FIVE PRINCIPLES FOR SECURING DEVOPS
VERACODE EBOOK

INTRODUCTION
DevOps, a new organizational and cultural way of organizing development and IT operations work, and its sister technologies, continuous integration and continuous deployment (CI/CD), have transformed the way we create software. And there is widespread evidence that DevOps practices, despite their substantial organizational, cultural and technological requirements, are spreading rapidly.

In fact, there are sound business reasons for executives to embrace these changes. A recent study shows that firms with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals.

Reference: Forsgren, N., J. Humble (2016). “DevOps: Profiles in ITSM Performance and Contributing Factors.” In the Proceedings of the Western Decision Sciences Institute (WDSI) 2016, Las Vegas, NV. Available at SSRN: ssrn.com/abstract=2681906
Further, specific disciplines of continuous delivery, including test and deployment automation, trunk-based development, continuous integration and version control of app and system configuration, all lead directly to higher levels of IT performance and, therefore, to higher levels of organizational performance.

But reaping these gains requires rethinking application security. To secure DevOps, it is critical to understand how DevOps and CI/CD are different from Agile development and how this difference changes the requirements for application security solutions. It is also important to recognize that, as CI/CD in particular continues to evolve, so do the requirements for application security.

THIS PAPER
• Provides background on the evolution of DevOps.
• Proposes five principles that solutions seeking to integrate application security into DevOps and CI/CD must address.
DevOps: Evolution and Revolution

Many Agile software projects have succeeded in improving their quality practices only to face the reality of failed deployments when unanticipated operational requirements resulted in software that did not meet the needs of availability, scalability or manageability. By integrating activities and organizations like operations earlier into the development process, DevOps seeks to expose the development team to these potentially surprising or disruptive requirements early so that the team can plan for and address them ahead of time.

The process of bringing other teams, in particular operations, into the development process began as a revolt against heavyweight and highly manual operations practices that were seen as slowing development down.

DevOps seeks to enable software development teams to more consistently hit or exceed their goals for on-time delivery of high-quality software that meets the needs of the business. It does this by removing organizational barriers between Agile development teams and non-Agile supporting processes.
DevOps thought leader Gene Kim has stated that DevOps practices explicitly seek to align the potentially at-odds goals of “make changes quickly” (development) and “keep everything stable” (IT operations) by bringing the teams together and giving them shared responsibility for software delivery and operation. This organizational alignment supports all the other activities of DevOps.

Figure: development teams (“Make changes quickly”) and IT operations teams (“Keep everything stable”) brought together around a common goal.

For instance, DevOps:
1. Embraces an existing software development trend, continuous integration, and its transformation into continuous deployment.
2. Applies insights from traditional manufacturing quality control processes to the software development process.

In this way, DevOps is a natural evolution of Agile software development and its culture of “retrospectives,” “do better” and clearing blockages to getting work done. But the specific manifestations of this cultural and organizational change have been revolutionary for how software is built, beginning with how — and how frequently — it is delivered to market.
If DevOps includes cultural, organizational and technological components, continuous integration and continuous delivery, or CI/CD, is the technological foundation on which DevOps builds its practices.

CI/CD seeks to automate much of the routine work of transforming code changes into working software, including delivering tested code into production. From its roots in build servers like Hudson, Jenkins and Microsoft Team Foundation Server, CI/CD has become a collection of technologies and practices that supports the integrated mission of releasing new code changes while keeping things stable.

Technologies that allow DevOps organizations to move faster include:
• Automated build and verification of code changes
• Unit tests
• Containerization
• Trunk-based development
• Feature toggles
• Microservices
• Operational monitoring
“Shifting Security Left” Drives New Requirements for AppSec

Like operations, security’s goal of minimizing enterprise risk sometimes seems to be at odds with development’s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps.

Considering the goals of CI/CD helps us identify the following five principles for securing DevOps:
1. Automate Security In
2. Integrate to “Fail Quickly”
3. No False Alarms
4. Build Security Champions
5. Keep Operational Visibility
PRINCIPLE ONE: Automate Security In

Automated invocation of security testing requires a comprehensive API to initiate, control and return results from software testing, and should include productized support for the common tools of development teams.
PRINCIPLE TWO: Integrate to “Fail Quickly”

Integrating security into the CI/CD pipeline ensures that security testing happens with every release, and avoids the problem of leaving application security entirely in the hands of the developer or as a step late in the process. There are several ways to address this requirement, for instance:
• Scan small units of code so that results can be returned within the latency tolerance of the existing process in the pipeline.
• Allow the pipeline to kick off tests and feed the results into the backlog of the development team outside of the pipeline, essentially conducting the full application test in parallel.

Regardless of how you integrate static testing into the pipeline, full application testing is still necessary: security issues may be introduced into the code that can only be found via a full program analysis. You can conduct full application tests outside the scope of the pipeline, or only on builds that make it to a certain stage of release candidate qualification.

In addition, you don’t need to stop at integrating with the pipeline. The best way to catch software defects quickly is to introduce tests that run as close to the developer as possible — for example, with quick-running tests triggered on check-in or even as pre-check-in gates. You can also allow developers to quickly test from the IDE.
PRINCIPLE THREE: No False Alarms

As the industry has learned, a technology that reports too many false positives will be ignored and will fail to be adopted. This is doubly true in CI/CD, where a failed security test may stop a critical business function from being delivered to production — or a critical patch from being released. That may be tolerable if the security issue is real, but is completely intolerable if the finding is a false positive.
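As an added example (not Veracode's code and not from the original ebook), the check-in gate below applies Principles Two and Three together: it scans only the files touched by a commit so the result fits the pipeline's latency tolerance, fails the build on severe findings, and routes findings AppSec has already triaged as false positives, plus lower-severity findings, to the development backlog rather than stopping the release. The scanner output, the finding format and the triage list are constructed sample data standing in for whatever scanning service the pipeline calls through its API.

```python
# Added example (not Veracode's code): a check-in gate applying Principle Two
# (scan only the changed units so results fit the pipeline's latency budget)
# and Principle Three (a triaged false positive never breaks the build).
# The scanner output, finding format and triage list are constructed data.
from dataclasses import dataclass, field
from typing import Iterable

@dataclass(frozen=True)
class Finding:
    rule: str       # scanner rule id (constructed labels below)
    severity: int   # 1 = informational .. 5 = very high
    file: str
    line: int

@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # fails the build
    backlog: list = field(default_factory=list)   # tracked outside the pipeline

# Constructed scan output keyed by file, as a SAST API might return it.
SAMPLE_SCAN = {
    "app/login.py": [Finding("sql-injection", 5, "app/login.py", 42),
                     Finding("hardcoded-secret", 4, "app/login.py", 7)],
    "app/util.py": [Finding("weak-random", 3, "app/util.py", 12)],
    "app/legacy.py": [Finding("xxe", 5, "app/legacy.py", 88)],
}

def incremental_scan(changed_files: Iterable[str], scan=SAMPLE_SCAN) -> list:
    """Principle Two: scan only the units touched by this commit so the result
    returns within the pipeline's latency tolerance. Untouched files are left
    to the full application scan that runs in parallel, outside the pipeline."""
    return [f for path in changed_files for f in scan.get(path, [])]

def evaluate_gate(findings, triaged_false_positives, block_at=4) -> GateResult:
    """Principle Three: a finding breaks the build only if it reaches the
    blocking severity AND AppSec has not already triaged it as a false
    positive; everything else goes to the backlog instead of stopping the
    release. The triage key is (rule, file); a real tool would use a stable
    fingerprint that survives line shifts."""
    result = GateResult(passed=True)
    for f in findings:
        if f.severity >= block_at and (f.rule, f.file) not in triaged_false_positives:
            result.blocking.append(f)
        else:
            result.backlog.append(f)
    result.passed = not result.blocking
    return result

def run_gate(changed_files, triaged_false_positives, block_at=4) -> GateResult:
    """Entry point a pre-check-in hook or pipeline stage would call."""
    return evaluate_gate(incremental_scan(changed_files), triaged_false_positives, block_at)

if __name__ == "__main__":
    import sys
    triaged = {("hardcoded-secret", "app/login.py")}  # triaged: test fixture, not a secret
    res = run_gate(["app/login.py", "app/util.py"], triaged)
    for f in res.blocking + res.backlog:
        tag = "BLOCK" if f in res.blocking else "BACKLOG"
        print(f"{tag:7} {f.file}:{f.line} {f.rule} severity={f.severity}")
    sys.exit(0 if res.passed else 1)  # non-zero exit fails the pipeline stage
```

Findings in files outside the change set (here `app/legacy.py`) never reach this gate; they belong to the full application scan the text describes running in parallel.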
PRINCIPLE FOUR: Build Security Champions

Most developers are not trained in the practices of secure coding. But training developers as security champions gives the security team a force multiplier and reduces culture conflict by embedding application security knowledge directly in the team.
PRINCIPLE FIVE: Keep Operational Visibility

Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered solution must support “closed loop” feedback from production in the event of a security incident. There are several scenarios in which operational visibility into application security is particularly important:
1. To enable the team to deploy faster. The business may choose to trade full application security testing for faster deployment and, therefore, rely on the ability to test after deployment and quickly update if an issue is found.
2. To catch exceptions. There will be cases when an application gets to production without going through the automated pipeline, or when a misconfiguration results in a vulnerable application. These cases make discovery and testing of web applications in production critical.
3. To detect and protect against an attack. Operations needs visibility into potential security issues in deployed software so that they can drive a quick response.
Having the Conversation: Questions to Ask When Integrating Security Into DevOps

Many organizations are at the earliest stages of considering how to integrate security into their DevOps practices. The following questions will help you think about how to design an integrated solution for securing the CI/CD pipeline:
1. Have you rearchitected your applications for microservices, or is that work still in progress?
2. Which of your applications will pass through a CI/CD pipeline? Microservice-based? Monoliths? In what languages?
3. What tolerance do you have for “false alarms” (FPs) from an application security capability that is integrated into your DevOps practices?
4. Are you practicing trunk-based development, or do you still practice release and feature branching?
5. How do you plan to monitor your operational applications for security attacks?
6. How do you plan to bring security expertise into the DevOps team?
CONCLUSION

The process and technical requirements for integrating security with DevOps practices and CI/CD technology are challenging for any application security technology to meet. By embracing DevOps principles and looking beyond the pipeline to organizational and production capabilities, you greatly increase the chances of successfully integrating security with DevOps.
Veracode’s cloud-based service and systematic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world’s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 20+ of Forbes’ 100 Most Valuable Brands.

LEARN MORE AT WWW.VERACODE.COM, ON THE VERACODE BLOG, AND ON TWITTER.
