Is Your DevOps Secure?

<p>DevOps has become a competitive advantage for many organizations. However, many of these processes are not secure and raise serious challenges for cybersecurity professionals. Here’s how Tenable can help.</p>

<p>DevOps gives business leaders a lot to be excited about. After all, this new approach to software development drastically improves time to market for new services, making it possible to outpace competitors. Organizations have realized other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps.</p>

<p>It’s no surprise, then, that DevOps has <a href="https://go.forrester.com/blogs/2018-the-year-of-enterprise-devops/">finally reached mainstream status</a>, with one research report indicating that <a href="https://www.ca.com/us/modern-software-factory/content/how-agile-and-devo… of organizations</a> have implemented or plan to implement DevOps. DevOps is an important differentiator as <a href="https://hbr.org/2016/04/you-dont-have-to-be-a-software-company-to-think-… companies eventually become software companies</a>. </p>

<p>On the flip slide, DevOps gives security leaders a lot to be worried about. According to the latest <i><a href="https://puppet.com/resources/whitepaper/state-of-devops-report">State of DevOps Report from Puppet and DORA</a></i>, high IT performers with mature DevOps processes deploy code 46 times more frequently than low IT performers. In raw numbers, that’s more than 1,400 deployments per year for the high IT performers, compared to only 30 for the low performers. </p>

<p>Unfortunately, security teams are largely disconnected from this continuous software delivery process, relying instead on downstream gates designed for the era of waterfall development. <a href="https://sdtimes.com/agile/hpe-security-fortify-report-finds-application-… 20% of organizations</a> incorporate any security testing during development, with another 17% stating they are not using any technologies at all to protect their applications. </p>

<p>To make matters even more difficult, security teams are often <a href="https://dzone.com/articles/10-tips-for-integrating-security-into-devops"… by developers</a> in the organization by 100:1. How can security teams possibly keep up with DevOps velocity while being constrained by limited resources? </p>

<p>Hackers are already taking advantage of poor DevOps cyber hygiene with cryptomining malware attacks using <a href="https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-… Hub backdoors</a>, <a href="https://www.bleepingcomputer.com/news/security/tesla-internal-servers-in… open Kubernetes accounts</a>, and <a href="https://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/">unpatched Drupal web applications</a>. While attacks today are harnessing vast amounts of computational power to generate cryptocurrency revenue, it doesn’t take much imagination to envision future attacks targeting sensitive enterprise or customer data. </p>

<p>Security professionals need to rethink traditional vulnerability management and embrace new security methodologies to secure DevOps processes. We at Tenable believe a new security discipline, called <a href="https://www.tenable.com/cyber-exposure/critical-risk-metric">Cyber Exposure</a>, is required to cover the breadth of the modern attack surface (e.g., cloud services, mobile devices, IoT/OT assets) and provide a new depth of insight into vulnerability data for more accurate visibility and decision-making. Cyber Exposure will help security leaders incorporate new secure DevOps principles to better manage and measure cyber risk by providing:</p>

<ul><li><b>Continuous discovery and scanning</b>. Monthly or quarterly scans do not cut it in the DevOps world. Continuous software delivery means the environment is constantly changing, requiring continuous discovery and assessment of cyber risk. This should occur across the software development lifecycle—from development through operations—to provide full visibility. </li>
<li><b>Security integration into DevOps processes</b>. Security tests and controls need to be an integral part of the software development lifecycle and embedded into the development pipeline. Vulnerabilities, malware, and misconfigurations should be treated as any other type of software defect that diminishes code quality and should be remediated as early as possible in the development lifecycle.</li>
<li><b>Automation of security workflows</b>. To support the scale and speed of DevOps, security controls must be exposed programmatically with APIs into DevOps systems to take advantage of automation throughout the software development lifecycle. For example, instead of security teams manually assessing images during predefined security gates, security testing can be triggered automatically to assess all new builds as they are created.</li></ul></p>

<p>Tenable offers a variety of solutions to help you on your secure DevOps journey. <a href="https://www.tenable.com/solutions/cloud-security">Cloud connectors in Tenable.io</a> continuously track asset changes to ensure all cloud workloads are known and assessed for vulnerabilities. <a href="https://www.tenable.com/products/tenable-io/container-security">Tenable.io Container Security</a> plugs into continuous integration and continuous delivery (CI/CD) systems to remediate vulnerabilities and malware during development. <a href="https://www.tenable.com/blog/intro-to-the-tenable-io-api">Well-documented APIs in Tenable.io</a> allow you to automate security scans and integrate controls in your workflows. And earlier this month, <a href="https://www.tenable.com/press-releases/key-enhancements-to-tenable-cloud… announced</a> several new Tenable.io platform enhancements to support heterogeneous cloud platforms and enable security to be built into the entire software development lifecycle from build to production. </p>

<p>In fact, here’s how one Tenable customer is taking advantage of many of these secure DevOps capabilities today:</p>

<blockquote>“The Tenable.io AWS connector is the key to automating our DevSecOps pipeline. It allows us to gain real-time visibility into our cloud environment to track assets as they are spun up and down so that our other tools can be integrated into the pipeline in an automated fashion.” — Mick Kohler, Senior Manager, Cyber Security, Enterprise Security, Sysco</blockquote></i>

<p>Want to learn more about securing DevOps? The following resources will help you on your journey:</p>
<ul>
<li>Watch our on-demand webinar, <a href="https://www.tenable.com/webinars/panel-discussion-securing-devops-advice… DevOps, Advice from the Frontlines</a>, featuring three industry experts who have crossed the security-DevOps divide.</li>
<li>Visit our <a href="https://www.tenable.com/solutions/application-security">Application Security & DevOps solutions page</a>.</li>
<li>Read our article, <i><a href="https://www.tenable.com/whitepapers/information-security-in-the-devops-a… Security in the DevOps Age: Aligning Conflicting Imperatives</a></i>.</li>
<li>Try <a href="https://www.tenable.com/try-io">Tenable.io for free</a> for 60 days.</li></ul>