January 10, 2019

Five Best Practices to Achieving a Secure DevOps Model

The first article in our two-part series introduced the concept of a “whole brain” approach to achieving secure DevOps. This article continues the discussion by taking a closer look at the five best practices every organization should implement to achieve a secure DevOps model. Designing a "whole brain" approach to SecDevOps is challenging, but not impossible.

In our previous blog article, “Why a Whole Brain Approach to Secure DevOps is Critical,” we explained why a “whole brain” approach is critical to achieving a secure DevOps model. We examined the right-brain versus left-brain analogy — noting that the DevOps role and responsibilities are driven by the need to be creative and innovative when building applications designed to drive the business forward.

On the other hand, InfoSec teams are analytical and prefer to adhere to carefully managed processes with the goal of safeguarding the organization’s infrastructure and data. In the end, both teams’ objectives are good for the company, so they must be empowered to do what they do best. Yet there also needs to be a way forward to achieve SecDevOps.

Related: Download our white paper on the subject, “How to Secure DevOps Across Any Environment.”

Designing a Whole Brain Approach to SecDevOps is Challenging but Not Impossible

The need to integrate information security and application development is undeniable. Yet it is naive to think that a change this major will come about through a series of meetings or a handful of management touch points. In this article, we’ll look at five specific best practices that successful DevOps teams are using to address the need for data security while maintaining rapid application development.

  • Ensure that open source code is secure.

A key component of verifying the composition of an application comes down to controlling what source code libraries can be used when building it.

Leveraging open source code is great for speed and flexibility, but it may not always be well-tested or created with security in mind. For example, adding nginx to the application is great: its function set is already well-proven in the industry, and it’s as simple as connecting it with the other functions that make up a working application. However, you want to be very sure that it’s a sanctioned version – not the latest unverified version found on GitHub.
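One way to enforce the "sanctioned version only" rule in a build pipeline is to compare every component the build pulls in against an allowlist of approved versions and artifact digests. The following is an added example (not CSPi's code or any real tool's); the manifest format, component names and digests are constructed for illustration.

```python
# Added example (not CSPi's code): check a build manifest against a sanctioned-library allowlist.
from dataclasses import dataclass

# Constructed allowlist (placeholder digests, not real hashes): component -> {version: digest}.
SANCTIONED = {
    "nginx": {"1.24.0": "sha256:1111aaaa"},
    "openssl": {"3.0.13": "sha256:2222bbbb"},
}

# Constructed manifest as a build step might emit it: one "name==version digest" per line.
MANIFEST = """\
nginx==1.24.0 sha256:1111aaaa
openssl==3.0.13 sha256:9999ffff
leftpad==9.9.9 sha256:3333cccc
nginx==1.25.0-rc1 sha256:4444dddd
"""

@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    reason: str

def parse_manifest(text):
    """Yield (name, version, digest) triples; reject lines that do not fit the format."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or "==" not in parts[0]:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        name, version = parts[0].split("==", 1)
        yield name.lower(), version, parts[1]

def check_components(manifest_text, allowlist=SANCTIONED):
    """Return a Finding for each component that is not an approved, unmodified build."""
    findings = []
    for name, version, digest in parse_manifest(manifest_text):
        approved = allowlist.get(name)
        if approved is None:
            findings.append(Finding(name, version, "component not on the sanctioned list"))
        elif version not in approved:
            findings.append(Finding(name, version, "version not sanctioned"))
        elif approved[version] != digest:
            findings.append(Finding(name, version, "digest differs from the sanctioned artifact"))
    return findings
```

A non-empty result from `check_components` is the signal to fail the build; the digest comparison catches a tampered or re-published artifact even when its version string matches an approved one.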

  • Plan for security throughout the application lifecycle.

This means securing the application as built, as deployed, and throughout its life. Securing code from vulnerabilities includes anything from a set of processes completed by the security team to tying in software routines that run within the application.

  • Know and control what connects to the application as well as what it connects to, especially in the development phase.

Governing application access and what connects to it is first and foremost about applying policy. This covers the types and levels of access that are allowed by authentication. Ideally, this is provided within the application or in conjunction with third-party directories. It is also possible that it can be delivered by multi-factor authentication applications, allowing verified humans access to an application.

Governing application-level connection determines what in the network should be allowed to send network data to the application in the first place. Often known as micro-segmentation, it can be done at the underlying host level, or out in the network.

  • Protect the data – inside and outside – the application.

Securing the application alone isn’t enough; you also need to account for the data it produces, as well as the data it accesses. Securing the application and its output protects you from threats that may have infiltrated the network or underlying systems, including storage and backup systems.

Another dimension is properly encrypting the data output in motion, such as east-west traffic, as well as data at rest, according to specified policies. Similarly, the application itself may need access to protected data and should only access that data under proper conditions specified by a policy.

Related: For even more information, read our blog article on “Five Tips for DevOps Application Security.”

  • Eliminate the human factor.

Consider the example of a modern factory. As in any proper factory, automation is critical to executing the steps above properly, effectively and efficiently. Ironically, automation is also the answer to creating harmony between application developers and InfoSec teams.

These best practices are about making it easier for developers to add security functions into the applications as they are built and allowing security teams to come in as the application goes live and to set the proper configurations according to the organization’s policies.

CSPi’s solutions help today’s organizations to:

  • secure and protect their most critical data, such as PII,
  • enhance network security and make traditional security tools more effective by providing full intelligence on network traffic, including east-west traffic,
  • easily and cost-effectively achieve a secure DevOps environment,
  • give developers and InfoSec teams an automated, plug-and-play approach to application and data security,
  • and finally, automatically verify and notify of data breaches while they are ongoing, in order to mitigate or disrupt the attack.

If you would like to learn more about CSPi’s approach to achieving a Secure DevOps model, check out our white paper on Secure DevOps best practices, “How to Secure DevOps Across Any Environment.”

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.

Tags: secdevops, cybersecurity, data protection