Recent discussions we have been having with security teams has been revolving around how internal security can work better with the development function within their organisation. As organisations move towards an environment that enables fast innovation, security is having to think of more creative ways to keep up. With a few clicks DevOps can build and release multiple iterations of an application on new infrastructure a couple times a day. This means security teams have had to find a way to ensure applications are secure without compromising the speed at which improvements can be made. We have been working with these teams to help ensure that security is built into the process and SecOps and DevOps realise how much they have in common.
Companies who had been using a linear waterfall development model had a clear point at which the security testing could be conducted before a product needed to go live. This meant the team could engage a firm to do a penetration test, the report would be delivered, multiple issues raised, issues fixed and a new version deployed. The time between stages can sometimes stretch into the months. Even an Agile environment has more opportunities for security checks at multiple times during the lifecycle. In a DevOps environment to be effective sometimes security checks must happen at multiple times a day.
Fitting security into the DevOps environment presents challenges. Ask a DevOps team what their priorities are and at the top of the list will most likely be function, features, performance, usability, uptime and then somewhere on the list but most likely not at the top would be security. To fit in with this model security checks should be happening multiple times per day and must be driven by the developers. The only way to address these challenges is to automate security wherever possible and make it well enough integrated that it becomes just another process.
Calling out developer’s security mistakes (sometimes even in public presentations) is never going to work. To respond to these challenges security practitioners will require the right tools, the right processes and great communication. Dealing with geographically dispersed teams working on different projects and all under pressure to deliver can mean communicating the security message effectively is difficult. Engaging an information security specialist with experience delivering security to DevOps can take pressure off developers and ensure that security objectives are met without compromising the speed at which development can take place.
These are some areas that an experienced consultancy will be able to assist with:
- Security architecture review
- Pair programming with developers for knowledge transfer and help with implementation details
- Writing abuse cases for unwanted application behaviour which impacts security
- Write supporting automated tests for abuse cases
- On-the-spot threat modelling to understand business impact of issues identified and help developers and management prioritise fixes alongside an existing backlog of non-security activities
- Code for integration with existing security tools
- Code security metrics
- Continuous integration and continuous delivery pipelines for security testing
- Security issues triage – help to verify false positives and ensure these are picked up during the process
- Manual Code Review
- Infrastructure as code design and implementation security reviews
- Build Pipeline environment security audits
- Identification and handling of sensitive information in source code, including credentials and hardcoded secrets
- Support for handling of personally identifiable information in code and logs
- Integration with existing issue tracking and notification systems
- Working with tools
To learn how our SecOps team can help your DevOps team please get in touch.
P: +61 439 016 160