The ReleaseTEAM Blog: Here's what you need to know...
Adding Security to DevOps
Developer and Tool Security
Cyberattacks now target development, container, and cloud-based tools that organizations may not immediately think of as being accessible. In 2018, Tesla was hacked via an unsecured Kubernetes instance, which the attackers used to reach Tesla’s AWS instances and run cryptomining on them. In 2019, a cryptojacking worm called Graboid infected unsecured Docker containers.
Perform a security audit of your toolchain to understand where your vulnerabilities lie, then make sure you are patching your tools and scanning them for vulnerabilities. For containers, use trusted images that have been vetted by security and follow best practices for securing access.
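The exposure behind both incidents above is a tool listening on the network with no effective authentication. The following audit script is an added example, not code from ReleaseTEAM or the original post: it checks a constructed Docker `daemon.json` and a constructed kubelet command line for that class of misconfiguration. The `hosts`, `tls` and `tlsverify` keys and the kubelet `--anonymous-auth` / `--authorization-mode` flags are real; the sample values, and the assumption that the kubelet is configured by flags rather than a config file, are constructed for the example.

```python
"""Audit constructed Docker daemon and kubelet settings for unauthenticated
network exposure (added example; inputs are constructed, not from a real host)."""
import json
import shlex
from typing import Dict, List

# Constructed /etc/docker/daemon.json: the API is published on TCP with TLS
# encryption but without client-certificate verification (tlsverify missing).
SAMPLE_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscert": "/etc/docker/server.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed kubelet command line that spells out the permissive defaults.
SAMPLE_KUBELET_CMD = (
    "/usr/bin/kubelet --config=/var/lib/kubelet/config.yaml "
    "--anonymous-auth=true --authorization-mode=AlwaysAllow"
)


def audit_docker_daemon(config: Dict) -> List[str]:
    """Flag Docker API listeners that any network client could drive."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the local unix socket: nothing is network-exposed
    if not config.get("tls", False):
        findings.append(f"docker: plaintext TCP API on {tcp_hosts} (no TLS, no auth)")
    elif not config.get("tlsverify", False):
        findings.append(
            f"docker: TCP API on {tcp_hosts} is encrypted but tlsverify is unset, "
            "so clients are not authenticated"
        )
    return findings


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Turn '--key=value' arguments into a dict; bare '--key' maps to 'true'."""
    flags = {}
    for token in shlex.split(cmdline)[1:]:
        if token.startswith("--"):
            key, _, value = token[2:].partition("=")
            flags[key] = value or "true"
    return flags


def audit_kubelet(cmdline: str) -> List[str]:
    """Flag kubelet settings that let unauthenticated callers act on the node.
    The fallback defaults assumed here (anonymous-auth=true,
    authorization-mode=AlwaysAllow) are the upstream kubelet defaults; verify
    them against the version you actually run."""
    flags = parse_flags(cmdline)
    findings = []
    if flags.get("anonymous-auth", "true") == "true":
        findings.append("kubelet: anonymous-auth enabled; set --anonymous-auth=false")
    if flags.get("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("kubelet: authorization-mode=AlwaysAllow; use Webhook")
    return findings


def audit_all(daemon_json: str, kubelet_cmd: str) -> List[str]:
    """Run both audits and return the combined findings."""
    return audit_docker_daemon(json.loads(daemon_json)) + audit_kubelet(kubelet_cmd)


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_DAEMON_JSON, SAMPLE_KUBELET_CMD):
        print("FINDING:", finding)
```

Run it as part of the toolchain audit against the real files on each build host; an empty findings list for a host that only exposes the unix socket and runs the kubelet with `--anonymous-auth=false --authorization-mode=Webhook` is the expected clean result.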
Identity and Access Management
Identity and Access Management (IAM) solutions seek to centrally manage identity and access across DevOps tools, whether located on-premises or in the cloud. This is important not only for making sure developers have secure access to the tools they need but also for controlling API access and permissions. As DevOps teams automate more routine and repetitive tasks, an insecure account can quickly devastate code repositories, push bad code to production, or open up new vulnerabilities.
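A concrete way to keep an automation identity from being able to "devastate" anything is to lint its access policy for broad grants before it is attached. The linter below is an added example, not ReleaseTEAM's tooling: it reads a constructed AWS-style IAM policy document for a hypothetical CI/CD deploy role and flags wildcard actions, wildcard resources, and identity-changing actions granted without a Condition. The policy structure (`Statement`, `Effect`, `Action`, `Resource`, `Condition`) is the real document format; the Sids, ARNs and the role itself are constructed.

```python
"""Lint a constructed IAM-style policy for statements that grant an
automation identity more than it needs (added example; policy is constructed)."""
import json
from typing import Any, Dict, List

# Constructed policy for a hypothetical CI/CD deploy role (no real account).
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployArtifacts", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-artifacts/*"},
    {"Sid": "Convenience", "Effect": "Allow",
     "Action": "*", "Resource": "*"},
    {"Sid": "Identity", "Effect": "Allow",
     "Action": ["iam:PassRole", "iam:CreateAccessKey"], "Resource": "*"}
  ]
}
"""

# Actions through which a compromised pipeline identity could widen its own
# access; these should be scoped tightly and guarded by a Condition.
IDENTITY_CHANGING_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "sts:AssumeRole",
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return human-readable findings for over-broad Allow statements."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}; enumerate the actions needed")
        if "*" in resources and "*" not in actions:
            findings.append(f"{sid}: Resource '*' for {actions}; scope to specific ARNs")
        sensitive = sorted(set(actions) & IDENTITY_CHANGING_ACTIONS)
        if sensitive and "Condition" not in stmt:
            findings.append(f"{sid}: {sensitive} allowed without any Condition")
    return findings


def lint_policy_json(text: str) -> List[str]:
    """Convenience wrapper that parses the JSON document first."""
    return lint_policy(json.loads(text))


if __name__ == "__main__":
    for finding in lint_policy_json(SAMPLE_POLICY):
        print("FINDING:", finding)
```

Wire a check like this into the pipeline that provisions CI identities, so a policy with findings is rejected before a token with those rights ever exists; the first statement, scoped to named actions on a named bucket, passes and is the shape every statement should take.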
Application Security Testing
Two main types of scan, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST), check your applications for vulnerabilities. SAST analyzes the source code for known vulnerability patterns, while DAST tests the running application without access to the code. In addition to these two scans, DevOps teams should run dependency scans against the libraries and open source components they use to build their applications.
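To make the distinction concrete, here is an added example (not code from the post or from any scanner vendor) of two of the scans in miniature: a dependency scan that matches a constructed `requirements.txt` against a constructed advisory list, and a SAST pass that walks a constructed Python file with the standard `ast` module looking for calls a reviewer would flag. The advisory ids are placeholders, the version comparison is simplified (numeric parts only, no pre-release handling), and real tools draw on a vulnerability database rather than an inline dict.

```python
"""Miniature dependency scan and SAST pass on constructed inputs (added example)."""
import ast
from typing import Dict, List, Tuple

# Constructed requirements.txt content with pinned versions.
SAMPLE_REQUIREMENTS = """
# web stack
examplelib==1.2.0
safelib==3.1.4
otherlib==0.9.1   # pinned for compatibility
"""

# Constructed advisory list: package -> (first fixed version, placeholder id).
SAMPLE_ADVISORIES: Dict[str, Tuple[str, str]] = {
    "examplelib": ("1.2.3", "ADVISORY-PLACEHOLDER-1"),
    "otherlib": ("0.9.1", "ADVISORY-PLACEHOLDER-2"),  # already fixed at 0.9.1
}

# Constructed source file under review: one risky function, one safe one.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)

def safe(cmd):
    subprocess.run(cmd)
'''


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified version key: dotted integers only (assumption for the example)."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract name -> version for '==' pins, ignoring comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
    return pins


def scan_dependencies(req_text: str, advisories: Dict[str, Tuple[str, str]]) -> List[str]:
    """Report pinned packages older than the first fixed version in an advisory."""
    findings = []
    for name, version in parse_requirements(req_text).items():
        if name in advisories:
            fixed, advisory_id = advisories[name]
            if parse_version(version) < parse_version(fixed):
                findings.append(f"{name}=={version} affected by {advisory_id}; upgrade to >={fixed}")
    return findings


def scan_source(src: str) -> List[str]:
    """Static pass: eval/exec on runtime data and subprocess calls with shell=True."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            findings.append(f"line {node.lineno}: {func.id}() on runtime data")
        if isinstance(func, ast.Attribute) and func.attr in {"run", "Popen", "call", "check_output"}:
            shell_true = any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords
            )
            if shell_true:
                findings.append(f"line {node.lineno}: subprocess.{func.attr}(shell=True)")
    return findings


if __name__ == "__main__":
    for finding in scan_dependencies(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES) + scan_source(SAMPLE_SOURCE):
        print("FINDING:", finding)
```

The two scans complement each other: the dependency scan knows nothing about how the code uses a library, and the SAST pass knows nothing about which library versions are installed, which is why the paragraph above lists them as separate steps. DAST has no counterpart here because it needs a running instance to send requests to.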
Continuously Improve Security
Just as DevOps teams do not stop looking for ways to improve efficiency after removing a single roadblock, they cannot implement security only once. Changes to toolsets, approval flows, release processes, and personnel all necessitate continued vigilance. Developers and Operations may not have the inherent knowledge to identify risks, so the Security team should be involved throughout the SDLC.
Learn more about ReleaseTEAM’s DevSecOps services and tools.