
The ReleaseTEAM Blog: Here's what you need to know...

Adding Security to DevOps

As DevOps has gained popularity, organizations have started asking, “what about X department?” This trend has resulted in new terms such as “DevSecOps,” which elevates the need for security in your DevOps processes. Incorporate security from the very beginning, regardless of whether you call it DevOps or DevSecOps. Unfortunately, security is still sometimes left until the code is ready for release. Let’s look at a few areas where you might add security earlier in the software development lifecycle (SDLC).

Developer and Tool Security

Cyberattacks now target development, container, and cloud tools that organizations may not immediately think of as being reachable from the outside. In 2018, Tesla was hacked via an unsecured Kubernetes installation, which the attackers used to access Tesla’s AWS instances and run cryptomining on them. In 2019, a cryptojacking worm called Graboid infected unsecured Docker containers.

Perform a security audit on your toolchain to understand where your vulnerabilities lie, then ensure you are patching your tools and scanning for vulnerabilities. In the case of containers, use trusted images that have been vetted by security and follow best practices for securing access.
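One concrete form of the "trusted images" and "securing access" advice is a check, run in the pipeline before deployment, that every container image in a manifest comes from a registry vetted by security and is pinned by digest rather than a mutable tag. The script below is an added example (not ReleaseTEAM's code or tooling); the registry allowlist and the Deployment manifest are constructed for illustration.

```python
"""Flag container images that are not from a vetted registry or not pinned by digest."""
import re
from typing import Dict, List, Tuple

# Constructed allowlist: registries whose images security has vetted.
TRUSTED_REGISTRIES = ("registry.example.internal/", "ghcr.io/example-org/")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image(image: str) -> Tuple[str, str, str]:
    """Split 'repo[:tag][@digest]' into (repo, tag, digest)."""
    name, _, digest = image.partition("@")
    # A tag colon must come after the last slash; an earlier colon is a registry port.
    last_slash, colon = name.rfind("/"), name.rfind(":")
    if colon > last_slash:
        return name[:colon], name[colon + 1:], digest
    return name, "", digest


def check_image(image: str) -> List[str]:
    """Return human-readable findings for one image reference (empty list = OK)."""
    repo, _tag, digest = parse_image(image)
    findings = []
    if not repo.startswith(TRUSTED_REGISTRIES):
        findings.append(f"{image}: registry not in vetted allowlist")
    if not DIGEST_RE.fullmatch(digest):
        findings.append(f"{image}: not pinned by digest (tags are mutable)")
    return findings


def check_manifest(manifest: Dict) -> List[str]:
    """Walk a Pod or Deployment-style manifest and check every container image."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)  # Deployment or bare Pod
    findings = []
    for section in ("initContainers", "containers"):
        for container in pod_spec.get(section, []):
            findings.extend(check_image(container.get("image", "")))
    return findings


# Constructed sample manifest: one compliant image, one unpinned, one untrusted.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "registry.example.internal/app/migrate:3.1"}],
        "containers": [
            {"name": "api", "image": "registry.example.internal/app/api@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "docker.io/library/nginx:latest"},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_DEPLOYMENT):
        print(finding)
```

The same check can run as a pre-merge step on manifests in the repository, so an untrusted or unpinned image fails the build rather than reaching the cluster.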

Identity and Access Management

Identity and Access Management (IAM) solutions seek to centrally manage identity and access across DevOps tools, whether located on-premises or in the cloud. This is important not only for making sure developers have secure access to the tools they need but also for controlling API access and permissions. As DevOps teams automate more routine and repetitive tasks, an insecure account can quickly devastate code repositories, push bad code to production, or open up new vulnerabilities.

Application Security Testing

Two main types of scanning, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), can check your applications for vulnerabilities. SAST scans the source code for known vulnerabilities, while DAST tests the running application without having access to the code. In addition to these two scans, DevOps teams should perform dependency scans against the libraries and open source components they use to build their applications.

Continuously Improve Security

Just as DevOps teams do not stop looking for ways to improve efficiency after removing a single roadblock, they cannot implement security only once. Changes to toolsets, approval flows, release processes, and personnel all necessitate continued vigilance. Developers and Operations may not have the inherent knowledge to identify risks, so the Security team should be involved throughout the SDLC.

Learn more about ReleaseTEAM’s DevSecOps services and tools.
