What is DevSecOps?
As enterprises prioritize application modernization, they’re moving rapidly to adopt containers and cloud native practices, both of which require a new approach to security. DevSecOps can be defined as an advanced approach to security that simplifies and automates container operations across clouds, integrates security throughout the container lifecycle, and enables teams to deliver secure, high-quality software to customers more quickly.
What is the relationship between DevOps and DevSecOps?
The DevOps movement unites software development and operations teams. DevSecOps—shorthand for development, security, and operations—is an evolution in the DevOps mindset that further elevates the importance of security. DevSecOps engineering weaves security into every aspect of the software development lifecycle (SDLC), automating security policy compliance and streamlining threat response and remediation.
Security and the DevSecOps pipeline
Application modernization utilizes containers and microservices as part of a holistic DevOps practice. A simple definition of DevSecOps is integration of security into every phase of the DevOps pipeline, including initial design through building, testing, deployment, and Day 2 operations.
DevSecOps: More than a buzzword
When a team adopts DevSecOps practices, security is engineered into every aspect of software development, bringing together development, operations, and security professionals. By involving teams from different parts of the SDLC, DevSecOps enhances your security posture, while streamlining the path to production and accelerating the delivery of modern applications.
Benefits of DevSecOps
Security can often pose a challenge to the rapid release cycles typical of DevOps. DevSecOps has emerged as a unifying approach for enterprises, redefining security requirements within the context of the cloud native ecosystem and aligning the goals of DevOps and security teams. DevSecOps engineering brings with it specific benefits:
- ◼ Accelerating software delivery. Shift security earlier in your development and delivery pipeline, automate security processes, and streamline reporting to security and compliance teams, ensuring that security doesn’t become a bottleneck.
- ◼ Limiting security vulnerabilities. Automatically identify, manage, and patch common vulnerabilities and exposures (CVE), including scanning any prebuilt container images in the build pipeline for CVEs.
- ◼ Enhancing your security posture. Introduce security measures throughout the application lifecycle to ensure code is secure and that teams can remediate quickly when vulnerabilities are discovered.
- ◼ Ensuring the security of cloud native processes. Automate testing of containers, microservices, and the continuous integration and continuous delivery (CI/CD) pipeline.
DevSecOps and agile development
A CI/CD pipeline brings agility and automation to modern application development. DevSecOps engineering integrates active security checkpoints, testing, and container audits into the agile development process.
Ensuring security for containerized infrastructure and applications comes with a few requirements:
- ◼ Development environment. Many programming language frameworks make adopting recommended security practices and patterns easier for developers. Using these frameworks will help development teams create secure applications by default.
- ◼ Automated container packaging. Automating the process of building containers, closely tracking container contents, and automatically rebuilding whenever updates occur to a container’s components can help ensure security.
- ◼ Container image registry. Create a single, private container registry for approved container images and base OS images and only allow container images that come from approved sources to be deployed.
- ◼ Validated catalog of runtimes and images. An approved catalog ensures vulnerabilities don’t slip in.
- ◼ Open source-aligned Kubernetes. A certified Kubernetes distribution with Cluster-API-driven lifecycle management provides a secure, uniform environment to run containers.
- ◼ Centralized management for multiple clusters. The ability to view every cluster under management—including its status, version, running workloads and security policies—and upgrade clusters consistently becomes a necessity as the number of clusters grows.
- ◼ Connect and protect applications. Communication between the containers that make up an application can be vulnerable to outside threats and must be secured and monitored.
- ◼ Observability. The need for observability extends to every layer of the application and infrastructure stack. It is crucial to verify that security policies are doing what they were intended to do.
What to keep in mind when considering DevSecOps
Manual security practices get in the way of DevOps, slowing down software development. You need an approach to security that’s developer friendly. Organizations can simplify and secure the container lifecycle by providing the core elements a development team needs to build secure apps, deliver them to customers quickly, and once in production, manage them at scale across clouds.
As you start implementing DevSecOps practices, you need to consider a number of practical aspects, including tooling, platforms, and people. Whether you’re just starting to explore if DevSecOps is a viable goal for your organization or have already embraced it and want to increase the benefits, velocity and security should not be mutually exclusive.
Organizations need agility and automation that doesn’t sacrifice security or compliance. This calls for better collaboration and communication among development, operations, and security teams. A strong DevOps practice relies on cooperation throughout the application lifecycle. Whether you’re automating software builds, testing, or deployment, DevOps teams work together, sharing responsibility for the entire process. Implementing DevSecOps extends this collaboration, embracing a “shift left” philosophy that brings security teams into the DevSecOps pipeline from the start, improving day-to-day and overall security of application development and resulting in faster, safer, and more cost-effective software delivery.
2. Security automation
Traditionally, security has been a very manual process, often implemented by a separate organization. DevSecOps tries to make security automation as easy as configuration and release management. Having an integrated runtime environment (your Kubernetes environment) and an integrated build process gives you the ability to rapidly deploy a patch to fix and redeploy a container. When you have an integrated build process, you have control over how containers are built and what goes in them, and the ability to rapidly rebuild containers without having to involve developers when a container is in production.
3. DevSecOps tools
To effectively implement security throughout the application lifecycle, it’s crucial to use the right DevSecOps tools. There is a wealth of open source software (OSS) for DevOps and DevSecOps, so selecting the right tooling can be a nightmare.
Focus on DevSecOps tools that enable you to create and secure the software supply chain from start to finish—from automated container builds to applications running safely in production on hardened Kubernetes clusters to the management of policies across clusters and clouds.
Consider the need for these capabilities:
- ◼ Secure the code. Development frameworks that enable you to create secure applications by default; automated container build and maintenance; access to validated, consistent application building blocks.
- ◼ Secure the process. Connecting automated builds into a CI/CD workflow; container registry that scans and signs containers as secure; restrict production deployments to come from "golden" registry only.
- ◼ Secure the infrastructure. Manage policies consistently across clusters; role-based access control policy for accessing the runtime platform; automated cluster lifecycle management.
- ◼ Secure intracontainer communications. Monitor and secure interaction of application components; encrypt data in transit; high-performance web application firewall.
4. Kubernetes security
Kubernetes clusters provide a relatively simple platform on which to create and run applications. Securing them and ensuring they include ubiquitous and uniform policies, however, is a major challenge for security teams—one that requires collaboration with development and operations teams.
For applications, explicit control policies should be put in place to allow only containers from trusted sources to run on production clusters. Your teams should also consider automated pipeline workflows along with centralized management dashboards rather granting direct access to the platform. DevSecOps pipelines can automatically enforce your policies to prevent unauthorized containers from being deployed to production.
User credentials for Kubernetes should be stored securely off the platform, preferably in a centralized management system for all runtime environments. Treat these credentials as you would for any other business-critical system. There are many options available, but integration capabilities with Kubernetes can vary widely. In most cases, a Kubernetes-native secrets management system (in other words, one built specifically for Kubernetes) is preferred.
The containers and production platforms are the product of an infrastructure-as-code approach. This means that operators, security, and audit teams can validate that only authorized configurations for the platform and running containers are in place. It can also allow for easy identification of past changes as well as new versions that are deployed, ensuring that all changes are authorized, meet your governance requirements, and are allowed in the production environment.
Another critical element of Kubernetes security is keeping up with upgrades and patches to the platform itself. This can become burdensome for platform teams, preventing them from deploying updates and patches consistently and increasing vulnerability to attacks.
To streamline this process across Kubernetes platforms, all clusters need to be managed using a uniform API. Examples include Cluster API, kubeadm, KOPS, and a host of others. These API layers allow individualized management of a single Kubernetes cluster for actions like bootstrapping and upgrading, but also more complex events like backup and recovery. They should be a part of an overarching management system wherein operations teams can implement global policy once and allow the management system—along with the individual API layers for each cluster—to take action.
This practice helps eliminate old deployments and misconfigurations on the Kubernetes cluster at regular intervals and disrupts persistent threats that may be running on a cluster, like command-and-control (C&C) botnets or data exfiltration attacks.
DevSecOps in the wild
|A worldwide technology group, Thales specializes in aerospace, defense, security, and more. They have embraced DevSecOps to automate core security functions as software is being developed, rather than bolting it on after the fact. They implement security checkpoints throughout the development process.|
|Kroger is a retailer with a mission to feed the human spirit. Kroger has worked to build higher quality software faster, by adopting modern development methods. Developers used to spend weeks implementing security procedures; it now takes seconds.|
|Swisscom is Switzerland’s leading telecom company. They operationalized Kubernetes for multi-cloud enterprises and service providers, addressing a broad range of Kubernetes challenges including security, monitoring and logging that ensures they can keep customer workloads separate and data secure.|
DevSecOps at VMware
The transition to DevSecOps is more than just the adoption of a technology stack. VMware Tanzu offers the DevSecOps tools and expertise to help you accelerate your journey.
Simplify and secure the software development lifecycle to speed the delivery of modern apps at scale.
Get a curated catalog of production-ready open source software, customizable for your needs.
Automate container creation, management, and governance at enterprise scale.
Deliver the outcomes you want in the time frame you need.