1. Adopt a DevSecOps Model
To achieve security in DevOps pipelines, it is essential to adopt a full DevSecOps model. Cross-functional collaboration is critical to integrating security across the DevOps lifecycle. This requires a culture in which everyone is responsible for security.
In a DevSecOps environment, security teams help educate developers about secure coding practices, while developers educate security teams in coding practices and details of the technology stack. Security teams should be able to write code and interact with APIs, and developers should be able to automate security tasks. This helps break down the traditional divide between developers and security professionals.
2. Leverage Penetration Testing and Automated Security Testing
Penetration testing is an authorized attempt to exploit vulnerabilities in an organization's infrastructure, to determine if malicious activity is possible and provide steps for preventing it.
As organizations transition to a DevSecOps model, they should run penetration tests of their development environments to identify the main security gaps. Because manual penetration tests can slow down the development process, they are mainly valuable at early stages of the DevSecOps transition.
To fully integrate security into the development process, automated security testing is required to detect defects, vulnerabilities, data breaches and vulnerabilities as they are introduced into development pipelines. These tests should be run as often as possible, providing developers with immediate feedback about security flaws and remediation instructions.
3. Establish Security Policies
Security policies and governance are critical to consistently managing security risks in enterprise environments. You should establish a set of clear and understandable policies and procedures for access control, configuration management, code reviews, vulnerability testing, and security tools. Developers, operations, and security teams should all align behind these policies and ensure they are implemented across the SDLC.
4. Automate Everything
Many security processes can be automated. This is important to scale and accelerate security operations to keep pace with DevOps processes.
Configuration management, code analysis, vulnerability discovery and remediation, and privileged access management all require automation. Otherwise, it is difficult to identify security flaws early without slowing down the pipeline. Automation also saves time, freeing developers and security teams to focus on more important tasks.
5. Use Vulnerability Management
Deploy a system that can scan, evaluate, and fix vulnerabilities throughout the SDLC and ensure that code is secure prior to deployment. Vulnerabilities don’t end there—in testing, staging, and production environments, operations and security teams must continue to run tests to identify vulnerabilities.
Because resources are often immutable (they do not change once running in the environment), vulnerabilities are passed back to development teams, who create a new version of the code, container image, or script and re-deploy it to the environment.
6. Privileged Access Management
Monitoring and controlling access is critical to the security of the DevOps stack itself. Privileged access should be strictly controlled to reduce the potential for supply chain attacks.
For example, you should never use “super user” accounts and be careful to restrict developer and tester access to the specific areas they work on. Provide “just in time” access to mission critical systems, then revoke it. Ensure that your privileged credentials are securely stored, and monitor privileged sessions to check for suspicious activity.