DevSecOps in the Cloud: Creating Policy as Code Pipelines
This post was last updated on December 18th, 2019 at 10:42 am
Organizations are increasingly adopting a DevSecOps mindset to help them meet the demands of perilous cybersecurity threat landscape. What this means is that security is brought to the forefront of the software development process and incorporated into every phase of the code pipeline. By shifting security left can accelerate the overall security process and reduce the technical debt accrued in traditional, linear security models.
To implement DevSecOps, you need to establish a strong security policy, which will be clear and easily executable. Policy as code is the practice of writing code to help manage these policies, and much of this is centered on automation. Policy as code is typically expressed in a high-level language and stored in text files.
The following six tips can help you formulate your security policy to support a DevSecOps pipeline.
1. Plan and implement governance
You need to put in place a clear set of policies and procedures to manage the DevSecOps process. You also need to enable the creation of audit trails, which are necessary for compliance reporting. To ensure the transparency and traceability of the DevSecOps pipeline, you should put in place easy, one-click compliance reporting throughout the software development lifecycle (SDLC).
Another crucial step for DevSecOps planning is to clearly define the roles and responsibilities of your staff across teams. It is important to consider your security policy as a living organism that can grow and change over time, and respond to the insights gained through continuous monitoring of security events. When in doubt, you can refer to a DevSecOps security checklist.
2. Maintain a single source of truth
To enforce your policies and evaluate compliance, you need to keep your policy definition in a single repository. You can use a version control system like GitHub, and the policy definitions arranged in a uniform system will become the single source of truth for all teams involved in security. Metadata is useful for making your files intelligible and will make it easier to implement your policies.
3. Encourage collaboration on security
DevSecOps is dependent on development, operations and security teams having shared objectives. Activities are aligned to business priorities and are measured using uniform metrics. Make sure that your teams are all familiar with their responsibilities and provide a standardized production environment and common language for addressing security issues. This integrated framework will help secure both the application and the pipeline in a comprehensive and thorough manner.
4. Secure your code
Security as code is a central aspect of the DevSecOps approach. To improve the security of your applications and reduce security debt, you should use secure coding practices, incorporating them into your policy. These include the use of automated testing and security tools while building code, restricting access to the development environment, and threat modeling to identify vulnerable points in your code. The use of techniques such as containerization and cloud infrastructure automation can also facilitate security and compliance auditing.
5. Create a continuous feedback loop
Feedback allows developers and the machines they use to gain comprehensive insight into system vulnerabilities. It is also essential for informing policies and rule sets that keep security testing tools updates. For example, the threat intelligence collected can shape prioritization and process flow decisions.
Proactive monitoring provides actionable information, conveyed to security teams via dashboards and automated alerts. Continuous monitoring will help security analysts identify security issues before damage is done. Organizations should arm themselves with real-time, continuous feedback that will allow them to stay on top of the evolving security landscape.
6. Automate recurring tasks
Automation can help reinforce and elevate your security processes and is a core element of DevSecOps. Recurring tasks can be easily automated to save time, reduce human error and support an integrated workflow. You can automate tests, scans and operational controls to embed security into the development pipeline.
Operations engineering tasks can be performed automatically in secure containerized or infrastructure-as-code environments. This will be much quicker than human-driven processes and ensure that responses to detected intrusions are instant. You can engineer these response capabilities to automatically freeze nodes, redirect traffic and notify operators or relevant third parties.
Building security at the code level is a fundamental aspect of the DevSecOps approach, and there are numerous techniques and tools to help you achieve this. However, the security of your application and production environment is only as strong as your governance. For this reason, it is essential to design and implement clear security policies and provide the means to track compliance.
For a true DevSecOps pipeline, you also need to ensure that your organization as a whole adopts a DevSecOps culture and that your policies are flexible and responsive to evolving security threats. Creating and implementing your DevSecOps policy with an emphasis on secure code will allow your organization to achieve security throughout the development pipeline and after release, both for the application and for the production environment, and you will be able to oversee the process with good governance transparency measures.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.