IMPLEMENTING CONTINUOUS SECURITY
Embedding Security into DevOps
Moving to the DevSecOps culture
Hello, my sweet readers! Here’s another sweet blog for you! This time it covers my recent talk at DevFest19 Chennai by GDG Chennai on Sept 21, 2019.
In case you were present and I lost you during the talk, or if you missed my talk yesterday, then do read this blog. Slides are available at the end! 😄
Every story about DevFest Chennai is on Twitter and you can find them here. This year Chennai went big on DevFest!
It was also my first DevFest and I was very excited, like everyone else. There were other amazing talks as well. Every speaker had killer content for all of us. Kudos to GDG Chennai, GDG Cloud Chennai and WTM Chennai, who brewed up a perfect fest.
And since I was the last speaker of the day, I got a chance to listen to all the talks before mine, so tweeting was far easier! I was also able to adjust my slides before the talk. Guess what? It is a developer conference and I was talking security to them. So I was sharing a mutual feeling between Security Operations and Developer Operations! Moreover, my excitement was running higher than my heartbeat and I was jumping around on the stage. I only realized that after Madhuragj and Juhi Singh told me after the talk.
In front of me was an eager audience of 500+, I was up on the stage, and my PC didn’t do well with the projector. I quickly had to bring my audience to me rather than let them wait for me! I understood that my audience was inclined towards learning new stuff, and that gave me a good head start. We talked about the time factor between us and the development process, and also about the reason why the DevOps practice came into existence. Most of them seemed to be familiar with DevOps, and that was good for me.
My talk was on, “Embedding Security into DevOps — Implementing Continuous Security”
So, I’ll break down every part of my presentation. Since it was a lightning talk of 10 minutes I had to be very quick, and I am sure I lost some of the crowd. I did my best to make sure everyone understood what I spoke about. Here I will make it extra detailed, so you can read it over and get even more clarity.
I began with a story, so everyone understood why I was there to talk. And here too, let me begin the same way.
Based on this story, we can see that security is an important aspect no matter what we build. In this context, let us compare what security means to a pipeline in the DevOps culture.
“The most powerful tool we have as developers is automation.” — Scott Hanselman
And hence we use automation to solve our common problems. But the real question is, “Are we doing it the right way?” To understand that, we need to look at what DevOps is and how it works.
DevOps is a practice where developers and the operations team come together to deploy code to production faster, using automated processes.
Without automation there is no DevOps: automation is what makes the practice work.
In DevOps we follow Continuous Integration: developers working on various units push their changes to one common repository, where every change is built and run against the test suite. A build that passes is then released. When every successful build is pushed automatically to the client, that is called Continuous Deployment. The client gets to see each change and give feedback in real time, which is called Continuous Feedback.
Everywhere we have the question of why, and here too a “Why” question is valid. The best way I could describe it was with a picture, and that picture means a lot to me and to many others in the crowd. Maybe I could say this quote just helped me keep the talk interesting! Thanks to Tony! :D
There is no time to build, test and deploy in the traditional manner with age-old processes. Of course, those processes were great, but they are not great anymore! And hence we do things on the go: we tend to run the process straight against production.
And now I had to bring down the DevOps hype among the audience to talk about DevSecOps. It was easy for me! XD
When everything is working well and suddenly a vulnerability that your pipeline never checked for reaches production, there is often nothing you can do to revert the damage.
And that is why the world came up with DevSecOps. This is how security is embedded in DevOps.
Here the focus is on implementing security in the process as early as possible, because applying security at the end is a time killer. Now that we had heard of DevSecOps, I had to let everyone know that DevOps is not bad either.
Then why are we talking about DevSecOps? Because it was often done wrong, and this is the fix that has come up. It is not worth complaining; it is time to make the shift.
Reasons to adopt DevSecOps
There are a few notable reasons to adopt DevSecOps.
- Turns traditional security engagement, usually a one-time review at the end, into an active part of the process.
- Advocates security to be built into the product, rather than being applied to a finished product.
- You should have it. In fact, it is a better culture.
If you ever wanted to make your pipeline better, then this is it. Make the best use of it. And the way to do it? It is as simple as “Nike” says: Just do it.
Before explaining some ways to perform a better security process, there is another interesting thing called Threat Modelling.
It is a fundamental process that helps in asset discovery and threat identification. It is helpful, simple, easy and does not consume much time, and it can be done without the help of a security expert. The steps are simple and there are six of them. (Read more on threat modeling here…)
A threat model gives you an idea of what your assets are and what threats are associated with them.
Five DevSecOps steps
When there is a process, there is a procedure to be followed. Here I covered five steps to effective DevSecOps.
- Negative Unit Tests
Unit tests are great: they find errors quickly and are a good way to clear out nasty bugs. But if those tests are biased towards the happy path, you might as well ship the modules without testing them. Including negative test cases, inputs the unit is supposed to reject, is a great way of understanding whether the unit behaves well under hostile input. Writing more negative test cases is effective, but that does not mean you should drop the positive ones.
- Verify Third-party components
All of your code might be clean, error-free and passing every test. But what if the external components you depend on, such as libraries and APIs, have vulnerabilities in them? It is always safe practice to verify any third-party component being used, and to keep verifying it, because new vulnerabilities are published long after you first adopted it.
- SAST (Static Application Security Testing)
Also simply called static analysis. It examines the source code (or bytecode) without running it and flags insecure patterns: dangerous function calls, hard-coded secrets, untrusted input flowing into a query or a shell command, as well as plain coding errors.
- DAST (Dynamic Application Security Testing)
In dynamic analysis we check behaviour. The application is executed and probed from the outside, the way an attacker would, by sending crafted requests and watching how it responds.
- Security headers, TLS/SSL (Transport Layer Security / Secure Sockets Layer), Encryption
These measures are generally taken last and live in the modules that handle communication. Implementing them is the first line of defence for the data the application will handle: TLS protects it in transit, security headers tell the browser how it may treat the response, and encryption protects it at rest.
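To make the first step concrete, here is an added example of negative unit tests. It is not from the talk or the slides; the helper `safe_join` and the base directory `/srv/uploads` are hypothetical. The positive tests check that the feature works, and the negative tests feed the unit the inputs an attacker would send (path traversal, absolute paths, NUL bytes, a sibling directory that shares a prefix) and require that every one of them is rejected.

```python
import posixpath
import unittest


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def safe_join(base: str, user_path: str) -> str:
    """Hypothetical helper under test: join an untrusted relative path onto
    a fixed base directory and refuse anything that escapes it."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or NUL byte")
    base_norm = posixpath.normpath(base)
    # posixpath.join discards base when user_path is absolute, and normpath
    # resolves '..', so the only safe results are base itself or a child of it.
    candidate = posixpath.normpath(posixpath.join(base_norm, user_path))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return candidate


class SafeJoinTests(unittest.TestCase):
    BASE = "/srv/uploads"  # constructed base directory for the tests

    # Positive cases: the behaviour the feature exists for.
    def test_accepts_plain_relative_paths(self):
        self.assertEqual(safe_join(self.BASE, "report.pdf"), "/srv/uploads/report.pdf")
        self.assertEqual(safe_join(self.BASE, "2019/sept/notes.txt"),
                         "/srv/uploads/2019/sept/notes.txt")

    # Negative cases: hostile inputs, each of which must be refused.
    def test_rejects_traversal_and_absolute_paths(self):
        hostile = [
            "../etc/passwd",        # plain traversal
            "a/../../etc/passwd",   # traversal hidden behind a real segment
            "/etc/passwd",          # absolute path replaces the base
            "..",                   # parent of the base itself
            "a/b/../../../x",       # more '..' than depth
            "safe\x00.txt",         # NUL byte truncation trick
            "",                     # empty input
        ]
        for path in hostile:
            with self.subTest(path=path):
                with self.assertRaises(UnsafePathError):
                    safe_join(self.BASE, path)

    def test_sibling_prefix_is_not_treated_as_child(self):
        # '/srv/uploads-old' starts with '/srv/uploads' but is not inside it;
        # a naive startswith(base) check would accept this.
        with self.assertRaises(UnsafePathError):
            safe_join(self.BASE, "../uploads-old/x")


if __name__ == "__main__":
    unittest.main()
```

Run it with `python -m unittest` in the pipeline's test stage; if a later refactor replaces the `startswith(base_norm + "/")` check with a plain `startswith(base_norm)`, the sibling-prefix negative test is the one that catches it.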
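For the SAST step, here is an added example of what a static analysis pass actually does: it parses source code into an AST without executing it and flags insecure patterns. It is not the talk's material and it is not one of the real tools from the slides; `scan_source`, its rule names and the sample source it scans are all constructed for this illustration.

```python
import ast
import re
import textwrap

# Constructed sample source: three findings and one clean query.
SAMPLE_SOURCE = textwrap.dedent('''
    import subprocess
    API_KEY = "AKIAEXAMPLEKEY1234567890"
    def run(cmd):
        subprocess.call("ls " + cmd, shell=True)
    def lookup(conn, name):
        return conn.execute("SELECT * FROM u WHERE name='%s'" % name)
    def safe(conn, name):
        return conn.execute("SELECT * FROM u WHERE name=?", (name,))
    def calc(expr):
        return eval(expr)
''')

SECRET_NAME = re.compile(r"(key|secret|passw(or)?d|token)", re.IGNORECASE)


def _built_by_formatting(node: ast.AST) -> bool:
    """True if the expression is an f-string, '%'/'+' concatenation or .format()."""
    if isinstance(node, (ast.BinOp, ast.JoinedStr)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def scan_source(source: str):
    """Return sorted (line, rule, message) findings for the given source text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # A string literal assigned to a secret-looking name.
            for target in node.targets:
                if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    findings.append((node.lineno, "hardcoded-secret",
                                     f"string literal assigned to {target.id}"))
        elif isinstance(node, ast.Call):
            func = node.func
            # eval()/exec() on anything is arbitrary code execution.
            if isinstance(func, ast.Name) and func.id in ("eval", "exec"):
                findings.append((node.lineno, "dangerous-builtin", f"call to {func.id}()"))
            # shell=True hands the command line to /bin/sh.
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "shell-true", "subprocess call with shell=True"))
            # A query built by string formatting instead of bound parameters.
            if (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")
                    and node.args and _built_by_formatting(node.args[0])):
                findings.append((node.lineno, "sql-string-build",
                                 "SQL statement built by string formatting; use parameters"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {message}")
```

The `safe` function on the sample's line 9 is deliberately left unflagged: the query text is a constant and the value travels as a bound parameter, which is exactly the distinction a static rule has to make to avoid drowning developers in false positives.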
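The DAST step and the security-headers step can be shown with one added example: a black-box probe that runs a tiny web application, sends it a hostile request and inspects the response, first for a reflected payload and then for the headers that should be present. This is illustrative code written for this post, not from the talk; the WSGI application, its `/greet` endpoint, the `hardened` flag and the header expectations are all constructed here. The same `probe` function reports six findings against the weak configuration and none against the corrected one.

```python
import html
import re
from urllib.parse import parse_qs, urlencode
from wsgiref.util import setup_testing_defaults

# Headers the probe expects; None means "present with any value", otherwise
# the exact value required. (Constructed baseline for the example.)
REQUIRED_HEADERS = {
    "Content-Security-Policy": None,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": None,
    "Referrer-Policy": None,
}
ONE_YEAR = 31536000
XSS_PAYLOAD = '<svg onload="alert(1)">'


def make_app(hardened: bool):
    """Constructed WSGI app: /greet?name=... echoes the name back in HTML."""
    def app(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        name = params.get("name", ["world"])[0]
        if hardened:
            name = html.escape(name)          # output encoding stops reflection
        body = f"<h1>Hello, {name}</h1>".encode()
        headers = [("Content-Type", "text/html; charset=utf-8")]
        if hardened:
            headers += [
                ("Content-Security-Policy", "default-src 'self'"),
                ("X-Content-Type-Options", "nosniff"),
                ("X-Frame-Options", "DENY"),
                ("Strict-Transport-Security", f"max-age={ONE_YEAR}; includeSubDomains"),
                ("Referrer-Policy", "no-referrer"),
            ]
        start_response("200 OK", headers)
        return [body]
    return app


def call_app(app, path, query):
    """Drive the app in-process, the way a DAST tool drives it over HTTP."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["QUERY_STRING"] = urlencode(query)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], captured["headers"], body


def probe(app):
    """Black-box checks on a live response; returns a list of finding strings."""
    findings = []
    _, headers, body = call_app(app, "/greet", {"name": XSS_PAYLOAD})
    if XSS_PAYLOAD in body:
        findings.append("reflected-xss: name parameter echoed without encoding")
    for header, expected in REQUIRED_HEADERS.items():
        value = headers.get(header.lower())
        if value is None:
            findings.append(f"missing-header: {header}")
        elif expected is not None and value.strip().lower() != expected.lower():
            findings.append(f"weak-header: {header}={value!r}, expected {expected!r}")
    hsts = headers.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append(f"weak-header: Strict-Transport-Security={hsts!r}, max-age below one year")
    return findings


if __name__ == "__main__":
    for label, flag in (("weak", False), ("hardened", True)):
        print(label, probe(make_app(hardened=flag)) or "no findings")
```

Notice that the probe never reads the application's source; it only sees what the response contains, which is why DAST complements rather than replaces the static pass, and why the header checks belong in the same stage.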
Talk is cheap, show me the TOOLS
It was at this moment that all the focus was on the screen. It is definitely worth knowing these brilliant tools. And with this, I concluded my talk by saying that whatever tools or process we follow, the end motive is to implement Continuous Security, which gives new hope to the CI/CD pipeline!
With that, the talk came to an end. The best part: I completed exactly in 10 minutes! :D And since the talk ended, my blog also ends here! Got some GDG goodies, presented by Nivetha Maran, Lead, WTM Chennai!
Thanks to GDG Chennai, GDG Cloud Chennai, WTM Chennai, Abhishek, Varun, Somu, Nivetha, Manikadan and all other amazing team for providing me this chance to talk!
Congrats if you reached here! Thank you so much for reading my blog! Hit the clap button till you are happy!
Link to my slides here!