DevSec... What?
Despite the volume of material written about digital transformation, it is, contrary to what many imagine, still a work in progress around the world. Gartner defines it as
"anything from IT modernization (for example, cloud computing), digital optimization and the invention of new digital business models".
Its practical effects for IT teams include, among other things, increased automation and accelerated deliveries related to software development.
Even though references to the term DevOps go back to 2009, technology teams still have difficulty understanding these practices and building them into their daily routine.
We have been working on projects related to this theme since 2017, and I have noticed growing interest in the subject. That is why I decided to address it here, covering the concepts associated with DevOps, the main challenges of implementing it within the application development pipeline, and what it demands of a solution for protecting privileged secrets and credentials.
The question isn’t about whether a company should implement DevOps or not, but when.
In published research, Gartner indicates that the business areas expected to grow most during the Covid-19 pandemic are Cloud, IT Services, Development and Security. In other words, digital transformation is also accelerating changes in the functions and practices of Operations and Development teams, with the aim of improving the software delivery process.
Corporate leaders have been forced to make decisions and adopt new models to ensure business continuity. According to Barracuda research, 53% of the IT leaders interviewed will accelerate their plans to migrate 100% of their infrastructure to cloud models in the coming months.
With the demand for faster rollout of new technologies, applications and features, organizations are adopting agile development strategies, and DevOps is one of them.
According to Gartner, the goal of DevOps is to bring down the walls between the Development and IT Operations teams, increasing the speed of delivery and the innovation of capabilities enabled by IT. The DevOps methodology seeks to integrate the processes of these two teams through extensive use of automation, delivering high-quality software in less time.
Agile practices such as DevOps are adopted by companies that have reshaped their earlier delivery models around products. With Operations and Application leaders working together, companies increase their chances of delivering value to customers more quickly.
It is estimated that by 2022, 25% of all software development projects will follow the DevOps methodology from conception to production, against less than 10% today.
Agile development without security equals fines paid over data leakage
The DevOps pipeline consists of several stages, from code development (with source code management tools) and testing to the deployment and monitoring of the applications produced. Each stage involves specific tools. As adoption of DevOps tooling grows, security and risk management teams have recognised the need to secure applications throughout the pipeline.
To avoid future problems such as personal data leaks, these tools must provide visibility, orchestration, integration, governance and management of the DevOps flow, with traceability of everything that has been done. In this context, the Development team has taken on responsibility for numerous security processes in its workflow.
And it was from this movement that DevOps evolved into what we have agreed to call DevSecOps.
To make this practice work in companies, security teams must adapt their internal programs to the speed required by DevOps. By building security into the coding process, vulnerabilities are discovered and remedied before the application is launched, which reduces the attack surface available to malicious actors, including the risk introduced by third-party open source components.
By 2022, according to Gartner, 90% of software development projects will follow DevSecOps practices, up from 40% in 2019.
It’s cheaper to prevent and adopt, than to fix and pay.
Development teams work with a huge range of tools to build, test, deploy and run software in their environments. Some of these tools, such as Chef, Kubernetes and Jenkins, store a significant number of credentials (passwords or secrets) that the projects, playbooks and scripts they manage use to access other tools, services and platforms.
Often these credentials carry a high level of privilege and are not tied to a specific person: they belong to service accounts, which frequently hold administrative rights.
Some of the attack vectors available to an attacker in a DevOps environment are:
- Code repositories - code injection, code theft and/or credential exposure;
- CI/CD tools - exposed credentials and/or malware injection;
- Automation scripts - injection of code or malware and/or embedded access keys;
- Containerization - malware injection and/or exposed credentials;
- Cloud administration consoles - resource hijacking and/or customer data exposure;
- Developer workstations - exposed Git credentials and/or exposed access keys.
Considering the development pipeline, a few aspects must be addressed when adopting a Privileged Access Management solution for proper secrets management:
- The DevOps environment is very heterogeneous, and it is difficult to gain visibility of the secrets spread across the pipeline: the solution must be able to discover, inventory and manage all the secrets in the environment, which is what makes greater security maturity in DevOps environments achievable;
- Creation of access keys in cloud tools: the solution must act as an IAM broker, managing the access keys generated in CSPs to reduce security risk and improve governance;
- Sensitive information spread over CI/CD tools: it must be possible to scan the pipeline to detect sensitive information and to rotate secrets without refactoring code, which reduces both security risk and improper access to sensitive data.
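The attack vectors listed earlier (embedded access keys in automation scripts, credentials in CI/CD tools, exposed Git credentials on workstations) and the requirement above to scan the pipeline for sensitive information can be made concrete with a small secrets scanner. The following is an added example written for this page, not code from the original post or from any product it mentions. It runs a few detection rules (an AWS access key ID format, a private key header, a credential embedded in a URL, a secret assigned to a suggestively named variable, and a Shannon-entropy check for key-like quoted strings) over constructed sample files: a Jenkinsfile, a deploy script, a `.git-credentials` file, a deploy key, and a clean script that fetches its password from a vault at run time. The AKIA/wJal key pair is the example pair from the AWS documentation; every other value, file name and rule name is made up for illustration.

```python
import math
import re
from collections import Counter, namedtuple

# Constructed sample files standing in for artifacts found across a DevOps pipeline.
# The AKIA.../wJal... pair is the AWS documentation example key pair; everything else
# is made up for illustration and is not a real credential.
SAMPLE_FILES = {
    "Jenkinsfile": (
        "pipeline {\n"
        "  environment {\n"
        "    AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "    AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "  }\n"
        "}\n"
    ),
    "deploy.sh": (
        "#!/bin/sh\n"
        'DB_PASSWORD="Sup3rS3cretP@ss!"\n'
        'psql "postgres://app:$DB_PASSWORD@db.internal/app" -c "SELECT 1"\n'
    ),
    ".git-credentials": "https://devuser:hunter2pass@github.com\n",
    "deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAAC3NzaC1lZDI1NTE5 (constructed placeholder body)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    # Clean counterpart: the secret is fetched from a vault at run time, so the script
    # holds only a reference and the password can be rotated without touching the code.
    "deploy_ok.sh": (
        "#!/bin/sh\n"
        'DB_PASSWORD="$(vault kv get -field=password secret/app/db)"\n'
    ),
}

# Each rule is (name, pattern); group 1 captures the candidate secret value.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("private-key", re.compile(r"(-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)")),
    ("url-embedded-credential",
     re.compile(r"\b[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^/\s@]+)@", re.I)),
    ("hardcoded-secret",
     re.compile(r"\b\w*(?:password|passwd|secret|token|api_?key|access_?key)\w*"
                r"\s*[=:]\s*['\"]?([^'\"\s]{8,})", re.I)),
]
# A quoted base64-like string of 20+ chars that looks like key material even when the
# variable name gives nothing away; random material scores above the threshold, while
# identifiers and ordinary words score below it.
HIGH_ENTROPY = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character

Finding = namedtuple("Finding", "file line rule preview")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value):
    """True for values that are references rather than secrets: $VAR, $(cmd), {{ var }}, <fill-in>."""
    v = value.strip()
    return (v.startswith("$") or v.startswith("{{") or v.startswith("<")
            or v.upper() in {"CHANGEME", "REPLACE_ME"})


def redact(value):
    """Never echo the secret itself into a report; keep a short prefix for triage."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_text(name, text):
    """Apply every rule to each line of one file and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if m and not is_placeholder(m.group(1)):
                findings.append(Finding(name, line_no, rule, redact(m.group(1))))
        m = HIGH_ENTROPY.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(name, line_no, "high-entropy-string", redact(m.group(1))))
    return findings


def scan_files(files):
    return [f for name, text in files.items() for f in scan_text(name, text)]


def rules_by_file(findings):
    """Map file name -> set of rule names that fired, for files with at least one finding."""
    out = {}
    for f in findings:
        out.setdefault(f.file, set()).add(f.rule)
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line} [{f.rule}] {f.preview}")
```

Two design points matter more than the particular regexes. First, the placeholder check is what keeps the scanner usable in a pipeline: `postgres://app:$DB_PASSWORD@...` and the vault lookup in `deploy_ok.sh` are references, not secrets, and must not be reported, otherwise the team learns to ignore the output. Second, the report only ever carries a redacted prefix, because a scanner that prints the secrets it finds into CI logs has just created another one of the exposures in the list above.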
Development environments are full of privileged credentials used by people and machines, in automation processes and in scripts. In these environments, security and access policies must be checked constantly to ensure that DevSecOps is actually being practised.
There is no single recipe for implementing a DevSecOps methodology, but experience has shown me that the first step towards company-wide adoption is to bring the leaders of the Development, Operations and Security teams together around the common goal of managing privileged accounts in the software development pipeline.
If you want to know more about the practices that I have followed on this topic in my day to day, please leave your question below so that more people can follow our DevSecTalk.