DevSecOps isn't just another meaningless buzzword; it's an approach with concrete steps and real technologies that can be used to effectively reduce risk. That's the message coming out of a session at the Black Hat USA conference in Las Vegas titled "DevSecOps: What, Why and How."
Anant Shrivastava, regional director for Asia Pacific at NotSoSecure, explained that the ideal for many organizations is to be secure by default. DevSecOps is an approach that integrates security tooling into both the development and operations workflows, and it can help create a culture of security as code within an organization.
"DevSecOps makes it easier to manage the rapid pace of development and large scale secure deployments," Shrivastava said. "Security has to be part of the process; it can't be a step that only occurs at the end."
In the modern DevOps approach to code development, a developer writes code in an IDE (Integrated Development Environment), checks it into a source code repository, and then pushes it through a continuous integration/continuous deployment (CI/CD) server out to production. Shrivastava said that at each stage of the DevOps process there are tools and controls that can be used to enable better security.
The first step in the DevSecOps pipeline is what Shrivastava referred to as "pre-commit hooks" on a developer's workstation, which make sure that sensitive information such as access keys is not committed along with the code. IDE plugins can also be used to help developers identify potential bugs in code that could lead to exploitable vulnerabilities.
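As an added illustration of the pre-commit check described above (example code, not from the talk or from NotSoSecure), the following git pre-commit hook scans staged changes for lines that look like credentials and blocks the commit if it finds any; the detection patterns (AWS access key IDs, private key headers, quoted assignments to password/secret/api key/token names) are assumptions for illustration and should be tuned for your own environment.

```shell
#!/bin/sh
# Added example, not code from the talk or from NotSoSecure: a minimal git
# pre-commit hook that refuses a commit when the staged changes add lines
# that look like credentials. Install as .git/hooks/pre-commit (executable).
# The patterns are assumptions for illustration: AWS access key IDs, private
# key headers, and quoted assignments to password/secret/api key/token names.

# scan_added_lines: reads a unified diff on stdin, keeps only added lines
# (leading "+", minus the "+++ b/file" header), and prints each line that
# matches a secret pattern. Returns 0 when clean, 1 when anything matched.
scan_added_lines() {
    added=$(grep '^[+]' | grep -v '^[+][+][+]' | sed 's/^+//')
    [ -n "$added" ] || return 0
    # Matching is case-insensitive so PASSWORD= and password= are both caught.
    hits=$(printf '%s\n' "$added" | grep -E -i \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----' \
        -e '(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*["'\''][^"'\'']{8,}["'\'']' \
        || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    echo "pre-commit: possible secret in staged changes, commit blocked:" >&2
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample diffs so the check can be tried outside a repository.
# The clean diff reads the key from the environment; the leaky diff hard-codes
# AWS's documented example key ID and a password literal.
CLEAN_DIFF='+++ b/app.py
@@ -1,2 +1,3 @@
 import os
+API_KEY = os.environ["API_KEY"]
-API_KEY = None'

LEAKY_DIFF='+++ b/settings.py
@@ -1,2 +1,3 @@
 DEBUG = False
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+db_password = "correct-horse-battery"'

# Hook entry point: git runs this file as "pre-commit"; when sourced or run
# under another name, only the function and the samples are defined.
if [ "$(basename "$0")" = "pre-commit" ]; then
    git diff --cached --no-color -U0 | scan_added_lines || exit 1
fi
```

Try it with `printf '%s\n' "$LEAKY_DIFF" | scan_added_lines` after sourcing the file; a hook like this is a first line of defence only, and a dedicated secret scanner in CI should back it up because developers can skip local hooks with `--no-verify`.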
Software Composition Analysis (SCA) is another key step for developers embracing a DevSecOps model.
"We don't write software as much as we build on frameworks, with the biggest portion of software now being third-party libraries," Shrivastava said. "Software Composition Analysis performs checks to identify vulnerabilities in outdated third-party libraries."
Static analysis is the next step in the DevSecOps pipeline. Shrivastava explained that static analysis tools enable automated code review that can find software defects such as SQL injection and Cross Site Scripting (XSS). Static analysis examines code without executing it; its counterpart, dynamic analysis, looks for defects in running code.
Moving from development into production, DevSecOps also seeks to secure the infrastructure used for application deployment. That is where the idea of defining security as code within the infrastructure fits in.
"Infrastructure as code allows you to document and have version control for infrastructure," he explained. "It allows you to perform an audit on the infrastructure, and the whole environment can be as secure as the base image."
Having all the different DevSecOps controls and tools in place can also add a new layer of complexity as each of the tools has its own report format. That's why Shrivastava said that there is also a need for vulnerability management in the DevSecOps pipeline, to act as a central dashboard for all the different reports.
Finally, even with all the various tools to check code at different levels, vulnerabilities will still get through. Shrivastava said that once code is deployed, it's imperative to have alerting and monitoring tools in place to see if anything malicious is still able to get through.
"We work under the whole assumption that anything can be hacked, but you can still make life miserable for the attackers. That's the game," he said.