WIXLIB

How to Navigate the Intersection ofDevOps and Security

“In a DevOps cultureall participants in thesoftware delivery lifecycle(not just development andoperations) align arounda shared goal: the rapiddelivery of stable, highquality software fromconcept to customer.”—Brian Dawson, CloudBees1

A brief history of Dev vs. OpsTraditionally, the software development process is split into two distinct phases and associated teams. Thedevelopment team writes and compiles code, then releases it to the IT operations team. The operations teammakes sure that the code runs and remains stable in production environments. A third group, IT security, tackles thejob of making sure that no security issues exist before the software is deployed. The security team typically worksclosely with the operations team.Each of these teams has different responsibilities, often with little communication between them. As developmentworks to meet customer demands and adapt to the competitive landscape by bringing new products and featuresto market quickly, operations provides a stable and secure production environment, where it can run and deployapplications safely, providing reliable service for customers.The functional responsibilities of development and operations often conflict with each other, creatingmisalignments between the two teams and leading to inefficiencies in pushing out new software: longer releasecycles, reduced-quality software, internal mistrust, botched releases, and frustrated customers. Enter DevOps.What is DevOps?DevOps is essentially an ideology. It combines cultural philosophies, technical practices, and tools to helpdevelopment and IT operations teams work collaboratively to first build, then test, and finally release software fasterand more reliably. Ultimately, the goal of DevOps is to enable organizations to serve their customers more effectivelyand increase their competitive edge.Some organizations merge development and operations into one DevOps team, staffed with engineers whocan work across the application life cycle, building out development, test, deployment, and operations skills.Quality assurance and security teams may also be integrated into the process and function throughout theapplication life cycle.DevOps advocates automating manual processes and using tools that help teams improve and operateapplications faster and more reliably. The effect is an organization with increased trust between groups, leading tofaster software releases and the ability to solve critical issues quickly and manage unplanned work effectively.“In the DevOps ideal, developers receive fast, constantfeedback on their work, which enables them to quickly andindependently implement, integrate, and validate their code,and have the code deployed into the production environment.”—The DevOps Handbook2 synopsys.com 1

DevOps principles: The 3 WaysThe Three Ways3 are the principles all DevOps patterns are derived from. They describe the philosophies framingthe processes, procedures, and practices of DevOps. Each way contributes to the entire concept of DevOps andincludes prescriptive steps to help teams achieve DevOps in their organization.The First WayThe First Way sends a rapid flow of work from development to operations, and on to delivery to the customer. Tosucceed, teams need to focus on four tasks: Make work visible. That is, find a way to visualize the work so you can see the problems and resolve them. Reduce both the batch sizes of the work (the requirements, code, and tests in each work item) and work intervals. Build quality into the process by preventing defects from being passed downstream. Keep optimizing for global goals.The Second WayThe Second Way generates a quick and constant feedback loop from right (operations) to left (development) atall stages. Teams boost feedback to avoid duplicating problems and enable more rapid detection and thereforerecovery, gaining the ability to learn and improve.The Third WayThe Third Way creates a collaborative, high-trust work environment that supports a disciplined approach to takingrisks and experimenting, thus facilitating organizational learning from both achievements and failures.1. FlowDev2. Feedback loopsOpsDev3. Experimentation and learningOpsDevOpsThe last step to achieving DevOps is integrating security, change management, and compliance controls into theday-to-day jobs of development and operations teams. Doing so makes security a part of every role in the softwaredevelopment life cycle, instead of limiting that responsibility to the security team. Building automatic securitycontrols into the DevOps processes and tools that development and operations teams already use can go a longway toward creating the fast, reciprocal flow of feedback necessary for a successful DevOps implementation. synopsys.com 2

“One of the top objections to implementing DevOpsprinciples and patterns has been, ‘Informationsecurity and compliance won’t let us.’ And yet,DevOps may be one of the best ways tobetter integrate information securityinto the daily work of everyone in thetechnology value stream.”—The DevOps Handbook4“Incorporating security earlier in the process creates shorter feedback loops and decreases complexity, allowingengineers to fix security or compliance issues faster and more easily.When it came to information security and compliance, we found that blockagesat the end of the project were much more expensive than at the beginning—andInfoSec blockages were among the worst.”—Justin Arbuckle, former chief architect at GE Capital 5So what is DevSecOps?Dr. Tapabrata Pal, director and platform engineering technical fellow at Capital One, described the process ofintegrating security into all stages of the software development life cycle (SDLC) as DevOpsSec. Today we call itDevSecOps or secure DevOps. The practice of DevSecOps requires cultural and practical changes, including these:Integrating security into defect tracking and postmortemsTrack security issues in the same work tracking systems that your development and operations teams alreadyuse to ensure security visibility and prioritization. The most common tool is Jira, Atlassian’s issue and projecttracking software. Then do a review after every security issue so you can prevent your team from repeatingthe same problems.Integrating security controls into shared source code repositories and servicesAll teams should share a source code repository containing security-approved libraries that fulfill specific securityobjectives. This repository can also contain packages and builds approved for use in development (such as secureversions of OpenSSL with correct configurations), in addition to toolchains, the deployment pipeline, and standards.Teams typically use source code management tools, such as Git (GitHub, GitLab), Bitbucket, and Mercurial, as wellas binary repositories, such as Artifactory and Nexus. synopsys.com 3

Integrating security into your deployment pipelineAutomate as many security tests as possible, as much as possible, to run alongside other automated tests in yourdeployment pipeline. Automate these tests at every major commit of code by development or operations, even atvery early stages. The goal is to provide short feedback loops so development and operations teams are notified ofany potential security issues in code commits. This allows teams to detect and correct security problems quickly asa part of daily work instead of waiting until the end of the SDLC, when fixes are often complex, time-consuming, andexpensive. The easiest way to achieve this step is using continuous integration tools, such as Jenkins, Travis, andTeamCity, and continuous delivery/deployment tools, including Jenkins, XebiaLabs, and GoCD.Ensuring the security of the applicationAs you automate your tests, generate tests to run continuously in your deployment pipeline, instead of performingunit or functional tests manually. This step is critical for the QA team, who will want to include static and dynamicanalysis (SAST and DAST), software composition analysis (SCA), interactive application security testing (IAST),container scanning, and more. Many of these testing processes can be part of a continuous integration (CI) orcontinuous delivery/deployment (CD) pipeline.“Only about half of CI/CD workflowimplementations include any applicationsecurity testing elements.”—451 Research 6Ensuring the security of the software supply chainUp to 90% of modern applications are constructed from open source components, making it a fundamental part ofthe software supply chain today. When using open source components and libraries, DevOps teams must considerthat applications inherit both the functionality of open source code and any security vulnerabilities it contains.Detecting known vulnerabilities in open source helps developers choose which components and versions to use.Integrating vulnerability checking during the CI process or within the binary repository or IDE helps ensure thesecurity of the software supply chain. synopsys.com 4

What tools do I need to implement DevSecOps?Covering custom codeStatic application security testingStatic application security testing (SAST) is a type of security testing that analyzesapplication source code, including byte code and binaries, for coding and designconditions that may indicate security vulnerabilities. SAST solutions analyze applicationsat the source code level—without executing code. SAST finds critical defects andsecurity weaknesses in code so they can be fixed before release. It’s essential tointegrate an automated SAST solution into the SDLC to continuously identify qualitydefects and potential security vulnerabilities as custom code is written. Superior toolsprovide actionable and accurate remediation guidance to enable developers to address security problemsearly in the SDLC.When selecting a static analysis tool, select one that provides deep, full path coverage, supports thousands ofdevelopers, and analyzes large projects exceeding 100 million lines of code. Look for a SAST tool that integrateswith your key development tools and CI/CD systems to enable application security testing at DevOps speed,helping your organization get to market faster with reduced cost and risk.Dynamic application security testingDynamic application security testing (DAST), sometimes called black box testing, isperformed on an application while it is running. Most DAST tools test only exposed HTTPand HTML interfaces for web-enabled applications.While DAST tools may be easier to run and use than SAST tools, they cannot pinpointspecific weaknesses in application code, leaving the task of finding and fixing thevulnerable code to the developer. Unlike SAST, DAST can be used only on a runningapplication, limiting its use to later phases in the SDLC: testing, staging, and production.Interactive application security testingInteractive application security testing (IAST) analyzes running application behavior duringthe testing phase, working in the background during manual or automated functionalor security tests. Unlike DAST, IAST solutions use code instrumentation to observeapplication behavior and dataflow, identifying vulnerabilities and providing developers withthe information needed to pinpoint, prioritize, and remediate them. These capabilities makeIAST a good solution for CI/CD environments, where speed and automation are a priority.Covering third-party and open source codeSoftware composition analysisLike SAST, software composition analysis (SCA) statically analyzes source code orbinaries. SCA tools identify open source components in applications and any associatedsecurity vulnerabilities that have been reported against them. More often than not,SAST tools alone cannot identify these open source vulnerabilities, so it is important toincorporate SCA for a secure DevOps pipeline. synopsys.com 5