DZone: Breaking Down the DevSecOps Approach
Take a look at how DevSecOps truly works to make your apps more secure.
To keep pace with today’s on-demand world, organizations have shifted toward modern development practices like DevOps to immediately deliver products and services to their customers. DevOps merges software development and software operations teams, so they are no longer “siloed” under one roof. With DevOps, the development and operations teams work in concert to more cost-effectively operate and evolve applications at high speed to meet marketplace customer demands.
However, many organizations are realizing that security must play an integral role in ensuring that continuous delivery practices also embrace good security processes. What good is delivering applications at such a rapid pace if sensitive customer information is left in jeopardy?
To obtain the full potential of DevOps, organizations must ensure that security controls are an integral part of the DevOps process from the very beginning. As a result, organizations are embracing an enhanced DevOps model — called “DevSecOps.”
The Role of Security in Continuous Delivery Practices
Security has typically existed as its own practice as part of IT. Their responsibilities included mostly traditional security practices like anti-virus and perimeter protection like firewalls. However, as perimeter protection evolved, hackers found it easier to rely on human error to hack a network, instead of battling advanced security perimeters.
In large organizations, hackers know someone is likely to open a phishing email and click on a link jeopardizing their identity. Once that happens, the hacker is in and has access to a plethora of sensitive customer information. When security procedures are not part of the overall development process, organizations risk the chance that security controls have not been audited properly or consistently enforced with every new release or new application/API/microservices.
DevSecOps changes that approach and integrates security into IT processes from the beginning. By integrating security controls, organizations can proactively and consistently address different security concerns across the enterprise and enhance identity and access control (IAM) models to stave off hackers.
However, the security controls must also conform to a continuous delivery cycle, meaning, they must fit into a model that is streamlined via automation to be deployed and managed like modern-day applications. This means security and identity services should be deployed and managed in the same manner as any application code. Cloud-native capabilities, clearly defined interfaces, REST and JSON-enabled interfaces and containerization are some of the attributes that make security and identity services look and feel like modern-day applications. One security control that becomes a priority is dynamic authorization.
Integrating Dynamic Authorization
Dynamic authorization is an ideal choice for DevSecOps because it can be deployed in sync with a continuous deployment/integration cycle. If the identity and access management (IAM) systems chosen cannot be deployed and managed in the same manner as APIs and microservices, then it makes the DevSecOps process more difficult and less automated.
Dynamic authorization delivered with Attribute Based Access Control (ABAC) authorizes access to resources based on attributes. Authorization is determined dynamically at runtime by evaluating centrally managed policies and rules. With dynamic authorization, organizations can automate policy changes the same way code changes are automated.
Since the dynamic authorization engine can be managed like a microservice, it gives the same flexibility, deployment and automation characteristics as application microservices. In the end, the life cycle of redeploying the application and security elements can be fully automated. In addition, any changes to policies can also be part of the automation process. Similarly, organizations can automate the activation of additional authorization servers for peak load conditions and remove them when less capacity is necessary.
Build Docker image
docker build -t gcr.io/project_id/repository_name .
Push Docker image to GCR (Google Cloud Registry)
docker push gcr.io/project_id/repository_name
Create ConfigMap for deployment and domain configuration files
kubectl create configmap name_of_configmap data_source …
Deploy the authorization service
kubectl create -f authorization service deployment yaml descriptor
Expose authorization service to the external network
kubectl expose deployment deployment_name --name=service_name
The end result of this example results in a deployment that is illustrated in the diagram below.
With DevSecOps there are a variety of benefits businesses can realize. First, the approach is automated, so pressure is taken off the developer team because they will no longer have to write security rules into their code. Also, access rules are enforced consistently across applications, APIs, microservices and data resources, reducing the risk of overexposure to data, ultimately minimizing the risk of a security breach. Developers now can spend time on business functionality instead of worrying about access security.
The DevSecOps approach allows organizations to serve their customers better and compete more effectively and securely in the market by enabling much faster application deployment, which is a must in today’s IT environment. With dynamic authorization embedded directly into the development cycle, organizations can automatically address a wide variety of security aspects across the enterprise and ensure a continuous and secure development cycle.
Senior Director, Strategic Communications