Top Tips for Navigating the Murky Waters of DevSecOps
November 18, 2020
DevOps is a must-have for most, if not all, companies across all sectors. More than just a set of practices for combining software development and IT operations, DevOps is now the bedrock of systems development. Companies depend on this discipline to provide continuous delivery of high-quality software. In fact, a recent Gartner study stated that “by 2021, DevSecOps practices will be embedded in 60% of rapid development teams, as opposed to 20% in 2019.”
Yet integrating security into DevOps – in the hope of achieving effective DevSecOps – remains an uphill struggle: it requires changing mindsets, adopting new technologies and modifying processes to implement and optimize the security practice. According to the same Gartner study, “Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the Sec in DevSecOps transparent.”
Despite these challenges, organizations can take proactive steps towards navigating the murky waters of securing their DevOps environments. We believe, as Gartner aptly points out, that the key is to integrate security and compliance testing into DevSecOps, and to do so effectively. One part of this effort is ensuring that developers stay within their continuous integration and continuous deployment (CI/CD) toolchain environments rather than switching to separate security tooling.
Successful integration into DevSecOps also means that scans for known vulnerabilities and misconfigurations in all open-source and third-party components run on a continuing basis, and that InfoSec teams focus developers' attention on the findings with the highest severity and confidence. Perhaps most importantly, Gartner states that DevOps and InfoSec groups must be “open to using new types of security tools and approaches to minimize friction for developers in order to replace traditional static and dynamic testing.”
Putting the Security in DevSecOps
Adding new tools to your arsenal that drive DevOps security, particularly for DevOps in the cloud, can be a game-changer in achieving true DevSecOps. The right solutions mitigate the effects of complexity and noise, from false alarms to the resource drain of manually checking logs.
This is particularly true in clouds used for application development or DevOps purposes, where access is often limited and only one person has the ability to turn instances on and off. That one individual is then solely responsible for ensuring that cloud resources are used optimally. To manage cloud resources efficiently and reduce unnecessary clutter and costs, companies need to pay attention to the right data, since DevOps relies heavily on monitoring and on the feedback that confirms apps are running well.
Companies also need to monitor things such as whether cloud instances are properly sized. An instance that keeps running when it is not being actively used can be a sign of rogue resources that are unnecessary but still costing the company. In fact, over 40% of cloud workloads are non-production, such as test, development and QA environments. These environments don’t need to run 24/7, yet they often do, which adds further complexity.
Lacework is able to eliminate this complexity and drive DevSecOps by empowering InfoSec teams to place containers with similar behaviors into a single logical cluster – called a Polygraph – each with a baseline of expected characteristics and behaviors. The Polygraph is Lacework’s foundation for securing containers: a deep temporal baseline is built by collecting high-fidelity machine, process and user interactions over a period of time.
Clustering containers by behavior dramatically simplifies the visualization of a containerized cloud in a Lacework Polygraph by representing dozens or even hundreds of similar containers as a single item. It also means that new containers or configuration changes do not generate alerts as long as their behavior stays within the expected baseline.
To that end, Lacework’s security platform creates multiple types of polygraphs, each based on a different behavioral category:
- The communication polygraph baseline tracks communication patterns between different container clusters.
- The launch polygraph baseline watches the launch characteristics of all clusters.
- The privilege change polygraph baseline contains data about all user privilege changes within the containers.
- The user activity polygraph baselines user behavior over time.
With Polygraph, DevOps and IT security teams can detect anomalies, generate appropriate alerts and leverage a tool to investigate and triage any issues across AWS, Azure and GCP platforms.
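To make the clustering-and-baseline idea above concrete, here is a small added example (illustrative code written for this article, not Lacework’s implementation or API). It groups containers into behavioral clusters by image, learns a per-cluster baseline for three of the categories described above (launch, privilege change, communication), and then flags only events that leave that baseline, so a new container that behaves like its cluster produces no finding. The `Event` fields, the use of the image name as the cluster key and all sample events are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    """One observed container activity record (field names are assumptions)."""
    container: str              # container id
    image: str                  # image the container runs; used as the cluster key
    user: str                   # user the process ran as
    process: str                # process launched inside the container
    dest: Optional[str] = None  # connection target: another container id or host:port

def cluster_key(event: Event) -> str:
    # Containers from the same image are treated as one behavioral cluster.
    return event.image

def destination_cluster(dest: str, image_of: dict) -> str:
    # A destination that is a known container collapses to that container's
    # cluster; anything else is treated as an external endpoint.
    return image_of.get(dest, "external:" + dest)

def build_baseline(events):
    """Learn, per cluster, the processes, users and destination clusters seen."""
    image_of = {e.container: e.image for e in events}
    baseline = defaultdict(lambda: {"launch": set(), "privilege": set(), "communication": set()})
    for e in events:
        entry = baseline[cluster_key(e)]
        entry["launch"].add(e.process)
        entry["privilege"].add(e.user)
        if e.dest is not None:
            entry["communication"].add(destination_cluster(e.dest, image_of))
    return dict(baseline), image_of

def evaluate(events, baseline, image_of):
    """Return (container, category, detail) for every departure from the baseline."""
    # New containers seen only in the evaluated events still map to a cluster.
    image_of = {**image_of, **{e.container: e.image for e in events}}
    findings = []
    for e in events:
        entry = baseline.get(cluster_key(e))
        if entry is None:
            findings.append((e.container, "launch", "unbaselined cluster " + cluster_key(e)))
            continue
        if e.process not in entry["launch"]:
            findings.append((e.container, "launch", e.process))
        if e.user not in entry["privilege"]:
            findings.append((e.container, "privilege", e.user))
        if e.dest is not None:
            dc = destination_cluster(e.dest, image_of)
            if dc not in entry["communication"]:
                findings.append((e.container, "communication", dc))
    return findings

def cluster_sizes(events):
    """How many distinct containers each cluster stands in for in a visualization."""
    members = defaultdict(set)
    for e in events:
        members[cluster_key(e)].add(e.container)
    return {k: len(v) for k, v in members.items()}

# Constructed learning-window events: two web containers talk to two API
# containers, which talk to one database container.
BASELINE_EVENTS = [
    Event("c1", "web:1.4", "www-data", "nginx", "c4"),
    Event("c2", "web:1.4", "www-data", "nginx", "c5"),
    Event("c4", "api:2.0", "app", "gunicorn", "c8"),
    Event("c5", "api:2.0", "app", "gunicorn", "c8"),
    Event("c8", "db:12", "postgres", "postgres"),
]

# Constructed later events: two scale-out containers that behave like their
# cluster, and one API container that departs from its baseline in every category.
NEW_EVENTS = [
    Event("c3", "web:1.4", "www-data", "nginx", "c5"),
    Event("c6", "api:2.0", "app", "gunicorn", "c8"),
    Event("c5", "api:2.0", "root", "sh", "203.0.113.7:443"),
]

if __name__ == "__main__":
    baseline, image_of = build_baseline(BASELINE_EVENTS)
    print("cluster sizes:", cluster_sizes(BASELINE_EVENTS))
    for finding in evaluate(NEW_EVENTS, baseline, image_of):
        print("finding:", finding)
```

Running it reports three findings, all against `c5` (an unbaselined process, an unbaselined user, and a connection to an external endpoint its cluster never contacted), while the new containers `c3` and `c6` are silent because they stay inside their cluster’s baseline. A production system would of course learn over a longer window and score deviations rather than treating every new value as equally suspicious, but the shape of the check is the same.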