Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

10:30 AM
Dave Meltzer
Dave Meltzer
Connect Directly
E-Mail vvv

Embedding Security into the DevOps Toolchain

Security teams need to let go of the traditional security stack, stop fighting DevOps teams, and instead jump in right beside them.

The adoption of DevOps continues to grow rapidly, and security teams are still trying to keep up. A natural starting point has been to focus on application security and securing the code itself. Although this is definitely an important piece of the puzzle, DevOps today has moved beyond just building application code into binaries into building complete system infrastructure in containers and virtual machines.

With this increased scope of DevOps comes all of the risks of the tens of thousands of known vulnerabilities and misconfiguration issues associated with the operating system, services, and system components included in the build. Just performing security assessments on the source code alone is not sufficient to identify these risks.

With the focus on speed and providing customers a constant stream of new features, DevOps teams typically haven't prioritized security first. Security is widely believed to be an inhibitor to agility, and using traditional security methods can be a bottleneck to DevOps agility. Security and IT operations teams understand that it's not sustainable to leave security out of the picture completely, but if security doesn't work at the speed of DevOps, it will continue to be pushed aside. This is why integrating security into the actual DevOps life cycle is key to managing risk effectively in the world of rapid development.

When looking to implement security at the speed of DevOps, one should understand what DevOps teams mean by the "CI/CD pipeline" and what that looks like. (CI refers to continuous integration, and CD refers to continuous delivery.)

Continuous integration is the concept that developers should be checking-in new code on a frequent basis (this could be several times a day). Code is checked in to a source code repository like GitHub, where an automatic build system, such as Jenkins, compiles the code and checks the new build to ensure the code didn't break anything.

The new build then continues onto the continuous delivery stage, where it is automatically deployed into testing environments for more involved end-to-end, load, performance, and integration tests. If everything passes, the new build is ready to be deployed to production. 

When deploying the new build, the DevOps team needs to define the right environment to run the applications and then ensure that all components are configured correctly. Tools such as Ansible, Chef, and Puppet are used for this.

Integrating Security into the Process
By understanding the CI/CD pipeline, security teams can see where it makes sense to put security controls in place and how they can match up to the existing DevOps workflow.

As mentioned, checking the source code being committed into the CI is a good first measure. However, many organizations leave it at that when they should go on to address the overall application infrastructure as it moves through the pipeline. It's not just code going through CI/CD process; operating systems, third-party components, middleware, and databases are being built and deployed along with that code.

The CI/CD process involves a DevOps toolchain, a set of automated tools facilitating the building, testing, environment configuration, and deployment of these systems. By integrating security into this toolchain, organizations can add effective quality gates that fit within the existing process to assess for vulnerabilities, configurations, and compliance with frameworks and/or organizational standards. It's important have quality gates and assessments at the different stages of building, testing, and deploying because many changes can happen between the code committing and the system deploying. It's often more costly and frustrating to reject applications at the end of the CI/CD versus having visibility and addressing issues along each stage.

The most effective way to do this is to integrate security tools with CI/CD build tools (e.g., Jenkins, TeamCity, and Bamboo) and CI/CD configuration tools (e.g., Puppet, Chef, Ansible, and Salt) to fully automate these assessments. The assessments can then either stop issues from continuing down the pipeline or at least provide visibility into the risk the business is accepting. To ensure vulnerabilities aren't slipping through the cracks, having the additional ability to dynamically test systems in a live sandbox would be a great benefit.

Just as important as preventing issues from going into production, organizations will want to monitor and maintain the integrity of their production environments. Several, perhaps hundreds, of production environments were configured specifically to make the DevOps-produced applications work, so once you've set it up correctly, you want to monitor for any configuration changes.

DevOps will continue to grow, so organizations must implement security solutions that work at the speed of DevOps. DevOps is the new world of developing, releasing, and updating applications for a growing number of enterprises; therefore, security teams need to let go of the traditional security stack, stop fighting DevOps teams, and instead jump in right beside them.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early-bird rate ends August 31. Click for more info

David Meltzer is Chief Technology Officer at Tripwire, a leading provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies (www.tripwire.com). He began building commercial security ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...