If you understand DevOps, you probably also intuitively understand DevSecOps. Why? Because DevSecOps, to put it simply, is DevOps spelled out in full. It is not a new variant of DevOps with security bolted on. Rather, it is what DevOps has always been: a way to ship high-quality software faster. Quality and speed are what make it possible to keep applications secure, because a pipeline that can rebuild and redeploy quickly is one that can patch quickly. Security has therefore always been an implicit part of DevOps, and the term DevSecOps simply calls out that focus.

That said, putting DevSecOps into practice can be tough because of the practical limits on IT professionals' time and attention. DevOps engineers are expected to wear multiple hats in an organization: part SRE, part sysadmin, part developer, part QA, and part security engineer.

That raises the question: how do you actually get started with DevSecOps? Even if you already understand the core tenets behind it, how do you put them into practice?

Keep reading for practical answers.

Automation first

Automation has been the defining characteristic of DevOps, and DevSecOps is no different. Manual steps are where configuration drift and security mistakes creep in; the more of the pipeline and of the security configuration that is automated, the smaller that surface becomes. Automation doesn't just bring speed, letting you rebuild and redeploy when an artifact turns out to be outdated or vulnerable. It also leaves a record of exactly what happened, so you can adjust the pipeline to stop the same error from recurring.

The key to automation in today's cloud-native environments is to manage infrastructure as code: no manually created or hand-configured instances. Resources are declared in version-controlled template files that can be reviewed, replicated, and modified later. Many tools enable this. If you are committed to the AWS ecosystem, CloudFormation (templates in YAML or JSON) is the place to start. If you want something cloud-agnostic, Terraform covers the same ground as CloudFormation in its own HCL configuration language and works beyond AWS. If your main platform is Kubernetes, the combination of Jenkins and Spinnaker covers the delivery side: Jenkins handles build, versioning, and test automation, and Spinnaker handles deployment automation. Spinnaker, in particular, is built around declarative deployment pipelines and integrates well with Kubernetes, but it complements rather than replaces a provisioning tool such as CloudFormation or Terraform.
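As an added example (not code from the original post), here is a CloudFormation template of the kind the paragraph describes: an application host whose security-relevant settings are pinned in the template instead of clicked in the console. The VPC ID, the administrator CIDR, the AMI lookup and the instance size are assumptions; the weak settings a hand-built instance often ends up with are noted in comments beside the corrected ones.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: an application host provisioned as code. Parameter
  values and the instance type are assumptions for illustration.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  AdminCidr:
    Type: String
    Description: CIDR allowed to reach SSH (office or bastion range; assumed)
    AllowedPattern: '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'
  AmiId:
    # Resolved from the public SSM parameter at deploy time, so the template
    # never hard-codes an AMI that goes stale.
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2

Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH only from the admin range; no other inbound
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr    # weak form: CidrIp: 0.0.0.0/0
      # Declaring egress replaces the default allow-all outbound rule.
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0         # outbound HTTPS only (updates, APIs)

  AppLaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateName: app-host
      LaunchTemplateData:
        ImageId: !Ref AmiId
        InstanceType: t3.micro
        SecurityGroupIds:
          - !Ref AppSecurityGroup
        MetadataOptions:
          HttpTokens: required      # IMDSv2 only; weak form: optional
          HttpPutResponseHopLimit: 1
        BlockDeviceMappings:
          - DeviceName: /dev/xvda
            Ebs:
              Encrypted: true       # weak form: omitted (unencrypted root volume)
              VolumeSize: 8
              VolumeType: gp3

Outputs:
  LaunchTemplateId:
    Value: !Ref AppLaunchTemplate
```

Deploy with `aws cloudformation deploy --template-file app-host.yaml --stack-name app-host --parameter-overrides VpcId=vpc-… AdminCidr=…` (values assumed). Because the template is a file, it can be linted in CI (for example with cfn-lint) and reviewed in a pull request before anything reaches the account, which is the point of infrastructure as code for security: the open-to-the-world SSH rule is caught in review, not discovered later in the console.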

Cloud security

Security in the cloud differs from the security of an on-premises data center. Some aspects of security are owned by the cloud vendor and others by the customer; this is the "shared responsibility" model. The first place to start is identity: who and what may act on which resources. In AWS, the IAM service lets you define users, groups, and roles and attach policies that can be as granular as a single API action on a single resource. Whether it is application code running on an EC2 instance (which should assume a role rather than hold long-lived access keys) or a human administrator, IAM controls access to every resource within AWS.
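As an added example (not from the original post), the CloudFormation template below defines a least-privilege IAM role for an application that only needs to read its own configuration objects from one S3 prefix, attached to an EC2 instance profile so the code never holds static keys. The bucket name and prefix are assumptions; the overbroad statement this replaces is shown in a comment.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: least-privilege role for an app that reads one S3 prefix.
  Bucket name and prefix are assumptions for illustration.

Parameters:
  ConfigBucketName:
    Type: String
    Description: Existing bucket holding app/config/* (assumed)

Resources:
  AppRole:
    Type: AWS::IAM::Role
    Properties:
      # Only the EC2 service may assume this role, i.e. only instances
      # launched with the instance profile below get these permissions.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: read-app-config
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Overbroad form this replaces (do not use):
              #   - Effect: Allow
              #     Action: "s3:*"
              #     Resource: "*"
              - Sid: ReadConfigObjects
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${ConfigBucketName}/app/config/*"
              - Sid: ListConfigPrefixOnly
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${ConfigBucketName}"
                Condition:
                  StringLike:
                    s3:prefix: "app/config/*"
              # Explicit deny beats any allow: refuse plaintext HTTP to the bucket.
              - Sid: DenyInsecureTransport
                Effect: Deny
                Action: "s3:*"
                Resource:
                  - !Sub "arn:aws:s3:::${ConfigBucketName}"
                  - !Sub "arn:aws:s3:::${ConfigBucketName}/*"
                Condition:
                  Bool:
                    aws:SecureTransport: "false"

  AppInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref AppRole

Outputs:
  InstanceProfileName:
    Value: !Ref AppInstanceProfile
```

The check to run before shipping a policy like this: simulate it (the IAM policy simulator, or `aws iam simulate-principal-policy`) against both an allowed call (`s3:GetObject` on an object under `app/config/`) and a call that must fail (`s3:GetObject` on any other prefix, or `s3:PutObject` anywhere). A role that passes the first test and fails the second is doing what the paragraph asks for.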

Apart from IAM, AWS offers other security services. AWS Shield focuses on protecting applications from DDoS attacks. AWS Macie uses machine learning and pattern matching to discover and classify sensitive data (such as personal data and credentials) stored in S3, and flags buckets where that data is exposed or unencrypted. Macie does not predict vulnerabilities; what it gives you is an inventory of where the data that would matter in a breach actually lives, which is where to focus the IAM and encryption controls above.

Container security

Security for monolithic applications running on VMs was fairly static. Containers add a new level of complexity: multiple layers, many moving parts, and far more system data to monitor. Container security is a different beast that needs to be tamed. It's not enough to ask, "Is Docker secure?" Instead, you need to consider how each layer is secured: the host and the Docker daemon, the container runtime, the container registry, and the images themselves, especially images pulled from a public registry, which should be scanned for known vulnerabilities and referenced by digest rather than by a mutable tag.

Since Kubernetes has cornered the container orchestration space, it's vital to understand the security essentials of a Kubernetes cluster: isolating workloads from each other with namespaces, assigning resource quotas so one workload cannot starve the rest, and segmenting pod-to-pod traffic with network policies. Kubernetes also has a Secrets object for sensitive values like passwords and access tokens, and it exposes a secret only to the pods and service accounts that have been granted access to it. One caveat: Secrets are stored in etcd base64-encoded, not encrypted, unless encryption at rest is enabled on the API server, and anyone whose RBAC role can read secrets in a namespace reads them in the clear. Enable encryption at rest and scope RBAC to the specific secrets each workload needs.
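The manifests below are an added example (not from the original post) that put the essentials just listed into one namespace: a resource quota, a default-deny network policy with a single explicit allow, an RBAC role that grants read access to one named Secret only, and the API-server configuration that actually encrypts Secrets in etcd. The namespace, labels and workload names are assumptions. The first six documents are applied with kubectl; the last one is a kube-apiserver config file and must be saved separately.

```yaml
# Added example. Namespace, labels and names are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
---
# Quota: a runaway or compromised workload cannot starve the rest of the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments
spec:
  hard:
    pods: "20"
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
---
# Default deny: no pod in the namespace accepts or sends traffic unless a more
# specific policy allows it. (In practice, add an egress allow for kube-dns too.)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Explicit allow: only frontend pods may reach the API pods, and only on 8443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: payments-frontend
      ports:
        - protocol: TCP
          port: 8443
---
# RBAC for anything that fetches the Secret through the API (an operator or
# sidecar; a plain volume mount needs no RBAC): one named Secret, get only,
# so it can neither list nor read the other secrets in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["db-credentials"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-reads-db-credentials
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: payments
roleRef:
  kind: Role
  name: read-db-credentials
  apiGroup: rbac.authorization.k8s.io
---
# Save this document to its own file and start the API server with
#   --encryption-provider-config=/path/to/this/file
# Without it, Secrets sit in etcd base64-encoded, i.e. in the clear.
# Generate the key with:  head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources: [secrets]
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY   # placeholder, not a real key
      - identity: {}   # still reads Secrets written before encryption was enabled
```

Two checks worth running after applying this: `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:payments-api` should answer `no` (only `get` on one name was granted), and, once the API server has restarted with the encryption config, rewriting existing Secrets (`kubectl get secrets -n payments -o json | kubectl replace -f -`) makes them encrypted in etcd; reading the raw etcd key afterwards should show a `k8s:enc:aescbc:v1:` prefix rather than plaintext.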

Reporting and threat detection

When it comes to security, reporting brings it all together. For all the automation, cloud security and container security measures you put in place, you need reporting to monitor and track them end to end. DevSecOps reporting spans multiple tools, each serving a different purpose.

It starts with metrics from tools like AWS CloudWatch or an application performance monitoring (APM) tool. Metrics give you the big picture of what is happening. To go deeper, you need logs, which carry the details of what happened and how it happened, in sequence. In AWS, CloudTrail records every API call made against your account (who called what, from where, and whether it was allowed), and CloudWatch Logs can collect that audit trail alongside application logs; you may also want a dedicated logging tool like Sumo Logic to centralize logs and add advanced analysis. With metrics and logs combined, you are equipped to perform forensics when incidents occur.
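As an added example (not from the original post) of combining logs and metrics, the CloudFormation template below turns CloudTrail records already flowing into a CloudWatch Logs group into two metrics and alarms: refused API calls (what credential misuse or a scanning script looks like in CloudTrail) and console sign-ins without MFA. The log group name, the alert address, and the thresholds are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: CloudTrail log lines -> CloudWatch metrics -> alarms.
  Assumes CloudTrail already delivers to the named log group.

Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: Log group CloudTrail delivers to (assumed to exist)
  AlertEmail:
    Type: String

Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # Log -> metric: every CloudTrail record whose errorCode says the call was refused.
  UnauthorizedApiCallsFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: UnauthorizedApiCalls
          MetricValue: "1"

  # Log -> metric: console sign-ins that did not use MFA.
  ConsoleLoginNoMfaFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleLoginWithoutMfa
          MetricValue: "1"

  # Metric -> alarm -> alert. Threshold and period are tuning assumptions;
  # a handful of AccessDenied errors per day is normal noise, a burst is not.
  UnauthorizedApiCallsAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: 10 or more refused API calls within 5 minutes
      Namespace: CloudTrailMetrics
      MetricName: UnauthorizedApiCalls
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 10
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic

  ConsoleLoginNoMfaAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Any console login without MFA
      Namespace: CloudTrailMetrics
      MetricName: ConsoleLoginWithoutMfa
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic
```

Before trusting the second alarm, test the filter pattern against real records from the log group (the CloudWatch console and `aws logs test-metric-filter` both accept a pattern and sample events). One known tuning point: sign-ins through a federated identity provider report `MFAUsed` as `No` even when the provider enforced MFA, so in such accounts narrow the pattern to `$.userIdentity.type = "IAMUser"`, otherwise the alarm fires on every SSO login. The same log group remains available for forensics afterwards, which is why the logs and the metrics derived from them belong together.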

Finally, the tool that gives you the edge as a DevSecOps practitioner is one that provides threat detection at runtime. Most reporting tools describe past behavior; a tool like Twistlock gives you a real-time view of the state of your resources and of attacks as they are happening. Using machine learning, such tools learn a baseline of a container's normal behavior (the processes it runs, the network connections it makes, the files it touches) and flag deviations from that baseline as they occur, rather than waiting for a signature to catch up. By configuring alerts on those deviations, you can respond while an attack is in progress and close the hole before it causes damage.

Conclusion

DevSecOps involves a learning curve. As the application stack changes, so does the practice of security. The underlying concepts of security are the same; what is new is how they are interpreted and applied to a modern cloud-native stack. It takes understanding automation, security in the cloud, and security for containers, and bringing it all together with robust reporting and detection tools.

Interested in learning more? Check out this Twistlock infographic for 7 tips to Navigate Operationalizing DevSecOps.
