Discover more from Balanced Security
Ten Security Concepts Every DevOps Team Should Know
Development and security teams need to work together to create secure applications
DevOps is helping organizations develop and deploy software faster. DevOps is an approach that integrates and streamlines the development and operations process using an agile or agile-fluency model, with the aim of improving transparency and teamwork and delivering fewer defects, higher productivity, and better alignment with business objectives. DevOps began to coalesce in the late aughts, popularized by the book The Phoenix Project.
One potential downside of DevOps is that the fast pace it promotes can lead to an increase in mistakes and less secure code. Attackers can capitalize on errors and vulnerabilities to gain access to digital assets. The solution is to "shift left" or move security protocols and practices upstream in the development pipeline. When security is part of the overall DevOps process, it's called DevSecOps.
IT security teams have a responsibility to understand the movement of applications and data throughout the different stages of development, testing, staging, and production. They also need to address any security weaknesses along the way.
Simultaneously, DevOps teams must recognize that security is not solely the responsibility of the IT security team and cannot be added as an afterthought to the Software Development Life Cycle (SDLC). Instead, they need to work together with IT security teams to ensure that security is integrated throughout the entire development process.
When done correctly, security and DevOps are mutually supportive, and they work together seamlessly.
Since creating better security is a collaborative effort between DevOps and security, I've created a list of some basic security principles as a starting point in discussing how teams can work together to create a more secure development pipeline. Admittedly, this is just a start. Feel free to add a comment with other terms and examples.
Let's start with some basics -- vulnerability, threat, exposure, risk, and countermeasures.
Vulnerability: A vulnerability is a flaw or weakness in a system that can be exploited by a threat source to breach its security. It can take many forms, including software, hardware, procedural, or human weaknesses. Examples of vulnerabilities include services running on a server, applications with exploitable logic errors, operating systems that have not been patched, wireless access points without proper security measures, open ports on a firewall, inadequate physical security, and poor password management practices. Essentially, a vulnerability is any aspect of a system that creates an opportunity for unauthorized access, theft, or damage to occur.
Threat and Threat Agent: A threat is the potential for harm that can arise from a vulnerability, and a threat agent is someone or something that attempts to exploit the weakness for its own gain. A threat generally refers to any possible harm or danger arising from the exploitation of a vulnerability. When a specific vulnerability is identified and targeted for exploitation, the entity that carries out the attack is called a threat agent or threat actor.
Exposure: Exposure refers to the state of being vulnerable or at risk of suffering losses. When an organization has a vulnerability, it becomes exposed to the possibility of damage. To reduce this potential risk, controls or countermeasures are put in place. In other words, a vulnerability is a weakness that creates a possible exposure, which is then addressed by implementing measures to mitigate the associated risk.
Risk: In simple terms, a risk is the possibility of a threat exploiting a weakness in a system and the potential consequences that could result. Risk is a concept that ties together the likelihood of a threat source exploiting a vulnerability with the corresponding impact on a business. As an example, if a developer exposes system credentials in a build tool, that increases the ultimate risk of system compromise. Risk connects the vulnerability, threat, likelihood of exploitation, and resulting business impact into one unified idea.
Countermeasure: A countermeasure, control, or safeguard is a mechanism that is implemented to reduce potential risk. It can take the form of a software configuration, hardware device, or procedure that eliminates a vulnerability or reduces the likelihood of a threat agent being able to exploit a vulnerability. Essentially, a countermeasure is a tool that helps to minimize the potential impact of risk by either eliminating or reducing the exposure that creates the risk in the first place.
Vulnerability Scanning: Vulnerability scanning is a security technique used to identify weaknesses within an application that could potentially be exploited by hackers. To minimize risks, it is best practice for developers to scan their code changes for issues such as coding bugs, unpatched vulnerabilities, misconfigurations, and unprotected secrets. By identifying and addressing these vulnerabilities during development, the remediation process is more efficient, and the creation of new technical debt can be avoided. This approach is often called "shifting left," as it identifies and addresses vulnerabilities earlier in the development process.
False Positives: Vulnerability scanning may flag a potential security flaw, but it can also produce false positives. The significance of a false positive varies: what one enterprise deems concerning may be acceptable to another because of different risk acceptance thresholds. In addition, false positives arise when vulnerability scanners are poorly calibrated or not precise enough.
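As an added example that is not part of the original post, the following Python scanner ties together the Risk example above (credentials exposed in a build tool), the "shift left" secret scanning described under Vulnerability Scanning, and the handling of false positives. The CI configuration, the detection patterns and the allowlist are all constructed assumptions; a real team would tune them to its own risk threshold.

```python
import re
from dataclasses import dataclass

# Constructed sample of a CI pipeline file a developer might commit (no real credentials;
# the AKIA value is the documented AWS example key).
SAMPLE_BUILD_CONFIG = """\
image: python:3.11
variables:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  DB_PASSWORD: "hunter2"
  DB_PASSWORD_PROD: ${VAULT_DB_PASSWORD}
  API_TOKEN: changeme
  LOG_LEVEL: debug
"""

# Rule 1: high-confidence pattern (AWS access key IDs are "AKIA" followed by 16 chars).
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: lower-confidence heuristic: a secret-looking variable name assigned a literal value.
SECRET_ASSIGN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Za-z_]*)\s*[:=]\s*(?P<value>\S.*)$",
    re.IGNORECASE,
)
# Placeholder values that would otherwise be flagged; this is where a team records
# accepted false positives instead of silencing the whole rule.
ALLOWLIST = {"changeme", "example", "<redacted>"}

@dataclass
class Finding:
    line: int
    rule: str
    name: str
    redacted: str  # the report must never echo the full secret

def redact(value: str) -> str:
    """Keep only the last 4 characters so a finding can be triaged without leaking the value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def is_false_positive(value: str) -> bool:
    """Indirect references (${VAR}, $VAR) and known placeholders are not hard-coded secrets."""
    v = value.strip().strip("'\"")
    return v.startswith("$") or v.lower() in ALLOWLIST

def scan_config(text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hit = AWS_KEY_RE.search(line)
        if hit:  # high-confidence rule wins; skip the generic rule for this line
            findings.append(Finding(n, "aws-access-key-id", line.split(":")[0].strip(), redact(hit.group(0))))
            continue
        m = SECRET_ASSIGN_RE.match(line)
        if m and not is_false_positive(m.group("value")):
            findings.append(Finding(n, "secret-literal", m.group("name"), redact(m.group("value").strip("'\""))))
    return findings

if __name__ == "__main__":
    for f in scan_config(SAMPLE_BUILD_CONFIG):
        print(f"line {f.line}: {f.rule} in {f.name} -> {f.redacted}")
```

Run as a pre-commit hook or CI step, a non-empty findings list fails the build, which is the countermeasure that turns the exposed-credential risk into a caught defect before merge.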
Role-Based Access Control (RBAC): RBAC is a means of regulating access to applications and resources based on predefined roles. Each person is assigned a specific role, which in turn dictates their level of access. RBAC is a critical component of common controls and is essential for ensuring compliance with most regulatory requirements. Furthermore, RBAC plays a vital role in implementing a zero trust framework. Effective management of RBAC can significantly enhance the security of your software supply chain.
Vulnerability Management: Vulnerability management provides developers, project leaders, and security teams comprehensive situational awareness by continuously monitoring the application lifecycle from development to deployment and production. This visibility is crucial for identifying security risks and addressing them in compliance with security and regulatory policies. Furthermore, it enables security teams to increase efficiency and minimize risks. This approach is similar to the use of Value Stream Management in DevOps.
Zero Trust: Zero trust is a security approach that restricts access to applications and data to only authenticated and authorized users and devices. In cloud-native environments, this means safeguarding access not only for people but also for machines, such as APIs. Zero trust operates under the assumption that attackers will find their way into networks and applications, and as such, it requires a thorough protection strategy against lateral movement and privilege escalation.
It is essential for DevOps teams to understand that the responsibility of ensuring security cannot be solely placed on the IT security team, and it should not be treated as an afterthought in the development process. Instead, development should collaborate with the IT security team to ensure that security is incorporated throughout the entire SDLC.
Like other aspects of technology, cybersecurity has its own set of unique nomenclature. Helping an organization stay secure means a commitment to continuous learning to keep abreast of a constantly changing landscape.