Making the Move from DevOps to DevSecOps
In this post, I will summarize the principles discussed in the recent AWS Marketplace webinar, “Making the Move from DevOps to DevSecOps.”
If you are on your journey to the cloud with AWS, you are probably already using some DevOps approaches, so you can spin up new Virtual Machines (VMs), test, stage, and deploy applications quickly without waiting for infrastructure to be manually configured. Security is often overlooked in this process, seen as something owned by the security team or “bolted on” at the end. Leaving security out of DevOps is asking for trouble: you often see situations where developers deploy an application in beta and then forget to spin the instance down when they are finished. These resources are visible to hackers and can provide an entry point for threats. The question becomes: if you need to secure your entire environment (including dev/test), why are you still at DevOps instead of DevSecOps?
DevSecOps is certainly about security, but it is just as much about the processes you use to build applications and about ensuring security is built into those processes by design. Think of DevSecOps as putting security in the middle of Dev/__/Ops. Cloud security and compliance is a shared responsibility between AWS and the customer. As the cloud provider, AWS is responsible for security OF the cloud, including the hypervisor and hardware. Customers are responsible for security IN the cloud, securing their applications and network with services from third-party vendors. DevSecOps in the cloud takes that approach to security and builds it into your development and operational processes.
Security Through Automation
Organizations can have a “security first” mentality and good security tools, but security can only be as strong as the newest employee, or the one who is hurrying to meet a deadline. Automation is core to DevOps, but some organizations have not yet taken the steps to automate the processes that build security into the application by design. Some organizations have the needed skills in house, but others will need to leverage services from a security integrator, who can define processes and roles, integrate security tools, and automate the processes for your team.
Getting to DevSecOps
To get started building your DevSecOps approach, take a step back and ask yourself, “What am I trying to accomplish, and what security controls are needed?” This step helps you create a focused use case, and from there you can identify options for security tools, automation requirements, and the organizational roles and processes you need to address. For example, a common DevSecOps use case is assuring that your golden image, an Amazon Machine Image (AMI), does not have vulnerabilities and remains secure through the development lifecycle. AWS refers to this use case as a Secure AMI Factory. For this use case, you would want to consider layered security controls, starting with an anti-virus or file integrity monitoring solution, such as Trend Micro Deep Security or Symantec Cloud Workload Protection. Next, consider a vulnerability scanning solution such as CloudPassage Halo or Dome9 Arc, which lets you define standards for your AMI and validate adherence to those standards. Finally, include an audit, logging, and monitoring solution that tracks changes to the in-use AMIs by combining account activity and AWS resource data from AWS CloudTrail and AWS CloudWatch with data on security incidents to provide ongoing insights, such as Splunk Enterprise or AlienVault USM Anywhere, along with other controls such as Identity and Access Management (IAM) and network security. You can leverage internal staff or a systems integrator to integrate and automate these tools and processes so that the golden image remains secure throughout the development lifecycle.
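As an added example (not code from the webinar, AWS, or any of the vendors named above), the following script shows the kind of automated check the audit-and-monitoring layer of a Secure AMI Factory performs: it reads CloudTrail-style records and flags EC2 launches that did not use a golden AMI, as well as sharing or deregistration changes made to a golden AMI itself. The golden AMI ids and the log records are constructed placeholders, and the record layout is a simplified version of CloudTrail's RunInstances and ModifyImageAttribute events.

```python
"""Flag EC2 launches that bypass the golden AMI set, and changes to golden AMIs.

Input is CloudTrail-style JSON records (one per line). The sample data below is
constructed for this example and uses a simplified CloudTrail field layout.
"""
import json

# Hypothetical golden AMI ids produced by the Secure AMI Factory (placeholder values).
GOLDEN_AMIS = {"ami-0golden000000001", "ami-0golden000000002"}

# EC2 API calls that alter an AMI's existence or launch permissions; any of these
# against a golden image should be reviewed.
AMI_CHANGE_EVENTS = {"DeregisterImage", "ModifyImageAttribute", "ResetImageAttribute"}

# Constructed CloudTrail-like records: a golden launch, a non-golden launch, a
# golden AMI made public, a read-only call, and an unrelated S3 event.
SAMPLE_LOG = """
{"eventTime": "2019-05-01T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deployer"}, "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0golden000000001"}]}}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0aaa111", "imageId": "ami-0golden000000001"}]}}}
{"eventTime": "2019-05-01T10:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}, "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0notgolden00abc"}]}}, "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0bbb222", "imageId": "ami-0notgolden00abc"}]}}}
{"eventTime": "2019-05-01T10:07:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}, "requestParameters": {"imageId": "ami-0golden000000002", "attributeType": "launchPermission", "launchPermission": {"add": {"items": [{"group": "all"}]}}}}
{"eventTime": "2019-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}, "requestParameters": {}}
{"eventTime": "2019-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}, "requestParameters": {"bucketName": "example-bucket"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _image_ids(event):
    """Collect every imageId referenced by a RunInstances request or response."""
    ids = set()
    for section in ("requestParameters", "responseElements"):
        items = ((event.get(section) or {}).get("instancesSet") or {}).get("items", [])
        ids.update(item["imageId"] for item in items if "imageId" in item)
    return ids


def find_findings(records, golden=GOLDEN_AMIS):
    """Return a list of findings: non-golden launches and changes to golden AMIs."""
    findings = []
    for ev in records:
        if ev.get("eventSource") != "ec2.amazonaws.com":
            continue  # only EC2 activity is relevant to AMI hygiene
        name = ev.get("eventName")
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if name == "RunInstances":
            # Any launch whose image is outside the golden set bypassed the factory.
            for ami in sorted(_image_ids(ev) - golden):
                findings.append({"type": "non_golden_launch", "ami": ami,
                                 "actor": actor, "time": ev.get("eventTime")})
        elif name in AMI_CHANGE_EVENTS:
            # Deregistering or re-sharing a golden image is a change to an in-use AMI.
            ami = (ev.get("requestParameters") or {}).get("imageId")
            if ami in golden:
                findings.append({"type": "golden_ami_changed", "ami": ami, "event": name,
                                 "actor": actor, "time": ev.get("eventTime")})
    return findings


def analyze_sample():
    """Run the check over the constructed sample log."""
    return find_findings(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for f in analyze_sample():
        print(json.dumps(f))
```

In a real pipeline the records would come from CloudTrail delivery to S3 or from a CloudWatch Logs subscription, and the golden set would be read from wherever the factory publishes its approved image ids (an SSM parameter or tag, for instance) rather than hard-coded.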
These solutions and many others are available on AWS Marketplace, a curated catalogue of software listings from independent software vendors that makes it easy to find, test, buy, and deploy software that runs in your AWS environment and is billed based on consumption, just like AWS services. Look for offerings from AWS Security Competency Partners to find solutions that are well architected for AWS environments and that use AWS services.
For more details on how to make the move from DevOps to DevSecOps, view the recorded webinar.
About the author
Steve Andrews is a Senior Category GTM Manager for AWS Marketplace. In his spare time, he enjoys juggling responsibilities and fun with his three kids, playing golf and tennis, and learning about new things.