
Securing your DevOps

2023-06-15

Did you know that the average adult lies between 0.59 and 1.56 times a day? Well, now you know! I bet that when it comes to security in our IT operations this average is several orders of magnitude bigger. Mostly we lie to ourselves, narrating "I'll come back to it later", "it's not that bad", "no one's gonna know" and my favourite, "I'll just put this secret password in this obscure file no one is ever gonna look for". So let's face the music and talk security: let's discuss which actual tools can cover our bottoms when it comes to increasing the robustness of our DevOps security. After all, everyone talks about how important this security thing is all the time; we might as well do something about it. Granted, when we see a big headline in the media about a cyber-incident at some company, it is usually the result of some sort of external attack, and by extension, since DevOps is mostly an internal thing, we don't really associate it with risks to our internal systems. However, as we move more and more into the cloud and remote developers become the standard rather than the exception, the line between "internal" and "external" becomes blurred. Furthermore, the disturbing truth is that more than half of cyber attacks come from within. Scary, I know.

Planning

It all starts with the planning of your DevOps chain, from development through to monitoring. We have to consider not only the functional aspects of our pipeline but also who will have what kind of access to which components, what the associated risks are, how they can be mitigated, and what tools can help us with the task. Better yet, we have to find a way to automate security so that we don't even have to think about it; after all, maximum automation is one of the goals of DevOps.

The Source Code

Some sort of testing for errors, followed later by UAT, is standard practice; however, it is essential to have static and dynamic code tests running at all times.

Static code testing tools like Checkmarx and Fortify provide such capabilities. They can automatically scan the source code and identify vulnerabilities in the codebase, such as SQL injections, cross-site scripting, and insecure data storage. Meanwhile, tools like Veracode and SonarQube offer dynamic scanning capabilities that assess the health and security of your codebase. They not only identify security vulnerabilities but also assess code quality and compliance with coding standards. This can help maintain code hygiene and ensure compliance with security policies and coding standards, preventing the introduction of vulnerabilities from the beginning.

The Pipeline

You can integrate security tools directly into your pipelines to provide immediate feedback to developers about potential security issues. Suites like Snyk can provide comprehensive coverage and even suggest AI-powered quick fixes. You just have to click the button.

The (Continuous) Scanning

The focus here is on simulating attacks and identifying vulnerabilities. Burp Suite and OWASP ZAP offer automated security testing capabilities. They can help security teams and developers simulate common attacks, such as SQL injection, and detect vulnerabilities like broken authentication or sensitive data exposure. These tools provide actionable reports that guide remediation efforts. Don’t let the hackers scan it for you, do it yourself first.

The Containers

Twistlock and Anchore provide container security scanning and image assurance. They can scan container images for known vulnerabilities and ensure that they adhere to security best practices. This minimizes the risk of deploying containers with known security issues into production environments. Failing to take care of your containers/infrastructure is like having a really good password on your laptop but leaving it unattended everywhere... or, as we like to say, you only need to find a code vulnerability if you don't have root.

The Deployment

To secure infrastructure as code, commercial solutions like Terraform Enterprise and AWS CloudFormation provide features to automate and secure your infrastructure deployments. These tools enable the codification of infrastructure configurations, which can be version controlled, reviewed, and audited, reducing the risk of misconfigurations and ensuring a secure infrastructure setup. Remember CityBee?
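Added here as an example (not the post's own code, and not a feature of Terraform Enterprise or CloudFormation): a review gate that walks a CloudFormation-style template, constructed inline, and rejects the kinds of misconfiguration the paragraph warns about, namely a world-readable bucket, SSH open to the whole internet, and a database password written as a literal instead of a `{{resolve:...}}` dynamic reference to a secrets store.

```python
# Constructed CloudFormation-style template (not from the original post) with
# three misconfigurations a pre-deployment review should reject, plus one
# correctly configured bucket so the checker has something to pass.
TEMPLATE = {
    "Resources": {
        "BackupBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"}},
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "admin access",
                           "SecurityGroupIngress": [
                               {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "CidrIp": "0.0.0.0/0"}]}},
        "Db": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "postgres",
                           "MasterUserPassword": "Summer2023!",   # literal secret
                           "PubliclyAccessible": False}},
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "Private"}},
    }
}

PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def check_template(template):
    """Return (logical_id, rule, detail) for every misconfiguration found."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::S3::Bucket" and props.get("AccessControl") in PUBLIC_ACLS:
            findings.append((name, "public-bucket", props["AccessControl"]))
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr in OPEN_CIDRS:
                    findings.append((name, "open-ingress",
                                     f"{cidr} -> {rule.get('FromPort')}-{rule.get('ToPort')}"))
        if rtype == "AWS::RDS::DBInstance":
            pw = props.get("MasterUserPassword")
            # A plain string is a literal; "{{resolve:...}}" is a secrets-store reference.
            if isinstance(pw, str) and not pw.startswith("{{resolve:"):
                findings.append((name, "plaintext-secret", "MasterUserPassword is a literal"))
            if props.get("PubliclyAccessible") is True:
                findings.append((name, "public-db", "PubliclyAccessible is true"))
    return findings


if __name__ == "__main__":
    for finding in check_template(TEMPLATE):
        print(*finding)
```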

The Secrets

HashiCorp Vault is an amazing tool to make sure your sensitive credentials are as well protected as the KFC spice formula. It ensures the protection of sensitive data such as API keys, passwords, and certificates. By using such tools in the CD phase, you can ensure that secrets are securely stored, accessed, and rotated, minimizing (if not eliminating) the risk of unauthorized access to sensitive information.
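Vault keeps secrets out of the repository, but you still want a gate that catches the obscure file from the introduction before it is committed. The following added example (not from the post, and not part of Vault) scans constructed file contents for a known key format, literal password assignments and high-entropy strings; the `${DB_PASSWORD}` placeholder stands for a value injected from the secret store at deploy time.

```python
import math
import re

# Constructed file contents (not from the original post): one "obscure" config
# with secrets pasted in, and one that references an externally injected value.
SAMPLE_FILES = {
    "config/obscure.ini": (
        "[db]\n"
        "password = Summer2023!\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "api_token = 8f3c1a9e2b7d4e6f0a1b2c3d4e5f6a7b8c9d0e1f\n"
    ),
    "config/good.ini": (
        "[db]\n"
        "password = ${DB_PASSWORD}\n"
        "debug = false\n"
    ),
}

# Pattern rules: an AWS access key id, and a password assigned a literal value
# (a ${...} reference to an injected value is allowed).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("assigned-password", re.compile(r"(?i)\bpassword\s*[=:]\s*(?!\$\{)(\S+)")),
]
# Candidate tokens for the entropy rule: long runs of base64/hex-like characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")


def shannon_entropy(s):
    """Bits of entropy per character; random hex is ~4.0, English text ~3.0 or less."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(files, entropy_threshold=3.5):
    """Return (path, line_number, rule) for every suspected secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((path, lineno, rule))
            for token in TOKEN_RE.findall(line):
                if shannon_entropy(token) >= entropy_threshold:
                    findings.append((path, lineno, "high-entropy-string"))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```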

The Monitoring

Splunk and the ELK Stack became industry-standard tools years ago. Use them for continuous monitoring by aggregating and analyzing logs in real time. They have sophisticated alerting mechanisms and anomaly detection, enabling you to detect and respond to security incidents promptly.
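A simplified version of the kind of alert rule those platforms run, added as an example (not the post's code, and not Splunk or ELK syntax): it parses constructed sshd-style log lines and raises an alert when one source address fails authentication five times within a minute, and again if that same source then succeeds, which is the event worth looking at first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post), sshd-style.
SAMPLE_LOGS = """\
2023-06-15T08:00:01 sshd[101]: Failed password for deploy from 10.0.0.7 port 5001
2023-06-15T08:00:03 sshd[101]: Failed password for deploy from 10.0.0.7 port 5002
2023-06-15T08:00:04 sshd[101]: Failed password for root from 10.0.0.7 port 5003
2023-06-15T08:00:06 sshd[101]: Failed password for deploy from 10.0.0.7 port 5004
2023-06-15T08:00:09 sshd[101]: Failed password for deploy from 10.0.0.7 port 5005
2023-06-15T08:00:12 sshd[101]: Accepted password for deploy from 10.0.0.7 port 5006
2023-06-15T08:10:00 sshd[101]: Failed password for alice from 10.0.0.9 port 6001
2023-06-15T08:30:00 sshd[101]: Accepted publickey for alice from 10.0.0.9 port 6002
"""

LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port \d+$")


def detect_auth_anomalies(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, subject, timestamp) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of failures inside the window
    burst_ips = set()               # sources already flagged for a burst
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated line; a real pipeline would count these too
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append(("brute_force", ip, ts.isoformat()))
        elif ip in burst_ips:       # a success from a source that was just hammering us
            alerts.append(("success_after_burst", f"{user}@{ip}", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_LOGS):
        print(*alert)
```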

The Improvement

Good old Jira and GitLab provide task and incident management capabilities. Use them to track and manage security-related tasks, vulnerabilities, and incidents. This helps maintain transparency and accountability for addressing security issues and drives continuous improvement.

The Humans

AKA the weakest link. As an IT auditor, I always find this area to be the most challenging. Good social engineering can bypass and hijack a lot of careful security planning. There is no automating humans, unfortunately, but they can be trained! Train your staff, bring awareness to your colleagues, discuss your security practices in meetings, and explain why it is important to your company. How to work with sensitive information and which communication channels to use might be self-explanatory to you, but a coding genius who is so focused on delivering the next best thing on time sometimes needs to be reminded.

There is a term "DevSecOps" for a reason. Automation and continuous improvement open a lot of doors to automate and improve security as well. But to take advantage of that, you have to be mindful of every step of your DevOps journey. Stay safe!