Cyber Blog

Is Your DevOps Secure?

Juha Piispa

DevOps has become a competitive advantage for many organizations. However, many of these processes are not secure and raise serious challenges for cybersecurity professionals.

DevOps gives business leaders a lot to be excited about. Organizations have realized other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps.

On the flip side, DevOps gives security leaders a lot to be worried about. According to the latest State of DevOps Report from Puppet and DORA, high IT performers with mature delivery processes deploy code 46 times more frequently than low IT performers. In raw numbers, that’s more than 1,400 deployments per year for the high IT performers, compared to only 30 for the low performers.

Unfortunately, security teams are largely disconnected from this continuous software delivery process, relying instead on downstream gates designed for the era of waterfall development. Only 20% of organizations incorporate any security testing during development, with another 17% stating they are not using any technologies at all to protect their applications.

To make matters even more difficult, security teams are often outnumbered by developers in the organization by 100:1. How can security teams possibly keep up with the velocity while being constrained by limited resources?

Hackers are already taking advantage of poor cyber hygiene with cryptomining malware attacks using Docker Hub backdoors, wide open Kubernetes accounts, and unpatched Drupal web applications. While attacks today are harnessing vast amounts of computational power to generate cryptocurrency revenue, it doesn’t take much imagination to envision future attacks targeting sensitive enterprise or customer data.

Security professionals need to rethink traditional vulnerability management and embrace new security methodologies to secure DevOps processes. We believe a new security discipline, called Cyber Exposure, is required to cover the breadth of the modern attack surface (e.g., cloud services, mobile devices, IoT/OT assets) and provide a new depth of insight into vulnerability data for more accurate visibility and decision-making. Cyber Exposure will help security leaders incorporate new secure DevOps principles to better manage and measure cyber risk by providing:

  • Continuous discovery and scanning. Monthly or quarterly scans simply do not cut it anymore. Continuous software delivery means the environment is constantly changing, requiring continuous discovery and assessment of cyber risk. This should occur across the software development lifecycle—from development through operations—to provide full visibility.
  • Security integration into DevOps processes. Security tests and controls need to be an integral part of the software development lifecycle and embedded into the development pipeline. Vulnerabilities, malware, and misconfigurations should be treated as any other type of software defect that diminishes code quality and should be remediated as early as possible in the development lifecycle.
  • Automation of security workflows. To support the scale and speed of DevOps, security controls must be exposed programmatically with APIs into DevOps systems to take advantage of automation throughout the software development lifecycle. For example, instead of security teams manually assessing images during predefined security gates, security testing can be triggered automatically to assess all new builds as they are created.

 

How to Secure Public Cloud and DevOps? Get Unified Visibility.

One of the most transformative changes in the IT industry over the last decade has been the adoption of public cloud (IaaS) services such as AWS, Azure and GCP.

Public clouds are more than “just” running servers in a remote data center. They’re all about using infrastructure as code. This means that the various building blocks they offer – storage services, virtual machines and containers – as well as the underlying network can all be modified via calls to the public cloud APIs.

For all its advantages, public cloud and DevOps adoption also means the use of many new technologies – and a drastic increase in the velocity of change across the attack surface. This leads to reduced visibility into the infrastructure itself and often more complexity, which tends to be the enemy of security.

Cybersecurity starts with cyber hygiene

We believe that security starts with effective cyber hygiene – making sure every bit of the computing infrastructure is accounted for, configured properly and up-to-date. Keeping an eye on the state of the infrastructure and making sure it’s up-to-date reduces the cyberattack surface dramatically. After all, 99% of vulnerabilities exploited today are ones known by security for at least 12 months.

However, cyber hygiene is difficult to maintain in the dynamic world of public cloud. Many security teams we’ve talked to don’t know what’s running, let alone how up-to-date and tightly configured these components are.

Look no further than the many problems stemming from the misuse of public cloud infrastructure, such as default SSH credentials.

Public cloud is a boon to security

In spite of these high-profile incidents, we consider the disciplined use of public cloud as a boon to security – as long as correct methodologies and technologies are used wisely. Immutable containers, microservices and automated security testing can actually improve an organization’s level of security.

But many security solutions are built with physical, on-premises data centers in mind – not with the vital levels of scale and visibility required for public cloud. Security teams need this scale and visibility to keep track of what’s happening in their public cloud infrastructure.

Cyber Exposure: Providing greater visibility into cloud security

The discipline of Cyber Exposure will help security leaders to manage and measure the cyber risk of public cloud infrastructure. Traditional vulnerability management practices must evolve to provide greater visibility into cloud security through:

  • Live discovery and continuous monitoring of cloud assets
  • Integration between the static and dynamic scanning of cloud assets across the software development lifecycle
  • Automated, seamless workflow integration with DevOps

Today, we’re excited to announce new and important product capabilities in Tenable.io to help you embrace the use of public cloud:

  • New Cloud Connectors for Microsoft Azure and Google Cloud Platform: Continuously discover and track asset changes in Azure and GCP cloud environments to ensure all cloud workloads are known and assessed for vulnerabilities. Together with the existing Cloud Connector for AWS, these new connectors provide a unified view of cybersecurity risks across the top three most widely deployed public cloud (IaaS) platforms.
  • New container runtime scanning: Gain visibility into the Cyber Exposure of containers running in production. This important product enhancement is enabled by the combination of Tenable.io Container Security and Tenable.io Vulnerability Management working together to seamlessly integrate security into the end-to-end DevOps process – from build to production.
  • New web application discovery: Identify web applications owned and deployed across an organization, including previously unknown applications, to understand Cyber Exposure throughout your web application estate. This new capability solves a critical visibility challenge – the number of web applications deployed is often much higher than what the security team is aware of.

Juha Piispa, Moonsoft Oy