Cybersecurity Professionals in the World of DevOps
DevOps CI/CD Pipeline is Continuous and Iterative


What is DevOps? And how does it relate to the SDLC, Scrum/Agile Methodologies, the CI/CD Pipeline, and why should you care?

The technologies and methods used to build, deploy, and manage enterprise IT systems have evolved significantly in recent years. The biggest driving force behind all of this change is the need for businesses to build and deploy systems faster than ever, which is enabled by the ability to deploy systems instantly into a public cloud service such as AWS, Azure, or Google.

As system development and deployment move faster, so too may the velocity at which new vulnerabilities and risks are introduced. This creates both the need and the opportunity to "shift left" the integration of cybersecurity into the DevOps process and then, as a part of the very nature of DevOps, to continuously and iteratively improve security.

To achieve this it's imperative that we, cybersecurity professionals, understand how DevOps works so we may better engage, support, and facilitate security throughout the DevOps process.


First, let's start at the beginning with the SDLC.

SDLC (The Software Development Lifecycle) is the process that teams use to design and build high-quality software in a cost-effective and time-efficient manner.

There are entire books on the topic but for our purposes, we'll keep it simple.

Some popular SDLC models include Waterfall, Iterative, Spiral, and Agile just to name a few.

Source: https://aws.amazon.com/what-is/sdlc/

DevOps is a software development philosophy, methodology, and culture characterized by the combination and collaboration of both development and operations teams as a way to increase the efficiency and speed of the Software Development Lifecycle (SDLC).

While there is no single definition of DevOps, a successful DevOps strategy is built upon the "DevOps Trinity":

  1. People and Culture – breaking down the traditional silos between teams and working together towards a common goal.
  2. Processes and Practices – Agile and DevOps go hand in hand and, by doing so, can streamline processes in predictable and repeatable ways.
  3. Tools and Technologies – Enabling automation, continuous integration, configuration management, testing, packaging, releasing, and monitoring.

Let's look at each part of this "DevOps Trinity" a little bit closer.

1. People and Culture:

Agile began as a software development philosophy defined by 4 values and 12 principles known as the Agile Manifesto. The four values read:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

For more details on Agile and the 12 principles, visit the link below.

Source: https://teamhood.com/agile-resources/what-is-agile/

Today, Agile has evolved from focusing on just software development into a more generalized project management framework that centers around incremental and iterative steps to completing projects. In Agile processes, there is constant feedback, allowing team members to adjust to challenges as they arise and stakeholders an opportunity to communicate consistently. 

Source: https://www.coursera.org/articles/what-is-agile-a-beginners-guide

Scrum is one of the most popular frameworks used to practice Agile. Scrum follows the Agile project management framework and builds upon it by organizing projects in short-term iterations of work called Sprints. To ensure these Sprints are effective, there are 4 specific events to be held during each of them – Sprint Planning, Daily Scrum, Sprint Review, and Sprint Retrospective. This iterative approach allows Scrum to produce work and test it quickly.

Source: https://teamhood.com/agile-resources/what-is-scrum/

Scrum also brings together cross-functional teams, including developers, QA, and product owners, to work on a common goal.

Source: https://www.garudax.id/pulse/breaking-down-silos-how-scrum-promotes-collaboration-teams-/

2. Practices:

DevOps is governed by a collection of technical practices which includes:

  • Version control to track and manage every change
  • Agile iterative and incremental development model
  • Continuous Integration (CI)
  • Continuous Delivery (CD)
  • Shifting left the integration of security and testing early in the development process

Source: https://about.gitlab.com/topics/devops/

3. Tools:

DevOps practices occur in a series of DevOps stages including Plan, Develop, Build, Test, Package, Release, Configure, and Monitor.

For each of these DevOps stages, there are tools that can be used to facilitate and even automate the work such as:

  • Plan and Develop Tools: Jira, TeamForge, SpiraTeam, Git, Subversion, TFS, Mercurial, CVS Server
  • Build Tools: Maven, Gradle, Apache Ant, Python Invoke, Ruby Rake, Packer
  • Version Control Tools: GitLab, GitHub, Bitbucket
  • Test Tools: Selenium, Gremlin, Appium, Cucumber, Test Studio, RSpecs, JUnit
  • Package Tools: Archiva, JFrog, Helix, NuGet, Docker, Perforce, NPM
  • Release and Configure Tools: Ansible, Chef, Puppet, SaltStack, IBM UrbanCode, Octopus, Clarive
  • Monitoring, Alerting, and Incident Response Tools: SignalFx, AppDynamics, Raygun, Splunk Cloud, Nagios, Elastic Stack, Munin, Zabbix
  • IT Ticketing Tools: ServiceNow, Jira

Source: https://www.simplilearn.com/tutorials/devops-tutorial/devops-tools

Source: https://digitalvarys.com/tools-for-devops/

CI/CD Pipeline is the result of performing the stages of DevOps in a Scrum/Agile manner and in alignment with the DevOps practices of continuous integration and delivery.

Integration is the stage common to all the others: it connects each DevOps stage to the next, and it can be facilitated through:

Continuous Integration Tools: Jenkins, Bamboo, Travis, TeamCity, CircleCI.

Public Cloud Providers, such as Amazon AWS, Microsoft Azure, and Google GCP, support and even enable DevOps with integrated and automated CI/CD pipeline capabilities. Such integrations allow developers to rapidly and continuously deploy code changes directly into the cloud environment.

Rapid continuous deployments to the cloud can be further leveraged by designing loosely coupled microservices, which allow a change in one service without affecting another and so limit the blast radius of any error.

Source: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/build-a-loosely-coupled-architecture-with-microservices-using-devops-practices-and-aws-cloud9.html

Bonus Topic: I won't go into detail on this topic but it's worth at least mentioning that "understanding what problems containers, Docker, and Kubernetes solve is essential if you want to build modern cloud-native apps."

Source: https://cloudblogs.microsoft.com/opensource/2019/07/15/how-to-get-started-containers-docker-kubernetes/


In conclusion, DevOps is 1) a culture and philosophy built on collaboration and communications, 2) a set of agile practices rooted in continuous and iterative improvement, and 3) the utilization of tools to automate the practices of building, deploying, and operating IT systems -- all rolled into one. The ultimate purpose of DevOps is to build, deploy, and operate systems that are built better and to do it all faster and more efficiently.

Now that you have a foundational understanding of what DevOps is, let's consider some cybersecurity questions, concerns, or considerations.

1) With so many tools and systems used in DevOps, how do we ensure the security and resilience of every tool and system in the DevOps ecosystem from start to finish? For example: what happens if our code repository or artifactory were to be deleted, what if access was lost or accounts locked out, or what if someone were to steal our proprietary code? How do we manage and monitor access to these tools and systems? And so on...

2) While DevOps decreases the time to develop and deploy systems, might DevOps also speed up the deployment of new vulnerabilities and risks alongside those very systems? How do we integrate appropriate security into the project from the beginning, and how do we test and improve security alongside functionality testing? What about code and operating system vulnerability scans and, if vulnerabilities are found, what do we do? How do we do all of this without slowing down the DevOps process?
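One way to answer the "if vulnerabilities are found, what do we do?" question without stalling the pipeline is a policy gate that runs right after the scan stage: block the build on findings at or above an agreed severity, only warn on the rest, and honour time-boxed risk acceptances so known issues do not re-block every run. This is an added example in Python, not from the article or from any of the tools it lists; the report format, finding ids and accepted-risk register are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample scan report (not any real scanner's output format); it stands
# in for the SAST / dependency-scan results a CI "Test" stage would hand to the gate.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "severity": "critical", "component": "libexample",
     "title": "Deserialization of untrusted data"},
    {"id": "F-2", "severity": "high", "component": "webapp",
     "title": "SQL built from string concatenation"},
    {"id": "F-3", "severity": "medium", "component": "webapp",
     "title": "Missing HttpOnly cookie flag"},
    {"id": "F-4", "severity": "low", "component": "docs",
     "title": "Outdated README link"},
]})

# Constructed risk-acceptance register: finding id -> ISO expiry date. An acceptance
# that has expired no longer suppresses the finding, so it falls back under policy.
ACCEPTED_RISKS = {"F-2": "2099-01-01", "F-1": "2020-01-01"}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def evaluate_gate(report_json, accepted=ACCEPTED_RISKS, block_at="high", today=None):
    """Apply the policy to a scan report.

    Returns (passed, blocking_ids, warnings): passed is False when any finding at
    or above `block_at` is neither suppressed by a current acceptance nor absent.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[block_at]
    blocking, warnings = [], []
    for f in json.loads(report_json)["findings"]:
        rank = SEVERITY_RANK.get(f["severity"].lower(), 0)  # unknown severity -> 0
        expiry = accepted.get(f["id"])
        if expiry is not None and date.fromisoformat(expiry) >= today_d:
            warnings.append(f"{f['id']} accepted until {expiry}: {f['title']}")
            continue
        if rank >= threshold:
            blocking.append(f["id"])
        elif rank > 0:
            warnings.append(f"{f['id']} {f['severity']}: {f['title']}")
    return (len(blocking) == 0, blocking, warnings)


if __name__ == "__main__":
    passed, blocking, warnings = evaluate_gate(SAMPLE_REPORT)
    for line in warnings:
        print("WARN ", line)
    for fid in blocking:
        print("BLOCK", fid)
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline job
```

The exit code is what the CI job sees, so the gate slots into any of the CI tools above as one more step after the scanner; lowering `block_at` or shortening acceptance windows tightens the policy without touching the scanner.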

Ultimately, when cybersecurity (as a team, philosophy, and practice) becomes fully integrated and involved with the day-to-day of DevOps from start to finish, DevOps evolves into DevSecOps which, in the opinion of this author, should be the ultimate goal for any cybersecurity program or team supporting environments implemented through DevOps practices.


UPDATE: On June 28, 2023, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity information sheet (CSI) to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps). The CSI explains how to integrate security best practices into typical software development and operations (DevOps) Continuous Integration/Continuous Delivery (CI/CD) environments.

https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF

What timing! On June 28, 2023, the NSA and CISA released guidance for improving defenses in cloud implementations of DevSecOps. https://media.defense.gov/2023/Jun/28/2003249466/-1/-1/0/CSI_DEFENDING_CI_CD_ENVIRONMENTS.PDF

Very relevant. Developers getting the access they need without compromising speed and security. Thanks for sharing, Jeremy.
