GlobalSign Blog

9 Best Practices to Improve DevOps Security

9 Best Practices to Improve DevOps Security

If we go back a few years, most enterprises began with integration, development, and testing automation in the early stages of the product lifecycle. Eventually, things changed and the agile deliver team began iterative development and monitoring practices for improving the quality of code. 

Nowadays, Software Development and IT Operations teams cooperate with one another, bridging the gap between development and operations (i.e. DevOps) in an attempt to fasten market delivery with less human interaction. This is why DevOps and automation are crucial for business operations, offering numerous benefits. 

These include more productive resource utilization, frequent feature releases, and increased application stability. However, the key to ensuring a more stable production environment is to integrate security into the DevOps pipeline. A conventional approach of templates and checklists will not work. 

So, without further ado, check out these 9 best practices to improve the security of DevOps, which remains the largest single remaining barrier to continuous delivery.

1. Involve Security Teams in the Architecture Process

During the architecture process, the DevOps team will focus on meeting all requirements for building the Cloud Infrastructure. Security teams, at this point, should get involved to understand the scope of the task as different elements in the architecture process need protection in different ways. 

Depending on the security model you choose, there is a unique security paradigm. Engage in Threat Modeling to identify what elements require additional focus, for example privacy, and the actions that need immediate completion to guarantee the utmost protection.  

2. Utilize Code Reviews for Security

Conducting code reviews is a common practice in DevOps but is often disregarded in terms of security. This can have many implications, like stolen code, inability to identify malicious code, and unresponsive code. The security team should educate workers on secure coding techniques to mitigate any associated risks.

This process involves understanding the current code review process being utilized by DevOps and validating different items using Static Code Analysis as part of the building process, to identify potential vulnerabilities. This will help developers in changing coding techniques to meet security requirements.

3. Conduct a CloudFormation Scripts Audit

To improve security, you need to get into the nitty-gritty details of the DevOps world, which includes infrastructure as code (IAC). This is where developers employ automation for using configuration and script files. From a security standpoint, you can include automated checks against each script. 

For instance, if a developer creates an infrastructure script for storing files with public access to the internet, it can immediately be identified as an error. Combined with threat modeling, you can use powerful tools to validate the security of the infrastructure, every time a developer makes a change. 

4. Run Post-Build Security Testing

Running tests of automated builds and units is a core part of DevOps. This presents a great opportunity for security teams to provide valuable insights by adding security testing tools, which have the ability of automating the validation process and making the code checking process more efficient.

Previously, running tests at the end of the project resulted in significant delays, but a real-time automation process eliminates the struggle. If you are part of the security team, it’s your job to investigate automated security testing tools and integrate them into the build process. 

5. Overhaul the Operating System

If you are using scripting to create and build servers, consider adding in the scripts to lockdown the OS, too. It’s time we moved from “Infrastructure as Code” to “Secure Infrastructure as Code.” This means we need to be intelligent and proactive to identify flaws. If you apply OS hardening at the end of the project, you run the risk of the application malfunctioning. 

If applied at the beginning, you gain the ability to identity issues up front instantly, while also allowing security teams to work with developers in search for different ways of performing functions, in case the hardening has to be relaxed. If such a thing occurs late in the project, the development team will force the issue through. Use resources like CIS Benchmark or SANS Institute SCORE Security Checklist

6. Harden Your CloudDeployment 

If done correctly, cloud services can deliver incredibly secure infrastructures. At the same time, it can also open a gateway to new security issues. Review your CloudDeployment strategy (MFA tokens, IAM roles, Security Groups, Standard AMIs), and work out how your company is using the cloud. 

This includes analyzing the segregation of duties. Do your developers have rights to change the production environment? Those that have higher authority and access to significant permissions should be accessing the console via two-factor authentication and an authorized dedicated IP, company-based or from a secure VPN service (in case you are outsourcing and need to provide your third-party users with remote access, too). 

7. Scan the OS and Applications for Vulnerabilities

The majority of hacks and attack vectors focus on exploiting the vulnerabilities in the applications or OS that are running on the servers. If you want to enhance security, there should be rigorous monitoring and analysis of all apps and automated testing tools in the DevOps pipeline. 

Your focus should be on running regular vulnerability scans to remediate and eliminate any loopholes in security, whether that be on the OS or the applications it is running. When selecting software, identity components with known risks and work with developers carefully to fix select components. 

8. Integrate Phoenix Upgrades 

Ever found yourself in trouble while responding to security threats? Failed to deploy a patched version across your application/software in time? Phoenix Upgrades are the key to speeding the process. Each time you deploy an update, you build a fresh server, instead of applying it on an existing one.

Not only does this increase your agility in rolling out new versions, but it also improves your ability to tackle security issues. A patched version can be deployed across your entire cloud environment safely, while also reducing the risk of configuration drift and technical debt. 

9. Conduct Real-Time Auditing of Your Production Environment

Post-deployment visibility is incredibly important and relies on the level of auditing deployed. As a general rule, you should have standard auditing levels, across different applications and server roles. To improve security, you need a tool that gives you the audited data needed without swamping your servers concurrently. 

Once all these elements are in place, you can audit production at any point, to identify if anything has drifted from the defined security profile. Of course, this requires considerable work with the development team to set logging levels and ensure that you configurations do not drift. 

Wrapping Things Up

DevOps is here to stay for a good time. After all, it has been widely accepted as the new way of developing, releasing, and updating products in the product lifecycle. As such, security professionals need to let go of traditional security, and embrace solutions that work with DevOps. The above are a good starting point, but there is always room for more improvement and adaptation, depending on your needs.

Looking for a way to satisfy both DevOps and Infosec requirements without internal crypto expertise? GlobalSign can provide DevOps teams with one standards-compliant, outsourced CA to cover all of their digital certificate needs, e.g. private, public, flexible certificate templates, and short-lived certificates. Check out PKI for DevOps now. 

Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.

Share this Post