Did you know that 60% of breaches involved vulnerabilities for which a patch was available but not applied? This is where DevSecOps comes in. DevSecOps is a philosophy that integrates security practices within the DevOps process. This blog will explore the concept of DevSecOps, its evolution, and its importance in today’s tech landscape.
DevSecOps emerged from the need to address security issues in a fast-paced, continuous integration and delivery environment. It started as a set of best practices and has evolved into a necessary strategy for organizations that want to stay ahead in the current digital landscape. Over time, DevSecOps has become more sophisticated, with automated tools and advanced strategies.
The problem DevSecOps addresses is the gap between fast development and secure development. In today’s world, where cyber threats are increasingly sophisticated, this problem is more relevant than ever.
DevSecOps is about integrating security into every part of the development process. It involves practices like “security as code”, “infrastructure as code”, and continuous monitoring. A key aspect of this is the scanning of Docker images and performing tests for vulnerabilities.
Docker images are scanned as part of the CI/CD pipeline to detect vulnerabilities early in the development process. This is done using tools like Clair, Anchore, Snyk or Docker Bench. These tools can scan Docker images and identify known vulnerabilities in the application and its dependencies.
In addition to scanning Docker images, automated security tests are performed. These tests can include static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST). These tests help to identify security issues in the code, in running applications, and in interactions with applications.
By integrating these practices into the DevOps pipeline, DevSecOps ensures that security is considered at every stage of development, rather than being an afterthought.
Companies like Netflix and Amazon have successfully implemented DevSecOps. They’ve seen benefits like improved security posture, faster time to market, and better compliance.
Now that I’ve shared what DevSecOps is and some of its benefits, I’d like to demonstrate how to easily add security scans to your CI/CD pipelines using a security scan tool called Snyk.
version: 2.1
orbs:
  snyk: snyk/snyk@0.0.8
jobs:
  build_test:
    docker:
      - image: circleci/python:3.7.4
    steps:
      - checkout
      - run:
          name: Install Python Dependencies
          command: |
            # make pip's --user install location visible to later steps
            echo 'export PATH=$PATH:~/.local/bin' >> $BASH_ENV && source $BASH_ENV
            pip install --user -r requirements.txt
      # scans requirements.txt against Snyk's vulnerability database and fails the job on a match
      - snyk/scan
      - run:
          name: Run Unit Tests
          command: |
            pytest
  build_push_image:
    docker:
      - im
The job build_test is where the DevSecOps action happens within the pipeline. The step - snyk/scan calls the scan command from the Snyk orb. It reads the requirements.txt file and compares that list of packages against the Snyk vulnerability database, looking for any matches. If there is a match, Snyk flags it and fails this segment of the pipeline. The goal is to alert teams to security issues as early as possible so that they can be mitigated quickly and the CI/CD process can continue securely.
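To show what a dependency-scanning step like the one above actually does, here is an added example written for this post; it is my own illustration, not the pipeline configuration shown earlier and not Snyk's code. It parses a pinned requirements.txt, matches each pin against a small constructed advisory list (the ADV-EXAMPLE ids are hypothetical, not real advisories), and returns a non-zero exit status whenever a match is found, which is what fails the pipeline stage. The requirements content, the advisory data and the "affected if below the first fixed version" rule are all assumptions made for the demonstration; a real scanner uses its own database and far richer version matching, and the same matching idea applies to the package lists a Docker image scanner extracts from an image.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input standing in for the repository's requirements.txt.
SAMPLE_REQUIREMENTS = """\
# application dependencies (constructed for this example)
flask==1.0.2
requests==2.19.1   # pinned for reproducible builds
pyyaml==5.4
"""

# Constructed advisory data (hypothetical ids, not real advisories):
# package -> list of (first fixed version, advisory id). A pin is affected
# when its version is strictly lower than the first fixed version.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "requests": [("2.20.0", "ADV-EXAMPLE-0001")],
    "pyyaml": [("5.4", "ADV-EXAMPLE-0002")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read exact pins (name==x.y.z) from requirements.txt content.

    Comments and blank lines are skipped. Anything that is not an exact pin is
    rejected, because a gate cannot reason about a version it does not know.
    """
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)", line)
        if match is None:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        name = match.group(1).lower().replace("_", "-")  # normalise package names
        pins[name] = match.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str],
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (package, pinned version, advisory id) for every affected pin."""
    hits: List[Tuple[str, str, str]] = []
    for name, version in pins.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                hits.append((name, version, advisory_id))
    return hits


def scan(text: str, advisories=SAMPLE_ADVISORIES) -> int:
    """Exit status for the CI step: 0 clean, 1 vulnerable pins found, 2 unreadable input."""
    try:
        pins = parse_requirements(text)
    except ValueError as err:
        print(f"ERROR {err}")
        return 2  # fail closed: an unreadable manifest must not pass the gate
    hits = find_vulnerable(pins, advisories)
    for name, version, advisory_id in hits:
        print(f"FAIL {name}=={version} is affected by {advisory_id}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(scan(SAMPLE_REQUIREMENTS))
```

Run as a script it exits with status 1 because requests 2.19.1 is below the constructed fix version, while pyyaml 5.4 sits exactly on its fix version and passes; that boundary is the kind of detail a CI gate has to get right. Returning a distinct status for an unparsable manifest keeps the step from silently passing when someone adds an unpinned dependency.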
Despite its benefits, implementing DevSecOps is not without challenges. It requires a cultural shift, investment in new tools, and training.
The future of DevSecOps looks promising, with advancements in automation and AI. These trends could lead to even more efficient and secure development practices.
In conclusion, DevSecOps represents a significant shift in the way organizations approach security in the development process. It’s not just a set of practices, but a culture change.
Tools such as image scanners and registries can provide governance to projects and detect vulnerabilities. However, reducing risk from misconfigurations (such as when your containers run with root privileges) and runtime incidents requires processes and best practices that implement DevSecOps across the full application life cycle.
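The misconfiguration named above, a container that runs as root, is something a pipeline can check for before an image is ever pushed. The following is an added example I wrote for this post, not code from any of the tools mentioned: it reads a Dockerfile, tracks the USER instruction through multi-stage builds (only the final stage reaches the runtime image), and reports a finding when the final stage has no USER or names root. The two Dockerfiles are constructed for the demonstration, and the check deliberately treats an unset USER as root, which is the default for common base images such as python:3.7-slim.

```python
from typing import List, Optional

# Constructed Dockerfile for the demonstration: it never sets a USER, so the
# container process inherits the base image default (root for python:3.7-slim).
DOCKERFILE_ROOT = """\
FROM python:3.7-slim
COPY . /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed multi-stage build: USER is set in the final stage, the one that runs.
DOCKERFILE_NONROOT = """\
FROM python:3.7-slim AS build
COPY requirements.txt .
RUN pip install --user -r requirements.txt

FROM python:3.7-slim
RUN useradd --create-home app
COPY --from=build /root/.local /home/app/.local
COPY . /home/app
USER app
CMD ["python", "/home/app/main.py"]
"""


def final_stage_user(dockerfile: str) -> Optional[str]:
    """Return the user named by the last USER instruction of the final build stage.

    Each FROM starts a new stage, and only the last stage's settings reach the
    runtime image, so USER lines in earlier stages are deliberately discarded.
    None means no USER was set, i.e. the base image default applies.
    """
    user: Optional[str] = None
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instruction, _, args = line.partition(" ")
        instruction = instruction.upper()
        if instruction == "FROM":
            user = None
        elif instruction == "USER":
            user = args.strip().split(":", 1)[0]  # drop an optional ':group' suffix
    return user


def runs_as_root(dockerfile: str) -> bool:
    """Conservative: an unset USER is treated as root, since most base images default to it."""
    user = final_stage_user(dockerfile)
    return user is None or user in ("root", "0")


def check_dockerfile(dockerfile: str) -> List[str]:
    """Policy findings for the Dockerfile; an empty list means the check passed."""
    findings: List[str] = []
    if runs_as_root(dockerfile):
        findings.append("final stage runs as root; add a non-root USER before CMD/ENTRYPOINT")
    return findings


if __name__ == "__main__":
    for label, content in (("root", DOCKERFILE_ROOT), ("nonroot", DOCKERFILE_NONROOT)):
        print(label, check_dockerfile(content) or ["ok"])
```

A check like this belongs in the same pipeline stage as the image scan: the scanner catches known vulnerabilities in what the image contains, while this catches how the image is configured to run, and neither finds what the other does. It is intentionally simple; a production linter would also handle line continuations and numeric UIDs mapped in the base image.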