Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

Neglected Step Child: Security in DevOps

The use of microservices and containers like Docker have led to a revolution in DevOps. Providing the agility that business have long awaited, these new technologies also introduce inherent security implications that cannot be ignored at a time when the enterprise attack surface continues to grow wider. Let’s consider these risks and how organizations can minimize their exposure to them.

The use of microservices and containers like Docker have led to a revolution in DevOps. Providing the agility that business have long awaited, these new technologies also introduce inherent security implications that cannot be ignored at a time when the enterprise attack surface continues to grow wider. Let’s consider these risks and how organizations can minimize their exposure to them.

According to a recent report by 451 Research, nearly 45% of enterprises have either already implemented or plan to roll out microservices architectures or container-based applications over the next 12 months. This confirms the hype surrounding these emerging technologies, which are meant to simplify the life of application developers and DevOps teams. Microservices can break down larger applications into smaller, distinct services; whereby containers in this context are viewed as a natural compute platform for microservices architectures.

Microservices and containers enable faster application delivery and improved IT efficiency. However, the adoption of these technologies has outpaced security. A recent research study by Gartner (DevSecOps: How to Seamlessly Integrate Security into DevOps) shows that fewer than 20% of enterprise security teams have engaged with their DevOps groups to actively and systematically incorporate information security into their DevOps initiatives. For example, one of the key capabilities of these technologies – the ability to start up and power down almost instantly – has created a significant security challenge for enterprises and expanded their attack surface dramatically.

Unfortunately, DevOps security is often underrepresented for the following reasons:

• Most security professionals don’t know what containers are, let alone what their unique security challenges might be;

• Security is perceived as counterproductive to DevOps agility; and

• Today’s security infrastructure is still based on hardware designs, which often lag the concept of software-defined and programmable, therefore making it challenging to incorporate security controls into the DevOps workflows in an automated fashion.

While microservices and containers provide significant benefits, they also introduce unique new risks. As is usually the case with new technologies, microservices and containers were not inherently architected with security in mind. In most organizations, they are not yet covered under the enterprise security plan. Since they are likely already deployed somewhere within the organization, these technologies should be considered as part of the attack surface that needs to be protected.

Advertisement. Scroll to continue reading.

There are several steps that both information security and DevOps teams can take to minimize their attack surface in the context of these emerging technologies and development practices:

1. Provide DevOps teams with secure development best practices training to improve coding security.

2. Enforce version control best practices for all applications as well as for all scripts, templates, and tools used in DevOps environments.

3. Incorporate automated security vulnerability and configuration scanning for open source components and commercial packages, as many modern applications are often made up of vulnerable open-source components and frameworks.

4. Automatically scan container images prior to deployment. Since containers just “live” for a short period of time, security gaps might not be discovered in the monthly or quarterly security scans, thereby creating a blind spot as the vulnerabilities continue to exist.

5. Maintain standard configurations and container profiles to minimize the attack surface further.

Ultimately, organizations will continue to accelerate their use of microservices and containers to increase business efficiency and agility. However, security practitioners have to apply a more holistic approach and incorporate DevOps environments and processes into their cyber risk assessments. It’s about time that SecOps and DevOps team up.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem