Unveiling the Six Pillars of DevSecOps with CSA's Comprehensive Guide

The widespread adoption of cloud computing presents an unprecedented security challenge. Organizations are confronted daily with headlines of breaches, compromises, and stolen sensitive data. These issues can arise from the effects of insecure applications, misconfiguration, poor infrastructure architecture, and lack of education and training.

With Digital Transformation firmly underway, software has rapidly risen as one of the top causes of business risk and exploitation. As a result of the rapid increase in the volume and pace of application development and delivery, the number and complexity of attacks on applications have also multiplied. The shortage of personnel with appropriate and adequate security skills and resources has become more acute than ever.

We are all aware of the DevOps approach, in which development and operations teams work closely together so that they can deliver better and faster, especially in cloud computing. As DevOps grows in popularity, we should consider how it affects security and apply its methods to manage security better.

With more and more devices and computing power, along with trends like DevOps, Microservices, and Open Source software, companies are deploying things faster. But this speed makes it harder to find and fix security problems quickly, which makes the overall security risk go up.

Putting security directly into DevOps substantially improves outcomes by integrating existing security into development and operational processes through modern integrated security paradigms, such as DevSecOps. For example, organizations that implement DevSecOps find that modern microservices-based applications have much better security outcomes. In addition, when security is built into a software development lifecycle, organizations find that even in the initial days of development, security-related performance can be controlled.

The Cloud Security Alliance (CSA) has defined six focus areas that provide a holistic framework, bringing traditionally separated functions such as development, infrastructure operations, and information security together into a united team. This helps in creating secure software through structured processes.

Let's dive into each DevSecOps pillar and how companies can leverage it to grow.

Pillar 1: Collective Responsibility

Everyone shares responsibility for the organization's security. While the CISO takes the lead on information security, each individual has a role to play and needs to understand how they contribute to the organization's security. Edge users and developers aren't merely aware of security; they're the organization's frontline defenders.

Pillar 2: Collaboration and Integration

There's a significant gap in skills and resources across Development, Operations, and Security in the software field. Without collaboration across the organization to implement security measures, success will be limited. Security relies on collaboration, not confrontation.

It's crucial to have a culture that values security awareness and teamwork, encouraging all team members to report any potential issues. Human error is often the main cause of security incidents, so it's important to keep that in mind and prioritize collaboration and awareness. Leadership, product, project, development, security, and operations teams work together seamlessly to ensure business continuity and IT security, and to create and deploy secure software.

Pillar 3: Pragmatic Implementation

Organizations have many options for adding security to their software at different stages. Because every software project is unique, there's no one-size-fits-all solution for adding security. Sometimes, organizations end up buying tools that are hard to set up and use, and they don't always give useful information about security risks.

To choose the right security tools, organizations need to look at their entire software process, their security needs, and what they want in the future. They should choose tools that can easily work together with other systems.

A "Digital Security and Privacy Model" that focuses on building safety, privacy, and trust into software development can help. This model brings together everyone involved in making software—developers, operations teams, and security teams—to build security into the software from the beginning.

Pillar 4: Bridging Compliance and Development

Risk-related requirements are difficult to translate into security requirements that can be easily measured over time. While security teams create requirements to support their risk-based methodology, compliance requirements are poorly translated to DevOps and product requirements. Conversely, it is not easy to obtain evidence that security requirements have been met even if technical controls are implemented.

The key to addressing this gap between compliance and development is to identify applicable controls, translate them to appropriate software measures, and identify inflection points within the software lifecycle where these controls can be automated and measured to improve the quality of risk mitigation and therefore compliance.

Tooling is often where value is realized in applying security controls and measures. Tooling can help introduce security checks, scans, and management of data and be automated with triggers at the deployment pipeline — these tools can be proprietary or open source.

The key considerations are:

  • Embracing an “as-Code” (Compliance As Code, Policy As Code) model
  • Embracing DevSecOps approaches to testing
  • Tracking open-source risks
  • Guardrails
  • Patterns and templates

Fig.1 Framework for Bridging Compliance and Development

Pillar 5: Automation

Without automated quality checks, manually written code can lead to software that performs poorly and is insecure, often requiring rework. Moreover, manual testing, especially when not done at the right time, decreases the likelihood of identifying vulnerabilities before deployment. When deployment and patching are done manually, there's a risk of releasing insecure software into production.

Automating security practices is crucial for making processes more efficient. It reduces manual tasks, making processes faster and reducing the need for rework. Enhancing software quality involves improving the thoroughness, timeliness, and frequency of testing and feedback. Processes that can be automated should be, while others should be automated as much as possible or considered for removal. While automated security checks may introduce new issues like build delays or failures, these can usually be resolved through workflow enhancements or semi-automated methods.
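As an added illustration of Pillars 4 and 5 (this is example code written for this article, not CSA's or any vendor's tooling), the script below expresses three risk-based controls as executable checks, runs them against deployment manifests at a pipeline inflection point, blocks the deployment when any control fails, and emits a per-control pass rate that can serve as compliance evidence. The control identifiers (`CTL-01` to `CTL-03`), the simplified Kubernetes-style manifests, and the secret-name pattern are all constructed assumptions.

```python
"""Compliance-as-code gate: controls become checks, checks become evidence.
Control IDs, manifests and thresholds are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed, simplified Kubernetes-style workload manifests.
MANIFESTS = {
    "payments-api": {
        "image": "registry.example/payments-api:1.4.2",
        "securityContext": {"runAsNonRoot": True},
        "env": [{"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": "db-creds"}}],
    },
    "legacy-batch": {
        "image": "registry.example/legacy-batch:latest",
        "securityContext": {"runAsNonRoot": False},
        "env": [{"name": "API_KEY", "value": "hunter2"}],
    },
}

# Assumed naming convention for variables that carry credentials.
SECRET_NAME = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)", re.IGNORECASE)


def runs_as_non_root(m: dict) -> bool:
    return m.get("securityContext", {}).get("runAsNonRoot") is True


def no_inline_credentials(m: dict) -> bool:
    # Fail when a secret-looking variable carries a literal value rather than a reference.
    return not any("value" in e and SECRET_NAME.search(e["name"]) for e in m.get("env", []))


def image_is_pinned(m: dict) -> bool:
    # Look only at the final path component so a registry port is not mistaken for a tag.
    name = m["image"].rsplit("/", 1)[-1]
    return ":" in name and not name.endswith(":latest")


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical identifier from an internal control catalogue
    description: str
    check: Callable[[dict], bool]


CONTROLS = [
    Control("CTL-01", "Containers run as a non-root user", runs_as_non_root),
    Control("CTL-02", "Credentials are referenced from a secret store, not inlined", no_inline_credentials),
    Control("CTL-03", "Images are pinned to an explicit version tag", image_is_pinned),
]


@dataclass(frozen=True)
class Finding:
    workload: str
    control_id: str
    passed: bool


def evaluate(manifests: dict, controls: list = CONTROLS) -> list:
    """Run every control against every workload; one Finding per pair."""
    return [Finding(name, c.control_id, c.check(m))
            for name, m in manifests.items() for c in controls]


def gate_passes(findings: list) -> bool:
    """Pipeline gate: the deployment is blocked if any control failed."""
    return all(f.passed for f in findings)


def evidence(findings: list) -> dict:
    """Measurable evidence per control: percentage of workloads that pass."""
    tallies = {}
    for f in findings:
        total, passed = tallies.get(f.control_id, (0, 0))
        tallies[f.control_id] = (total + 1, passed + int(f.passed))
    return {cid: round(100 * p / t) for cid, (t, p) in tallies.items()}


if __name__ == "__main__":
    results = evaluate(MANIFESTS)
    for f in results:
        if not f.passed:
            print(f"FAIL {f.workload}: {f.control_id}")
    print("evidence:", evidence(results))
    raise SystemExit(0 if gate_passes(results) else 1)
```

Run as a pipeline step, the non-zero exit code is the automated gate, and the `evidence` dictionary is the artifact that answers the auditor's question of whether the control was met, computed at every build rather than collected by hand.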

Pillar 6: Measure, Monitor, Report and Action

You can’t manage what you can’t measure

During the monitoring phase, security tools are employed to gather and evaluate crucial data regarding the application's usage. This helps in identifying trends and pinpointing areas of concern. Monitoring covers various aspects including the underlying hardware resources, network communication, applications/microservices, containers, interfaces, both normal and unusual endpoint activities, as well as analysis of security event logs.

In a DevSecOps workflow, among the most vital metrics to track are the frequency of deployments, the time taken to patch vulnerabilities, the portion of code automatically tested, and the number of automated tests per application. It's crucial to measure, monitor, report, and act upon these results both during software development and after delivery. This ongoing process is essential for the success of DevSecOps.
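To make the metrics named above concrete, here is an added example (not from the article or CSA) that computes deployment frequency, mean time to patch, automated test coverage, test count, and the age of the oldest open high-severity finding from pipeline records, then turns them into actionable concerns. The record layouts, the 30-day window, the report time, and the thresholds are all constructed assumptions; a real programme would pull the records from its CI/CD and vulnerability-management systems and set thresholds from its own risk appetite.

```python
"""DevSecOps metrics from constructed pipeline records, with threshold-based actions.
Record shapes, timestamps and thresholds are assumptions for the example."""
from datetime import datetime

WINDOW_DAYS = 30
NOW = datetime.fromisoformat("2024-05-31T00:00")  # constructed report time

# app -> deployment timestamps within the window (constructed)
DEPLOYMENTS = {
    "payments-api": ["2024-05-01T10:00", "2024-05-08T09:30", "2024-05-15T11:00", "2024-05-22T16:45"],
    "legacy-batch": ["2024-05-03T08:00"],
}
# (app, severity, discovered, fixed or None when still open) (constructed)
VULNERABILITIES = [
    ("payments-api", "high", "2024-05-02T12:00", "2024-05-04T12:00"),
    ("payments-api", "medium", "2024-05-10T09:00", "2024-05-15T09:00"),
    ("legacy-batch", "high", "2024-05-05T09:00", None),
]
# app -> (lines covered by automated tests, total lines, number of automated tests) (constructed)
AUTOMATED_TESTS = {
    "payments-api": (8400, 10000, 312),
    "legacy-batch": (1500, 10000, 20),
}
# Assumed targets; tune to the organisation's risk appetite.
THRESHOLDS = {
    "min_deploys_per_week": 0.5,
    "max_patch_hours": 72,
    "min_coverage_pct": 80,
    "max_open_high_hours": 7 * 24,
}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def deployment_frequency(app: str) -> float:
    """Deployments per week, normalised over the reporting window."""
    return round(len(DEPLOYMENTS.get(app, [])) * 7 / WINDOW_DAYS, 2)


def mean_time_to_patch(app: str):
    """Mean hours from discovery to fix for closed findings; None if none closed."""
    hours = [(_ts(fixed) - _ts(found)).total_seconds() / 3600
             for a, _sev, found, fixed in VULNERABILITIES if a == app and fixed]
    return round(sum(hours) / len(hours), 1) if hours else None


def oldest_open_high(app: str, now: datetime = NOW):
    """Age in hours of the oldest unresolved high-severity finding; None if none."""
    ages = [(now - _ts(found)).total_seconds() / 3600
            for a, sev, found, fixed in VULNERABILITIES
            if a == app and sev == "high" and fixed is None]
    return round(max(ages), 1) if ages else None


def coverage_percent(app: str) -> float:
    covered, total, _count = AUTOMATED_TESTS[app]
    return round(100 * covered / total, 1)


def metrics(app: str, now: datetime = NOW) -> dict:
    """The DevSecOps metrics tracked for one application."""
    return {
        "deploys_per_week": deployment_frequency(app),
        "mean_patch_hours": mean_time_to_patch(app),
        "coverage_pct": coverage_percent(app),
        "automated_tests": AUTOMATED_TESTS[app][2],
        "oldest_open_high_hours": oldest_open_high(app, now),
    }


def concerns(m: dict) -> list:
    """Turn measurements into actions: each string is something a team must address."""
    out = []
    if m["deploys_per_week"] < THRESHOLDS["min_deploys_per_week"]:
        out.append("deployment frequency below target")
    if m["mean_patch_hours"] is not None and m["mean_patch_hours"] > THRESHOLDS["max_patch_hours"]:
        out.append("mean time to patch exceeds target")
    if m["coverage_pct"] < THRESHOLDS["min_coverage_pct"]:
        out.append("automated test coverage below target")
    if m["oldest_open_high_hours"] is not None and m["oldest_open_high_hours"] > THRESHOLDS["max_open_high_hours"]:
        out.append("high-severity finding open past SLA")
    return out


if __name__ == "__main__":
    for app in DEPLOYMENTS:
        m = metrics(app)
        print(app, m, concerns(m) or ["no concerns"])
```

The point of the `concerns` step is the "Action" in the pillar's name: a metric that is reported but never compared against a target produces no change, whereas a threshold breach gives the team a concrete item to work, both during development and after delivery.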

I appreciate you reading The Security Chef.
