Embedding Security into Zero Trust DevOps: A new philosophy emerges
Embedding Security into Zero Trust DevOps: A new philosophy emerges
DevSecOps is a developing philosophy that aims to embed security into rapid software development practices like Agile and DevOps. By shifting security left and integrating it earlier into the development lifecycle, DevSecOps helps teams build more secure software faster. This essay explores how DevSecOps engineers balance velocity and security through cultural change, automation, and collaboration. Examples demonstrate how implementing zero trust, shifting testing left, and enabling self-service can enhance security without sacrificing speed. Ultimately, DevSecOps requires compromise between velocity and security, but emphasizes that these goals are not mutually exclusive. With the right tools, strategies, and culture, developers and security engineers can collaborate to rapidly deliver secure systems.
Analysis
What tradeoffs are required between velocity and security in collaborative DevOps environments? Significant tradeoffs exist between speed of development and building secure systems. Traditional software development often viewed security as a separate concern, leading to friction between developers focused on rapid delivery and security teams enforcing compliance at the end. DevOps brought these silos together, but balancing its velocity with good security remains challenging.?
DevSecOps emerged as a philosophy to embed security earlier into rapid development practices. Instead of bolting on security post-development, DevSecOps shifts security left to integrate it throughout the lifecycle. This enables detecting issues quicker and reducing rework down the line. However, balancing speed and security requires compromise on both sides.
On the development side, teams must invest more time upfront on practices like threat modeling, static analysis, and unit testing. While this feels slower initially, it prevents larger delays fixing vulnerabilities late in production. Security teams likewise need to align their approaches with iterative development. Rigid compliance rules and lengthy audits hamper velocity, so security engineering needs to enable self-service and automation rather than act as a roadblock.?
With willingness to adjust on both sides, collaborative DevOps environments can achieve improved security without sacrificing speed. Three key strategies help make this tradeoff manageable: instituting zero trust models, shifting testing left, and enabling developer self-service.
Historical Examples
The Target Breach
In 2013, attackers accessed Target's systems by compromising an HVAC vendor's credentials. Moving laterally, they stole 40 million credit cards from Point of Sale systems. The breach resulted from poor segmentation and lack of zero trust principles. Too many systems carried excessive privileges, enabling the lateral movement once perimeter defenses were penetrated.
A DevSecOps approach would have instituted least privilege and zero trust segmentation. Limiting the vendor's access and integrating runtime security checks into the transaction systems could have contained the breach. While slightly slower initially, the improved security posture would have prevented extensive financial and reputational damage.
The Equifax Breach?
Equifax suffered a major breach in 2017 when attackers exploited an Apache Struts vulnerability. The unpatched vulnerability gave access to 143 million financial records. The security team had actually warned about upgrading Struts, but faced resistance from developers trying to deliver features quickly.?
Better collaboration and testing left could have prevented this incident. Integration between security and development is needed to balance velocity and security. Automated scanning of dependencies and instrumentation of builds to fail on vulnerabilities would have caught the Struts issue. Despite slightly slower builds, this would improve velocity long-term by preventing costly breaches.
The Capital One Breach
In 2019, an attacker exploited a misconfigured AWS WAF to access Capital One systems. The misconfiguration demonstrates how speed can compromise security when processes are not in place. Infrastructure as code automated rapid cloud deployment, but without accompanying automation to validate configurations.
Adding policy as code and security testing to the CI/CD pipeline could have caught the issue pre-production. Although incremental builds would be slightly slower, automated security checks ultimately improve velocity. Self-service remediation tools also empower developers to fix issues quickly without depending on security teams.
领英推è
Handling These Events
As a DevSecOps engineer, I would take the following approaches to handle events like these:
Zero Trust and Segmentation: Implement zero trust models with least privilege access and network segmentation. Use tools like OAuth, mTLS, and microsegmentation to limit lateral movement. Balance security domain separation with incremental velocity impacts.
Shift Testing Left: Build security unit tests and integrate scanning tools into CI/CD pipelines. Fail builds on test failures. Promote developer security ownership. Make fixing issues a shared priority, not just delivering features.
Enable Self-Service: Provide self-service tools for infrastructure as code security validation, remediation, and compliance workflow. Empower developers to be self-sufficient securing cloud environments. Implement guardrails as code.
Automate Auditing: Operationalize and embed audits into system using tools like Chef InSpec. Don't wait for quarterly audits. Continuously validate adherence to security controls. Fix audit failures like any other bug.??
Allow Listing: Only permit defined good behavior, blocking everything else. Use allow listing to enforce zero trust at code, network, and infrastructure levels. Prefer blocking over detection. Start with high assurance and tighten by exception.?
Cultural Change: Promote collaborative culture between Dev and Sec. Develop shared goals and incentives. Avoid throwing issues over the wall. Make security everyone's responsibility through training, mentorship, and leading by example.
Conclusion
DevSecOps enables rapid and secure development, but requires compromise between velocity and security. By shifting security left through automation, collaboration, and self-service, developers and security engineers can balance these priorities. Key enablers like zero trust, testing pipelines, and allow listing help teams deliver faster without sacrificing protection. With the right tools, culture, and mindset, DevSecOps allows enterprises to build securely at speed.?
#DevSecOps #ZeroTrust #Velocity #Security #DevOps #Agile #ShiftLeft #Culture #Automation #Testing #Compliance # Collaboration #CD/CD #SelfService #Guardrails #Auditing #AllowListing #Microsegmentation #LeastPrivilege #ThreatModeling?
References
1. Devsecops pdf. Available at: https://qqooa.hakima-hassine.fr/6r/kzt7qblub
2. Cyber Security and Cyber Resiliency: It's an Evolution. Available at: https://events.afcea.org/Augusta22/Custom/Handout/Speaker0_Session9694_1.pdf
3. Zero Trust Is More Than Just Identity & Access...What's Missing. Available at: https://resources.sei.cmu.edu/asset_files/Video/2022_500_001_887529.pdf
4. Lori MacVittie - F5 Networks. Available at: https://www.f5.com/authors/lori-macvittie
5. Smartest path to DevSecOps transformation | Coalfire.com. Available at: https://www.coalfire.com/documents/reports/smartest-path-devsecops-transformation
6. Security of Zero Trust Networks in Cloud Computing: A Comparative Review. Available at: https://www.researchgate.net/publication/363386313_Security_of_Zero_Trust_Networks_in_Cloud_Computing_A_Comparative_Review
References from Perplexity.ai