We live in a fast-paced world. Consumers, now more than ever, want innovation to happen every day, and companies must keep up with their consumer’s needs. In the early 2010s, to drive innovation, a new way of deploying software was needed. A way that bridged the huge gap that existed between development and operations. A way that had the ability to unite two opposing views: on one side product and development, eager to place their work in front of consumers; and on the other side, operations thriving from keeping systems stable and avoiding change at all costs.
From said need, DevOps was born and for a while it was good. Product was flowing, automation was happening, and the systems were stable. Everybody was happy, everybody except security. You see, around the same time, when more software was flowing through the delivery pipelines, security breaches started to happen more frequently. It became obvious that traditional security verification like pen testing, which is time and resource-consuming, no longer worked in this world of hundreds of changes a day.
However necessary, continuous security is as much a necessity as it is a mindset. Companies and managers need to get into that mindset before they can see the benefits of continuous security. For me personally, it came down like an avalanche when the systems I worked and maintained got hacked by a malicious agent, and all our data was made available on the internet. It taught me a valuable lesson and completely changed my view regarding security.
What is continuous security?
Continuous security is the inclusion of security concerns and security testing as part of the continuous delivery pipeline. Most modern deployment pipelines already include some sort of automation that tests (unit, integration, end to end testing), packages (compilation, bundling), deploys to infrastructure (Kubernetes, bare metal), and validates software after it’s deployed (monitoring, alerting). Applying the same DevOps principles of automation, security is integrated as part of de deployment pipelines in the shape of automated testing and deployment of monitoring services, typically using existing threat models as the baseline to define what to test and what to monitor.
Why is it important?
Modern systems are complex. There are many moving parts in every application, app, web, IoT, dozens of microservices, and countless infrastructure layers all of them in a permanent state of change. With many factors in place, the security risks are greater than ever, systems are exposed to an ever-increasing number of vulnerabilities that can lead to data breaches and consequently loss of revenue and market trust. In the same way, it was important to introduce continuous integration and continuous delivery to speed up innovation, continuous security is crucial to ensure that innovation doesn’t come at the cost of losing everything.
How does it work?
Continuous security should be tightly coupled with the 10 fundamental security principles:
- Assign the least privilege possible – Limit privileges to the minimum for the context. Broad privileges allow for malicious or accidental access to protected resources. As part of the security pipelines, we should validate that each resource only has access to the bare minimum needed to operate.
- Separate responsibilities – Separate and compartmentalize responsibilities and privileges to limit the impact of successful attacks, and make attacks less attractive by testing not only that an intruder cannot get in but also what can be achieved once it’s in.
- Trust cautiously – Assume unknown entities are untrusted, have a clear process to establish trust, and validate that trust during your deployment pipeline.
- Simplest solutions possible – Actively design for simplicity, avoid complex failure models, implicit behavior, and unnecessary features. Security requires an understanding of the design and complexity is rarely understood. Simpler solutions require less testing.
- Audit sensitive events – Record all security significant events in a tamper-resistant store, provide a monitoring point and ensure that your logging mechanisms are tested as part of your deployment pipeline.
- Fail securely & use secure defaults – Force changes to security-sensitive parameters. Think through failures, to be secure but recoverable. Default passwords, ports & rules are “open doors”. Failure and restart states often default to “insecure”. Make sure that changing defaults is automated and validated by your pipelines.
- Never rely upon obscurity – Assume attackers have perfect knowledge of your system, this forces secure system design. Hiding things is difficult. Someone is going to find them, accidentally if not on purpose. Using known standards opens a broader range of security audit automation.
- Implement defense in depth – Don’t rely on a single point of security, secure every level, stop failures at one level propagating. Systems do get attacked, breaches do happen, and mistakes are made. Every layer should have its own security automation based on its own threat model.
- Never invent security technology – Don’t create your own security technology, always use a proven component. Security technology is difficult to create and avoiding vulnerabilities is difficult which makes it harder to test.
- Find the weakest link – Find the weakest link in the security chain and strengthen it. Update your threat models and security automation when doing so.
In conclusion, continuous security works by taking the fundamental principles of “security by design” and applying them to your continuous integration/continuous delivery pipelines via test automation, alerting, and monitoring. It’s a long and sometimes hard path but one that reaps many benefits.
What are the benefits?
There are many benefits to having continuous security integrated into your pipelines. Amongst them reducing the risk of a data breach by having a continuous validation of your threat models; lowering the cost and speed of delivery by reducing the amount of resource-intensive manual testing, like pen testing; Increased scalability, availability, and resilience introduced by all the extra monitoring and alerting added to all the system components and by the immutable logs.
In a world where customers demand constant innovation, the introduction of DevOps practices created the perfect environment for software development to grow. It allowed companies to deliver more, better-tested software. Similar techniques can be used to make our systems more secure. It’s continuous security. It’s DevSecOps.
Article written by Cláudio Pinto, Engineering Manager at Skyscanner