DecSecOps, which is typically viewed as an integrated team of development, operational, and security practitioners that can securely deliver innovation within a defined scope to market, is an ideal that organisations have been vying to achieve. Even though today’s complex, dynamic cloud native projects require this level of cooperation, the majority of contemporary organisations are still unable to identify a proven DevSecOps formula.
The issue is that DevSecOps involves not only a change in technology but also in culture. Tenable has established seven habits that transform the way your teams collaborate and make the most of their strengths to help organisations successfully implement DevSecOps.
Unfortunately, there are more to it than just seven small “changes” that will guarantee success. To succeed, businesses must reevaluate their organisational and technical “habits” regarding how they securely develop, release, and run applications. With self-service access to cloud infrastructure, the cloud has completely altered the dynamics of traditional IT.
This white paper outlines these seven habits that take into account the organisational, cultural, and technical adjustments needed to efficiently manage security, compliance, and operational risks while quickening the pace at which new ideas are brought to market.
HABIT ONE: LEVERAGE IAC FOR REPEATABILITY AND DOCUMENTATION
Organizations must have the tools necessary to increase the consistency and speed of deployments as cloud native environments expand in size and complexity. Infrastructure must be protected at all stages of its lifecycle, from definition to runtime, at the same time. By enabling you to make changes to your environment in a way that can be tested, applied, and audited, Infrastructure as Code (IaC) provides agility and reliability. Additionally, it offers the crucial advantages of documentation and repeatability. The importance of these advantages in comparison to manual one-off processes quickly becomes apparent as more environments are deployed, each with its own specific traits and standards.
It is much simpler to comprehend how and why infrastructure is changing thanks to IaC’s continuous versioning and review of your infrastructure definitions.
IaC implementation enables security to be embedded much earlier in the lifecycle, which not only enables DevOps teams to deliver on business objectives quickly and at scale.
Your company will get closer to having immutable infrastructure—that is, infrastructure that is never changed once it is deployed—if these two factors are combined. Immutable infrastructure practises enhance teams’ ability to manage environments’ security and compliance.
HABIT TWO: START SECURING EARLY, ENABLED BY IAC
Integration Development News reports that 67% of data breaches that occurred in the past 18 months at American businesses (80% of companies1) were caused by incorrect cloud configurations. Our current security strategies are obviously ineffective, and common reasons for this include a lack of time to address issues and poor communication between the security and development teams. Involving security earlier in the process can help with either of these issues.
Threat modelling provides a potent opportunity to establish security controls targeted at those threats and to proactively identify threats. By examining IaC to learn what resources are being defined, how they are configured, and the connections between them, threat models can be created.
This gives you background information that will help you comprehend the risk that security findings pose as well as how they might create a breach path into the environment. Risk detection takes place well before deployment because this process is started with IaC.
Threat modelling aids in the identification of the threats that need to be protected against, and Policy as Code (PaC) offers a way to set up security controls for those threats. PaC can be incorporated into your infrastructure provisioning process to find and fix operational and security problems all the way through their lifecycles. Before code is pushed to a source control repository, security and operational policies can be enforced during design. By incorporating PaC into build pipelines, violations and risks are discovered, preventing problems from entering the runtime environment.
PaC can keep that secure posture by detecting violations and enforcing policy compliance during runtime. By incorporating PaC tools into your development process, you can automate security policy enforcement in your pipelines, creating guardrails that will help your team identify and address violations well before deployment.
HABIT THREE: SCAN IAC TO CATCH POLICY VIOLATIONS BEFORE DEPLOY
In addition to the operational advantages of IaC, you can deliver real-time feedback to developers and identify configuration errors and policy violations early in the development process. You can find and correct violations without slowing down the development process by continuously scanning IaC as developers commit code to their repositories.
Once more, we can see the tension between the Dev and Sec teams. Teams frequently use IaC’s automation features to provision and manage pipeline resources when using build pipelines. However, doing so puts the delivery process’s integrity at risk. The pipeline itself will automate the process of delivering the change to the production environment if an attacker compromises the pipeline or the IaC that shapes the pipeline.
Threat actors then have the chance to spread malware, gain access to data, or completely compromise the environment as a result.
The best defence against situations like this is to spot policy violations prior to deployment, which calls for integrating security during development and enforcing it throughout the infrastructure’s life cycle.
This paradigm, known as immutable security, is attained by abiding by the following three rules:
- Securing IaC by reducing risks prior to the provisioning of cloud infrastructure
- Detecting new resources and configuration changes that could pose a risk to cloud infrastructure in real time.
- Reconciling runtime changes with the baseline established through IaC eliminates risk posture drift.
You must make sure your IaC is the only source of truth if you want to maintain immutable security. To recognise configuration changes and evaluate them for risks, this necessitates continuous runtime monitoring. To ensure that compliant changes are not overwritten during deployment, the IaC must be remedied to reflect the change and create a new baseline. If the modification poses a risk, the cloud infrastructure must be redeployed using the secure baseline established by IaC, which will replace the dangerous modification.
DevSecOps and immutable infrastructure cooperate to prevent teams from unintentionally adding new risks to the runtime. If adjustments are necessary, they must be made to the IaC, which propagates the change through the pipelines and related security controls.
HABIT FOUR: SCAN APP/CONTAINER CODE TO CATCH VULNERABILITIES BEFORE DEPLOY
Cloud containers are a popular solution because of their speed and ease of use, but the problem is that the images, applications, and infrastructure widen the attack surface and create very real opportunities for security breaches.
It’s crucial to scan the infrastructure’s code in the same way that you should scan your IaC.
There are benefits and drawbacks to using SAST, DAST, and IAST for application security testing. While SAST (static application security testing) can identify flaws in applications as they are being developed, it can also frequently produce irrelevant or false-positive results.
Dynamic application security testing, or DAST, is able to spot vulnerabilities in active applications but is unable to pinpoint where in the code they are located.
Although IAST (interactive application security testing) offers many of the advantages of both DAST and SAST, it has the drawback of requiring particular language support.
To maintain container integrity and security, you have a number of reliable open source options at your disposal, including Semgrep (SAST), OWASP ZAP (DAST), and Clair (container scanning). The integration between Tenable and GitLab, which combines our expertise in IaC with GitLab’s capacity to identify application vulnerabilities and automate DevOps procedures, is another thing that we’re excited about. You have the chance to improve how you prioritise and remediate by developing a deeper understanding of the context and exploitability of such vulnerabilities. This will ensure that the most crucial problems are given the proper attention.
HABIT FIVE: CREATE AUTOMATIC PULL REQUESTS FOR VIOLATIONS
Only 12% of the nearly 400 IT and cybersecurity professionals surveyed by ESG earlier this year had not experienced cyber incidents that were directed at their cloud-native apps or infrastructure. Although finding the violations that cause these incidents is obviously crucial, it only addresses about half of the issue. As we previously stated, developers are not security specialists.
They therefore require tools that will enable them to address risk without impeding development.
When a configuration error is found, developers should be made aware of it and given the code to fix it via a pull request or merge request.
These fixes can be created automatically by technologies like Remediation as Code (RaC) and submitted right to the repository holding the offending code.
The recommendation is examined by developers, who then incorporate the change into their code as part of their routine process.
This prevents bottlenecks from forming while the problem is addressed, the IaC is established as the secure baseline, and the infrastructure is deployed.
Adopting RaC enhances your security posture and enables you to do more than just fix problems. Additionally, it enables self-healing cloud infrastructure, in which configuration errors are automatically found and promptly fixed without ever slowing down development speed.
RaC is closely aligned with PaC, so it functions both during development and during runtime, where PaC is used.
HABIT SIX: UTILIZE POLICY ENFORCEMENT DURING DEPLOY
It can be challenging to foresee potential deployment problems early in the development process when working with complex, dynamic systems. Due to necessity, many organisations conduct security reviews in the later stages. However, if issues arise later on, it is frequently difficult to reproduce and address them because of manual processes. Due to the friction this causes during deployment, the pipeline for new ideas may become hampered.
RaC facilitates the effort needed to address any issues, and we’ve included habits to help ensure that vulnerabilities and violations are identified before deployment. The artefacts you created are secure, so you can be sure of that. Typically, deployment procedures use the IaC and artefacts to deploy into a runtime environment. However, you can’t just assume that artefacts used in deployments will only be those that have been previously secured; you should set up PaC controls to check that artefacts and IaC are compliant while the deployment is actually taking place.
HABIT SEVEN: UTILIZE POLICY ENFORCEMENT IN RUNTIME
The work is not finished once you have established a secure posture through IaC during development.
Runtime configuration changes to cloud infrastructure happen frequently and for a variety of reasons. In fact, we discovered that more than 90% of organisations permit this. While runtime modifications are occasionally required, they violate immutability and cause the configuration to diverge from what was specified through IaC.
Enforce the same policies in runtime that are enforced during the development and deployment processes to maintain a secure posture. The goal of this enforcement is to stop configuration changes that violate the policies.
Utilize Drift as Code features to continuously check the runtime environment for configuration drift and to make sure that any compliant changes made there are propagated back to the IaC. Teams can maintain immutability and guarantee that the runtime configuration consistently reflects the IaC by automating the propagation of safe runtime changes back to the IaC. Because developers don’t have to worry about overwriting crucial runtime configurations, friction in the deployment process is reduced. Redeploy from IaC right away if non-compliant changes are found during runtime in order to remove the dangerous change.