alone what their unique security challenges might be;

• Security is perceived as counterproductive to DevOps agility; and

• Today’s security infrastructure is still based on hardware designs, which often lag behind software-defined, programmable approaches, making it challenging to incorporate security controls into DevOps workflows in an automated fashion.

While microservices and containers provide significant benefits, they also introduce unique new risks. As is usually the case with new technologies, microservices and containers were not inherently architected with security in mind. In most organizations, they are not yet covered under the enterprise security plan. Since they are likely already deployed somewhere within the organization, these technologies should be considered as part of the attack surface that needs to be protected.

There are several steps that both information security and DevOps teams can take to minimize their attack surface in the context of these emerging technologies and development practices:

1. Provide DevOps teams with secure development best practices training to improve coding security.

2. Enforce version control best practices for all applications as well as for all scripts, templates, and tools used in DevOps environments.

3. Incorporate automated security vulnerability and configuration scanning for open-source components and commercial packages, since many modern applications are made up of vulnerable open-source components and frameworks.

4. Automatically scan container images prior to deployment. Since containers just “live” for a short period of time, security gaps might not be discovered in the monthly or quarterly security scans, thereby creating a blind spot as the vulnerabilities continue to exist.

5. Maintain standard configurations and container profiles to minimize the attack surface further.
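Steps 4 and 5 can be enforced together as a gate in the deployment pipeline, so that every container is checked at launch instead of waiting for a periodic scan. The sketch below is an added example, not part of the original article: the field names follow `docker inspect` output, while the baseline policy, the scan report layout, and all sample data are assumptions constructed for illustration.

```python
"""Deploy-time gate: baseline profile check plus image scan findings.
Field names follow `docker inspect`; policy and sample data are constructed."""
BLOCKED_SEVERITIES = {"CRITICAL", "HIGH"}   # assumed policy threshold
ALLOWED_CAP_ADD = set()                     # assumed: no added capabilities

def profile_violations(inspect):
    """Return deviations from the baseline for one container record."""
    cfg, host = inspect.get("Config", {}), inspect.get("HostConfig", {})
    out = []
    if host.get("Privileged"):
        out.append("privileged mode enabled")
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        out.append("runs as root")
    if not host.get("ReadonlyRootfs"):
        out.append("root filesystem is writable")
    extra = set(host.get("CapAdd") or []) - ALLOWED_CAP_ADD
    if extra:
        out.append("extra capabilities: " + ", ".join(sorted(extra)))
    if "host" in (host.get("NetworkMode"), host.get("PidMode")):
        out.append("shares a host namespace")
    if "@sha256:" not in cfg.get("Image", ""):
        out.append("image not pinned by digest")
    return out

def scan_violations(findings):
    """Return blocking findings from a scan report (id/severity dicts)."""
    return [f"{f['id']} ({f['severity']})" for f in findings
            if f["severity"].upper() in BLOCKED_SEVERITIES]

def gate(inspect, findings):
    """Return (allowed, reasons); deploy only when reasons is empty."""
    reasons = profile_violations(inspect) + scan_violations(findings)
    return (not reasons, reasons)

# Constructed sample input (not real containers or real findings).
RISKY = {"Config": {"User": "", "Image": "registry.example/app:latest"},
         "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                        "CapAdd": ["SYS_ADMIN"], "NetworkMode": "host"}}
HARDENED = {"Config": {"User": "10001:10001",
                       "Image": "registry.example/app@sha256:" + "0" * 64},
            "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                           "CapAdd": None, "NetworkMode": "bridge"}}
FINDINGS = [{"id": "EXAMPLE-0001", "severity": "High"},
            {"id": "EXAMPLE-0002", "severity": "Low"}]

if __name__ == "__main__":
    for name, spec in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, gate(spec, FINDINGS))
```

Pinning the image by digest matters here because it ties the container that runs to the exact image that was scanned.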

Ultimately, organizations will continue to accelerate their use of microservices and containers to increase business efficiency and agility. However, security practitioners have to apply a more holistic approach and incorporate DevOps environments and processes into their cyber risk assessments. It’s about time that SecOps and DevOps team up.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).