您的 IP 地址: 未知 · 您当前的状态: 受保护未受保护的未知
博客 How-To

DevSecOps – 3 keys to a secure workflow

Netflix, Etsy, and PayPal have all integrated security into the DevOps process to speed up innovation and enable continuous deployment of cloud software. But what is DevSecOps and how do you begin to integrate it? We’ll show you why a DevSecOps approach is needed now more than ever.

Zen Bahar

Zen Bahar

Apr 23, 2020 · 4 min read

DevSecOps – 3 keys to a secure workflow

What is DevSecOps?

DevSecOps is a workplace philosophy that fosters a collaborative spirit between developer and security teams to design apps that prioritize security.

To understand why a DevSecOps culture is essential in modern business, let's take a look at how security was managed in the past.

DevSecOps, “security as code”

Before the cloud, technology was created in static environments with linear workflows. With developer and IT security teams as separate entities, developers would build the product with innovation in mind and then pass it to security teams to build a security perimeter around it. But this created serious problems along the way.

If security risks were detected, developers would often have to withdraw code that had already been deployed, leaving problems to fester until after the software was already in production. Needless to say, this costs organizations massive amounts of time and money.

Security shouldn't beat around the bush

Securing the perimeter may have been an excellent defense against internet-borne threats and hackers, but it did nothing for damage at the application level.

SQL injections, cross-site scripting, command injections, layer 7 DDoS attacks, HTTP floods, parameter tampering, and Slowloris attacks are just a few examples how perimeter security is bypassed and flaws exploited within the code. If this sounds a bit too far-fetched, just remember that giants like Sony, Equifax, and Amazon were all breached due to simple design flaws.

In today's cloud environments, perimeter security would be highly inefficient and stifle the cloud's rapid deployment speed. As such, security could no longer be developed in isolation and the barriers between teams were hindering innovation rather than helping it. Security had to be re-imagined.

Why DevSecOps

DevSecOps integrates security from the start, boosting agility and response time. By treating security as an integral component rather than a cloak or afterthought, risk analysis can be carried out at every phase of the design process, detecting flaws and vulnerabilities earlier in the cycle.

DevSecOps is not a specific tool or process, it's a culture — a movement that has led to the creation of tools and techniques to improve security throughout all phases of development. Cloud-native technologies like VPNs and file encryption services steer away from static security policies, leading to quicker application development and proving that security is no roadblock to creativity.

Integrating DevSecOps tools

Managing risk while driving innovation and streamlining workflows isn't as hard as it sounds. All it takes is applying the right tools to the highest risk areas.

Three key principles

1. Manage access meticulously

It’s essential to balance data security with user access, especially knowing how easy it is to underestimate attacks through network access.

  • Identification, authentication, and authorization all need to be managed to protect sensitive data. You must also manage any policies that apply to them. For example, you may wish to prohibit actions for specific resources, such as only allowing access to certain networks while connected to the company VPN. It’s also crucial to revoke access when employees leave.
  • Security measures must be built into your network infrastructure, like requiring digital certificates to authenticate BYOD users and server certificates to protect against rogues.
  • Rogue access points that have slipped past IT can open backdoors for attackers to trick users into handing over login credentials through phishing attacks. Here's an example: an employee plugs in their own unprotected router with an ethernet cable to access the company network, allowing a criminal to piggyback on their connection.

2. Encrypt data in transit

All systems involved in data migration need to be encrypted end-to-end. If not, an attacker can easily intercept your traffic and make off with information that could jeopardize your entire project, leading to more downtime. Using a VPN is one way of ensuring your traffic stays encrypted while in transit.

3. Watch for sensitive changes

You cannot anticipate risk in your blind spot. Maintaining visibility prevents breaches from causing too much damage. Twitter, for example, created the Brakeman tool, which quickly scans submitted code for security flaws and instantly notifies the developers with recommendations on how to improve it – an excellent example of how security can be baked into the development process.

DevSecOps tools: integrating encryption for secure workflows

A single data breach can send a company's reputation down the drain. Stakeholders may want to know how often breaches occur in your sector, how much you are aware of potential breach scenarios, and how you intend to deal with them. VPNs and file encryption tools are one way of securing project communications in all phases of production.

Visibility: protecting software from unauthorized use

Unencrypted data in transit leaves the door wide open for hackers to sneak into your project. A VPN can reduce opportunities for attack by encrypting data sent between software containers and the server. For example, you could deploy an item to the container securely by running it through a VPN to anonymize the container’s conversation with the server.

On the other hand, file encryption tools like NordLocker are great for companies that deal with confidential information, such as the financial, legal, or medical records of clients. The best file encryption tools give users the encryption keys to their own data — this means that the information is safe even in the event of a breach, whether stored in the cloud or on your hard drive.

Localization testing: verifying code to speed up compliance

An often overlooked function of a VPN is the ability to change geographical location. Let's say a developer wanted to verify a piece of localization code (which modifies the language, culture, or legal requirements for other markets). They can use a VPN to connect to foreign servers to quickly verify whether the code works before sending it to quality assurance teams.

Final thoughts

DevSecOps seeks to unite teams and blend their expertise to drive the technology of tomorrow. The DevSecOps approach can streamline workflows by creating more security checkpoints throughout the build process and integrating the right tools at those checkpoints to automate security. We can speed up security and compliance with secure password managers while restricting access and ensuring confidentiality with a VPN.