DevSecOps Best Practices and Business Value - Part 2
June 25, 2020

Aliaksei Kulik
Exadel

It is important to not only pay attention to product delivery automation and speed but also to add security to software updates, critical system vulnerabilities, and correct system access control, which DevSecOps practices assist with.

Start with DevSecOps Best Practices and Business Value - Part 1

The following are DevSecOps best practices:

Principle of least privilege (PolP)

DevOps teams should always follow the principle of least privilege (PolP). This means if any automated system or account needs to be given privileges by another system, the requesting system should be given only the access that is needed to complete the work. Most requesting systems or teams should never be given full permissions, root, sys admin, or any other role that provides them with much more than is necessary. This is true even if it means that multiple requests will be made later for additional permissions.

Digital signature

A DevSecOps practice should concern itself with security during all steps previously touched by DevOps processes and personnel. Developers who are going to be writing new code, or changing existing code, should be authorized and trusted by the system.

System control versions should not only access authorization functionality, but also digital signature options. Only trusted people with a digital signature may transfer their changes to the code in the master branch. DevSecOps best practices dictate that if a source control system has these digital signature capabilities it should be using them to ensure that the code in the system is only added/modified by a trusted source.

Security tests

During Continuous Integration (CI), security tests can be performed. It is difficult and time consuming to check large code bases manually for security vulnerabilities. Using security testing helps save time and effort.

As it's often impractical to check the entire code security manually, especially when it comes to code built for enterprise products, there are systems for such security tests that help save DevOps teams' time and effort. Both static application security testing (SAST) and dynamic application security testing (DAST) can be performed as part of the CI workflow. SAST examines the codebase for vulnerabilities by peering into the code itself and looking for problems such as SQL injection. DAST requires a running version of the product and it is tested by attacking the working system and making sure it isn't vulnerable.

Detecting Common Vulnerabilities and Exposures (CVE)

There are several organizations whose products help to make sure that code or containers are secure, preventing common vulnerabilities and exposures. There are also non-commercial organizations, such as the Center for Internet Security (CIS), that provide security benchmarks for free with detailed installation descriptions and instructions. This helps teams to check the system's security level, understand common vulnerabilities and exposures of configuration and conduct semi-automated or automated testing.

There are also algorithms and tools that allow teams to initially define the security logic within the code. Such process is known as Threat Modelling, the main idea of which is to architect a safe application solution from scratch and analyze all possible vulnerabilities methods for existing applications.

Open source applications like OWASP Threat Dragon or Seasponge may help. There are also third-party products that allow developers to securely save and retrieve passwords, allowing teams to outsource password security and maintenance to specialist providers.

Monitoring

Once a product's code has been placed in source control and deployed, the system needs to be monitored.

It is important to distinguish between traditional infrastructure and system monitoring (even smart monitoring) and security monitoring.

Security monitoring needs to fill two key roles:

1. If a system is under attack, it should provide information about the entry point and escalation process for all affected systems

Various software or hardware solutions provide information on penetration. If network penetration has occurred, then this problem is usually solved by the IDS/IPS system, which allows for the detection of an attempt to penetrate and further spread along the internal perimeter of the network.

Systems based on the analysis of events from the host system allow teams to identify clearly prohibited actions, for example, executing a process from root, or repeated attempts to enter a password, check the availability of network ports and attempt to communicate over prohibited ports and protocols. All of this data allows teams to analyze and identify the entry point and escalation process.

For cloud native solutions and organizations there are mechanisms which are ready for collection and analysis. For example, there are Cloudtrail, Cloudwatch, Lambda and other services for AWS that allow you to implement a range of security tasks or serve as mechanisms in the process of ensuring information security.

2. Monitoring abnormal behavior

To monitor abnormal behavior, it is critical to know the system's normal state in order to make rules which will detect any unusual cases. The reporting here will allow the DevSecOps team and developers to take appropriate actions (modify existing rules or write new ones) to avoid future attacks.

Let's look at an example of a database inside Kubernetes when there is an attempt to gain access. When this happens, create a rule: send a notification when there are more than 30 attempts per one minute to gain access, which means that normal behavior, or "white list," will include less than 30 attempts per minute. A DevOps team member can build a middleware service that will accept all incoming communication from the application and check the status of the Database. A SecOps team member can create a "white list" with allowed applications, verifying a hash sum Docker container and is the last person who pushes a container to a registry, plus adding a secure transport layer and a certification authentication between all applications.

Finally, a DevSecOps member may use all the approaches mentioned above and automate the process by creating security rules and one authorization service.

Aliaksei Kulik is a Senior DevOps Engineer at Exadel
Share this

Industry News

April 19, 2021

Harness announced end-to-end integrations with Amazon (AWS) GovCloud, Microsoft Azure, and Google Cloud Platform (GCP) to help DevOps and engineering teams perform multi-cloud software deployments.

April 19, 2021

The latest release of Redgate’s database monitoring tool, SQL Monitor, now supports Amazon EC2 and RDS, and Azure SQL Database and Azure Managed Instances as well as on-premises SQL Server.

April 19, 2021

CodeLogic announced $16 million in Series A funding.

April 15, 2021

Docker announced general availability of the Docker Desktop for Mac [Apple Silicon], enabling developers to leverage the advantages of the latest Macs powered by the M1 chip and extending the reach of their Docker collaborative application development platform to a new architecture.

April 15, 2021

Software AG announced new innovations of its webMethods platform for APIs, Integration and Microservices. With this release, companies can simplify and accelerate their digital transformation initiatives while also speeding their adoption of cloud.

April 15, 2021

Skuid, a toolkit for creating unique and adopted Salesforce experiences, introduced the Skuid Chicago release, a set of features and enhancements providing more declarative support to app designers and builders.

April 14, 2021

SmartBear has integrated TestComplete, its UI test automation tool, with BitBar, its native mobile device cloud.

April 14, 2021

Elastic announced an expanded strategic partnership with Confluent to deliver the best integrated product experience to the Apache Kafka and Elasticsearch community.

April 14, 2021

Threat Stack announced its ability to support AWS Graviton2-based instances through the Threat Stack Cloud Security Platform.

April 13, 2021

Broadcom and Google Cloud announced a strategic collaboration to accelerate innovation and strengthen cloud services integration within the core software franchises of Broadcom.

April 13, 2021

Nylas announced the launch of Components, JavaScript UI/UX solutions that allow developers to bring productivity features to market faster without needing to design front-end elements from scratch.

April 13, 2021

Perforce Software announces its new version control desktop client — Helix Sync — enabling non-coders such as artists and designers to version digital assets, with a simple drag-and-drop UI.

April 12, 2021

ShiftLeft introduced ShiftLeft CORE, a unified code security platform.

April 12, 2021

GrammaTech announced a new version of its CodeSonar SAST (static application security testing) product that helps developers build safer and more secure code without disrupting workflows.

April 12, 2021

Panaya announced a strategic partnership with Being Guided, a Salesforce Consulting Partner, specializing in the CRM and Salesforce ecosystem, to bring Panaya's ForeSight solution to a wider audience.