Software development within the federal government often begins with an alignment to the Authorizations to Operate (ATO) and related, required security processes. Sometimes, these are an impediment to DevSecOps. So how can teams implement sound DevSecOps into an environment with strict controls and processes?
Hasan Yasar works in Secure Lifecycle Solutions at the Software Engineering Institute at Carnegie Mellon University (@securelifecycle). His team is working on implementing Continuous Authorization as a more secure and DevSecOps-friendly process. He presented on this topic in Continuous Authorization With DevSecOps at the All Day DevOps conference.
Hasan began by making the case for DevOps, including covering four fundamental principles:
- Infrastructure as Code (IaC)
Implementing these well is the goal of DevOps. Continuous Authorization is another evolution in the process. Continuous Authorization “changes the perspective of authentication from an event to a process”, says Frank Dickson, a research director at IDC, a global market intelligence firm. Dynamic authentication examines attributes that change and continually looks to validate the authentication.
Continuous Authorization makes systems more secure because it:
- reduces errors during development;
- provides continuous feedback and monitoring;
- is always available;
- is repeatable;
- reduces time to deploy and resolve errors;
- and is responsive to business needs.
Continuous Authorization eliminates the error-prone human checking through the pages-long Excel spreadsheet of security requirements. It also continuously monitors the system to ensure compliance with the requirements.
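To make the point concrete, here is an added example (written for this post, not SEI's or Sonatype's tooling) of what replacing the spreadsheet with an automated check looks like: each security requirement becomes a small, machine-checkable control that a pipeline runs against the current system state on every build, and the pipeline gate opens only when every control passes. The control IDs, the requirements and the sample system state are all constructed for illustration; a real catalogue would map to the organisation's own controls and the state would come from IaC output or a deployed environment.

```python
"""Compliance-as-code sketch in the spirit of Continuous Authorization.
Illustrative code added for this post; control IDs (HYP-*), requirements
and SAMPLE_STATE are constructed and hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of a system's security-relevant configuration, as a
# pipeline might read it from IaC output or a live environment.
SAMPLE_STATE = {
    "tls": {"min_version": "1.2", "ciphers": ["TLS_AES_256_GCM_SHA384"]},
    "auth": {"mfa_required": False, "session_timeout_min": 15},
    "logging": {"central_forwarding": True, "retention_days": 365},
    "patching": {"max_age_days": 45},
}


@dataclass
class Control:
    control_id: str            # hypothetical ID, not a real catalogue entry
    description: str
    check: Callable[[dict], bool]


CONTROLS: List[Control] = [
    Control("HYP-TLS-1", "TLS 1.2 or newer only",
            lambda s: tuple(int(p) for p in s["tls"]["min_version"].split(".")) >= (1, 2)),
    Control("HYP-AUTH-1", "MFA required for interactive logins",
            lambda s: s["auth"]["mfa_required"] is True),
    Control("HYP-AUTH-2", "Sessions time out within 30 minutes",
            lambda s: s["auth"]["session_timeout_min"] <= 30),
    Control("HYP-LOG-1", "Logs forwarded to a central collector",
            lambda s: s["logging"]["central_forwarding"] is True),
    Control("HYP-LOG-2", "Log retention of at least 90 days",
            lambda s: s["logging"]["retention_days"] >= 90),
    Control("HYP-PATCH-1", "No component more than 30 days behind on patches",
            lambda s: s["patching"]["max_age_days"] <= 30),
]


def evaluate(state: dict, controls: List[Control] = CONTROLS) -> Dict[str, bool]:
    """Run every control against the state. A missing key or malformed value
    counts as a failure instead of raising, so a broken or incomplete
    configuration can never pass by accident."""
    results: Dict[str, bool] = {}
    for c in controls:
        try:
            results[c.control_id] = bool(c.check(state))
        except (KeyError, TypeError, ValueError, AttributeError):
            results[c.control_id] = False
    return results


def failed_controls(results: Dict[str, bool]) -> List[str]:
    """Sorted IDs of the controls that did not pass."""
    return sorted(cid for cid, ok in results.items() if not ok)


def authorization_gate(state: dict, controls: List[Control] = CONTROLS) -> bool:
    """Pipeline gate: True only when every control passes."""
    return not failed_controls(evaluate(state, controls))


if __name__ == "__main__":
    results = evaluate(SAMPLE_STATE)
    for c in CONTROLS:
        print(f"{'PASS' if results[c.control_id] else 'FAIL'} {c.control_id}: {c.description}")
    print("authorized" if authorization_gate(SAMPLE_STATE) else "blocked")
```

Run against the constructed state, the gate blocks on two findings (MFA disabled, patch age over the limit); the same check re-run on every commit and on a schedule against the deployed environment is the "continuous monitoring" half of the picture. Treating an unreadable or missing setting as a failure rather than an exception is deliberate: an authorization check that crashes, or that skips a control it cannot evaluate, is the automated equivalent of a blank row in the spreadsheet.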
Applying Continuous Authorization to DevOps
Applying Continuous Authorization begins with seeing the application lifecycle through the DevOps mindset. This includes security automation with IaC, Continuous Integration, and Continuous Deployment. Hasan illustrated how Continuous Authorization integrates at each step in a DevOps Factory.
The DevOps Factory runs from feature request to deployment. It is iterative and incremental development, includes automation in every phase, provides continuous feedback, metrics, and (Read more...)
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/continuous-authorization-with-devsecops