DevOps and DevSecOps, these are the two words that most of the IT Enterprises seem to be fixated on in the last several years. While DevOps aims to shorten the software development life cycle and continuous delivery of applications, DevSecOps embeds Security into the DevOps life cycle.
DevOps deals with the process and tools and DevSecOps enables development and security teams to securely build and deploy code without creating friction. DevOps teams use several tools to achieve Continuous Integration/Continuous Deployment and as the recent SolarWinds breach emphasized, it is essential to protect the identities of the users and systems using these tools. This blog series will focus on the security aspects such as authentication and authorization of user and machine identities and how they play a key role in the DevOps/DevSecOps pipeline:
- Code/Commit
- Build
- Test
- Deploy
- Monitor
Code/Commit:
Code is the first DevOps process where development teams use tools such as Git and JIRA to commit their secured code into these repositories. As part of checking in the code, the developer authenticates using the credentials stored in the repository database. Part 2 of this blog series will discuss the best practice and recommendations for storing the identity of the user, required access control, rotating SSH Keys and tokens.
Build:
The Build step in the DevOps process allows continuous integration. The development teams typically use build tools to commit the code to the repositories. The build tools generally use service accounts and privileged users to connect across the repositories and the build tool itself. These application or service credentials are either stored in the internal database of these build tools or they can leverage an external authentication mechanism. Identity plays another important role in this phase as software vendors perform operations like code/container image signing to prove the authenticity & origin of the software.” Part 3 of this blog series will focus on how identity plays a key role in this continuous integration process and ways to protect these identities.
Testing:
Software testing in DevOps requires automation for continuous testing. Testing teams use various testing tools and build scripts to automate test suites. These scripts usually contain “test “user credentials to login to various applications and test the functionality of these applications. For example, Cross Site Scripting aka XSS, is a common security issue for web applications where one user is executing a script on another’s page. Since the testing team uses “test” user credentials for testing, it is very important to secure these “test” user identities. Part 4 of this blog series will highlight the methods and recommendations on securing these user identities.
Deployment:
Deployment is one of the most important process steps in the DevOps pipeline. Automation of the deployment process enables the DevOps team to achieve the continuous building and deployment of code. The team uses tools for automation of the deployment process. Part 5 of this blog series will discuss the control mechanism and best practices on how user identities must be managed during the deployment process.
Monitoring:
Operations team heavily depend on monitoring tools to identify inconsistent and inappropriate behavior of the applications and systems in production and correct them. These monitoring tools deploy agents on the application host to detect system anomalies and communicate to the central server. Some of the common patterns employed in the monitoring tools are using root accounts, writing the logs in to a Check Result folder, accessing querying monitoring agents. The last part of this blog series will focus on securing identities that are used as part of monitoring.
Conclusion:
Enterprises are embracing DevOps processes and tools to accelerate time to value through a shortened systems development life cycle and continuous delivery with high software quality. This focus on faster time to value should not be at the expense of security. With 81% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials, DevSecOps teams must ensure their charter covers the security of user and machine identities, as well. Stay tuned for a more in depth look at how to apply identity security best practices to the DevOps pipeline.
About the Author: The DevSecOps Technical Working Group subcommittee was formed in July 2020. The team, led by Saravanan Thiyagarajan, includes Ramnath Krishnamurthi, Rohini Rani-Barik, Carlos Garcia, Eric Lordahl, Max Bareither, Stefan Lesaru, Thani Anandan and Vikram Chandrasekaran.