
When DevOps as a Service Meets Security

DevOps is one of the latest IT methodologies to be offered ‘as a Service’. With DevOps as a Service (DaaS), all tasks related to selecting, managing and maintaining DevOps tools and infrastructure, policies and processes are handled centrally, much of it automated, by a specialist team and provided – as a service – to all the development teams across the organization.

The benefits of DaaS are obvious. Individual development teams no longer need to spend considerable time deploying and configuring the tools they need to run their DevOps pipelines. Expertise in the different DevOps tools and underlying infrastructure is no longer required – it’s all pre-selected with the relevant tools and technologies automatically deployed for each development team. This allows developers to focus their time on developing products rather than managing the ‘plumbing’ of their DevOps pipelines.

There are also clear business and operational benefits of having a standardized and streamlined process for implementing DevOps across the organization. It supports enterprise governance and enables central oversight and visibility into development workloads and productivity, which leads to accountability and ultimately optimized business processes. And there are resource efficiencies as well as cost savings stemming from standardizing on a select set of DevOps tools for the organization.

But where does that leave DevSecOps, which is rapidly gaining traction to preemptively address the catastrophic cybersecurity threats within DevOps processes?

DevSecOps integrates application security (AppSec) tools and processes within DevOps pipelines to enable developers to find and fix critical vulnerabilities within the software development life cycle (SDLC), not separate from it. It enables developers to produce more secure applications right out of the gate and thus proactively prevent the last-minute deployment delays that occur when the security team identifies critical vulnerabilities late in the game, as well as many of the security problems that create breaches in production. DevSecOps aims to make application security testing as seamless and transparent as possible for developers, removing the friction points that traditionally exist between the development and security teams.

By its very nature DevSecOps is inherently suited to the ‘as a service’ delivery model. Like DevOps, AppSec encompasses many tools, processes and policies – all of which require subject matter expertise, as well as time and resources, to select, deploy and maintain them within DevOps pipelines and drive DevSecOps. So, the Security and Development staff who work to implement and manage DevSecOps would benefit greatly if it were centrally defined and managed by a specialist team and delivered ‘as a service’ in collaboration with the team managing DaaS.

Beyond the resource and cost savings achieved (similar to DaaS), standardizing the AppSec program through a DevSecOps as a Service offering would ensure that the security policy is applied uniformly across all DevOps processes. This will allow companies to consistently produce more secure and better-quality applications and consistently support application security compliance requirements. It would also provide the foundation for acquiring a holistic and homogeneous enterprise-wide view of AppSec that is critical for assessing and managing application – and indeed business – risk across the organization.

Turning DevSecOps as a Service into Reality with ZeroNorth

The ZeroNorth DevSecOps platform turns DevOps as a Service into DevSecOps as a Service. ZeroNorth can function as a central management platform for DevSecOps through which the Security staff can centrally manage all the organization’s AppSec tools of choice (SCA, SAST, DAST, network and container scanners etc.) and embed them within DevOps pipelines, as a service to development teams. The tools can be scheduled to scan application code for vulnerabilities at the relevant stages in the SDLC, based on pre-defined policies. All this is transparent to the developers yet works seamlessly with their specific DevOps pipelines and processes.

ZeroNorth also ingests, aggregates, normalizes and compresses the vulnerability findings generated by the tools to streamline the data and surface the critical vulnerabilities that will actually create risk in production. Through the platform, the security team can then create detailed remediation tickets for those vulnerabilities within the development team’s defect tracking system, thus providing a closed-loop remediation process to developers. With ZeroNorth, developers no longer need to spend valuable time trying to triage a problem and figure out if it’s a priority to fix. All this is done for them, behind the scenes, as a service. All developers need to do is fix the critical vulnerabilities assigned to them while they are still working with the code, when it’s far easier (and cheaper) and less frustrating to do so.

Beyond the automation and orchestration of AppSec tools within DevOps pipelines, the ZeroNorth DevSecOps platform can generate an accurate and comprehensive view of application security across the organization – at the enterprise level and down to the individual DevOps pipelines that are taking advantage of the service. This in turn allows the leadership team, business unit leaders and product owners to make informed decisions – and enforce governance controls – related to the security, risk and compliance of applications that run the business, making DevSecOps a key business process.

DevSecOps as a Service Supports the White House in Fighting Cybercrime

The recent White House Executive Order on cybersecurity highlights the software supply chain, especially open source code, as a key security risk vector and thus a priority to address. Therefore, the Executive Order is now requiring vendors to create a bill of materials (BoM) for applications used by the Federal government, including the open source code used within these applications.

Utilizing automation, the DevSecOps as a Service team would be able to generate such a BoM, and through ZeroNorth they can report on the security of all application components – whether they have been scanned, what vulnerabilities have been found – and track remediation progress. Without a clear picture of application components and their security status, identifying the source of a problem – especially a security vulnerability – becomes a huge challenge with significant business and security ramifications.

And if, for example, it was found that a specific open source library (or indeed any application component) had not been scanned, the DevSecOps as a Service team can simply and quickly create a policy in ZeroNorth to find all occurrences of that code and scan it automatically – all behind the scenes and transparent to developers.
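The two mechanics described above, normalizing and de-duplicating findings from several AppSec tools so only the risk-relevant ones are ticketed, and checking a bill of materials for components that were never scanned, are illustrated by the following added example. It is not ZeroNorth's code and does not use the ZeroNorth API; the scanner record shapes, the minimal SBOM, the scan log and the severity thresholds are all constructed here for illustration.

```python
"""Added example (not ZeroNorth's code): normalize findings from two
scanner formats into one schema, collapse duplicates, rank what is
actionable, and list SBOM components that have no scan record.
Every input below is constructed for illustration."""
from collections import Counter

# Constructed SAST output (hypothetical tool-specific shape, not real scanner output).
SAST_FINDINGS = [
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "sev": "HIGH"},
    {"rule": "sql-injection", "file": "app/db.py", "line": 42, "sev": "HIGH"},  # repeated on re-scan
    {"rule": "hardcoded-secret", "file": "app/cfg.py", "line": 7, "sev": "MEDIUM"},
]
# Constructed SCA output; advisory id and CVSS score are placeholders.
SCA_FINDINGS = [
    {"package": "left-pad", "version": "1.0.0", "advisory": "ADV-EXAMPLE-1", "cvss": 9.1},
    {"package": "left-pad", "version": "1.0.0", "advisory": "ADV-EXAMPLE-1", "cvss": 9.1},  # repeated on re-scan
]

# Constructed minimal SBOM (name/version only) and the pipeline's record of
# what has actually been scanned, keyed as "name@version".
SBOM_COMPONENTS = [
    {"name": "app", "version": "1.2.0"},
    {"name": "left-pad", "version": "1.0.0"},
    {"name": "lodash", "version": "4.17.21"},
]
SCANNED = {"app@1.2.0", "left-pad@1.0.0"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def cvss_to_severity(score):
    """Map a CVSS base score onto the qualitative scale the SAST tool uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "info"


def normalize_sast(finding):
    return {
        "tool": "sast",
        "id": finding["rule"],
        "location": f"{finding['file']}:{finding['line']}",
        "severity": finding["sev"].lower(),
    }


def normalize_sca(finding):
    return {
        "tool": "sca",
        "id": finding["advisory"],
        "location": f"{finding['package']}@{finding['version']}",
        "severity": cvss_to_severity(finding["cvss"]),
    }


def normalize_all(sast, sca):
    """Flatten every tool's output into the shared schema."""
    return [normalize_sast(f) for f in sast] + [normalize_sca(f) for f in sca]


def deduplicate(findings):
    """Collapse repeats of the same (tool, id, location); keep an occurrence count."""
    counts = Counter((f["tool"], f["id"], f["location"]) for f in findings)
    unique = {}
    for f in findings:
        key = (f["tool"], f["id"], f["location"])
        if key not in unique:
            unique[key] = dict(f, occurrences=counts[key])
    return list(unique.values())


def prioritize(findings, minimum="high"):
    """Keep findings at or above the threshold, most severe first (stable sort)."""
    floor = SEVERITY_RANK[minimum]
    kept = [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]
    return sorted(kept, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def coverage_gaps(sbom, scanned):
    """SBOM components with no scan record: the ones a scan policy must pick up."""
    return [
        f"{c['name']}@{c['version']}"
        for c in sbom
        if f"{c['name']}@{c['version']}" not in scanned
    ]


def triage_report():
    """What would be handed to developers: actionable items plus coverage gaps."""
    unique = deduplicate(normalize_all(SAST_FINDINGS, SCA_FINDINGS))
    return {
        "unique_findings": len(unique),
        "actionable": prioritize(unique),
        "unscanned_components": coverage_gaps(SBOM_COMPONENTS, SCANNED),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report(), indent=2))
```

The de-duplication key is (tool, id, location) rather than the raw record, so a finding reported on every pipeline run becomes one ticket with an occurrence count instead of a new ticket each time; the coverage check is deliberately independent of the findings, because a component with zero findings and a component that was never scanned look identical in a findings list alone.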

Organizations today are struggling with the sheer volume of security tools – which ones are right for their specific security and business needs, how to manage them all, and how to make them all work together. Providing a central service that delivers the tools and manages them, especially tools as complex as DevOps and AppSec tools, will significantly simplify the IT landscape and bring clarity that is sorely missing. Utilizing ZeroNorth to deliver DevSecOps as a Service will help organizations deliver more secure applications, faster than ever before.

*** This is a Security Bloggers Network syndicated blog from ZeroNorth authored by Joanne Godfrey. Read the original post at: https://www.zeronorth.io/blog/when-devops-as-a-service-meets-security/