DevOps principles and practices include integrated and multidisciplinary teams, working together to enable continuous software delivery.

To develop and release faster, developers constantly add open source components to their projects. Approximately 60 to 90 percent of code today is actually open source. This has the potential to introduce the following: 1. Security vulnerabilities and 2. License compliance issues – into the organization. Relying on developer reports and manual processes only provides a partial picture. Hence, security and compliance are an essential part of the DevOps process.

The development lifecycle is a repetitive process that starts with a developer writing code, a build being triggered, the software package deployed to a production environment and monitored for issues identified in the runtime. The process continues as new features are developed and bugs fixed. Security should be introduced at every stage.

There is an existing ratio of 200:5:1 developers to operations to security people. This means that any security issue identified by a security scanning tool needs to be reviewed by a very small security team that may even lack the technical knowledge. This challenge can be reduced by shifting left to the developer and operations teams, making them also responsible for security and compliance, and moving security earlier in the SDLC process. Implementing the identification of security issues earlier in the CI/CD pipeline, as well as automating security and compliance policies in the Software Development Lifecycle (SDLC), rather than using manual processes, is crucial. Moreover, organizations that leave the Sec out of DevOps, may face security and compliance issues that are closer to their release, resulting in additional costs for remediating such issues.

DevSecOps Culture

A DevSecOps culture is one in which everyone takes responsibility and ownership of security. Blending in with the best practices of DevOps, each development team should assign a security champion to lead the security and compliance processes and actions in the team to maximize the security of the software that is delivered.

The nature of DevOps is to automate as much as possible to prevent human errors and create automated gates to prevent having unstable code getting into production. In essence, code with a security vulnerability or a non compliant license is unstable.

DevSecOps Principles

Introducing and implementing DevSecOps to an organization requires cultural and operational changes. Including: security training, tools and resources. Here are some useful concepts when making the shift in your organizational culture.

  • Security champions

    These team members are responsible for the overall security aspects, making sure they are implemented in the DevOps pipeline, and exposing them to other members of the team. For example, A development team security champion will lead the implementation and usage in the team of:

    • Static Application Security Testing (SAST), to discover security flaws in the source code
    • Software Composition Analysis (SCA) for visibility into open source dependencies.

    A QA team security champion will implement:

    • Dynamic Application Security Testing (DAST) as part of automated QA cycles.

  • Security as an integral part of the process

    DevSecOps practices require security as part of the SLDC, rather than just before software is released to production. This means that developers integrate security scanning into the build process, as well as their IDE environment to identify vulnerable dependencies.

  • Easily accessible data

    Developers outnumber security professionals by 200:1. Using dedicated IDE plugins, can bring security data directly into the tools developers are already using, making it simple to adopt. Introduce best practices for developers on how they can avoid security issues as they write their code.

JFrog Xray puts security at the developer’s fingertips by providing security vulnerability information about dependencies used in the code.

  • Automated Governance

    In addition to manual checks, such as code reviews, security checkpoints can be distributed at each phase of the DevOps pipeline to determine if your software can continue to the next phase. A governing system can automatically enforce company policies, and be able to take action accordingly without intervention:

    • Notification of security or compliance violations (Email, Instant Messages, Jira, etc.)
    • Blocking of downloads
    • Failing of builds that depend on vulnerable components or fail to comply with license policies
    • Prevention of the deployment of vulnerable release bundles

JFrog Xray can be integrated with any CI server to fail builds if security vulnerabilities or open source license compliance violations are found in any build artifacts or dependencies.

DevSecOps can be automated into your pipeline, creating an abstract overlay of security.

DevSecOps Tools

There are several families of security and compliance tools to address different aspects of the SDLC. This includes: Static Code Analysis (SAST), Software Composition Analysis (SCA), and different approaches for testing the code for vulnerabilities (DAST and IAST). In addition there are tools that are aimed to monitor and protect your binaries in production environments against attacks that exploit your code or your environment vulnerabilities. Ideally teams should aim to adopt all of these areas for complete SDLC security.

Static Application Security Testing (SAST) tools can help you in identifying vulnerabilities in your own proprietary developed code. Developers should be aware of and use SAST tools as an automated part of their development process. This will help to detect and remediate potential vulnerabilities early on in the DevOps cycle. There are many examples of static analysis tools, including SonarQube and Veracode.

Software Composition Analysis (SCA) encompasses managing and monitoring license compliance and security vulnerabilities in the open source components your code depends on. Knowing what OSS components are being used and what their dependencies are of primary concern. After identifying the open source components, SCA tools such as JFrog Xray, will provide information on licenses and whether there are any known security vulnerabilities associated with these components. Advanced SCA tools offer policy enforcement capabilities, preventing the download of binaries, failing builds, and notifying other systems.

Dynamic and Interactive Application Security Testing (DAST and IAST) tools test the running application’s exposed interfaces, looking for vulnerabilities and flaws. While DAST looks at the application as a black box, IAST uses instrumentation that combines dynamic application security testing (DAST) and static analysis security testing (SAST) techniques to increase the accuracy of application security testing. Examples of IAST tools include Synopsys, Checkmarx and Contrast Security.

Container Runtime Security tools monitor the containers in their runtime environment. Such tools provide different abilities including – firewalling on different levels, identifying anomalies based on behavioral analytics and more. Examples of runtime protection tools include Twistlock (Prisma Cloud Native Security), AquaSec, NeuVector and Rezilion.

Best Practices for DevSecOps

  • Train development teams to develop secure code
  • Track security issues the same as software issues
  • Security as code, Security Built In
  • Integrate security controls in the software pipeline
  • Automate security test in the build process
  • Detect known vulnerabilities during the pipeline
  • Monitor security in production for known states
  • Inject failure to ensure security is hardened
    Source: The Divine and Felonious Nature of Cyber Security – John Willis @botchagalupe

    The DevOps Handbook, Gene Kim, Patrick Debois, John Willis, Jez Humble

Get Started

Try out JFrog DevSecOps Tools now!
You can run a free trial on-prem or in the cloud.

Start For Free