Your DevSecOps Toolchain: 6 Steps to Integrate Security Into DevOps

A DevOps toolchain includes open-source and commercial tools to aid in the delivery, development, and management of applications through the software delivery process using DevOps practices.

DevSecOps builds on top of your existing toolchain. If your organization is fast-forwarding straight to DevSecOps, think of it as a few more steps to securing your toolchain. 

Moving to DevSecOps: The Key Challenges

Moving to DevSecOps is becoming critical across industry and government to defend against new and emerging attack vectors. However, complexities, nuances, and challenges remain. Gartner’s “Integrating Security Into the DevSecOps Toolchain” report highlights some of the challenges enterprises face as they move to DevOps:

• DevOps adoption is increasing as an alternative to traditional waterfall and agile development methodologies, but security and compliance typically remain afterthoughts.
• DevOps practices encourage automation to achieve scale, but security has traditionally been manual, process-heavy and gate-driven — the antithesis of automation, transparency and speed.
• Most developers have no knowledge of secure coding, including those versed in agile and DevOps.
• Traditional application security testing approaches weren’t designed for speed and transparency. Users now demand new features and updates to all their applications, not just the ones they download from their mobile device’s app store.
• For some applications in specific industries, new versions need to be government re-certified after every production update, making rapid change an issue. Gartner cites the example of pharmaceutical manufacturers may need to have the FDA re-certify their production environment after certain kinds of software updates.

DevSecOps Toolchain Transformation

Here are some actions you can take to upgrade your DevOps toolchain into a DevSecOps toolchain:

1. Learn From Others in the DevOps and DevSecOps Communities

One of the great joys of the DevOps and DevSecOps communities is the fact that practitioners will share their knowledge and experience with open source and commercial DevOps and DevSecOps tools. Look to the DevOps community to help close your critical knowledge gaps.

Sites such as Opensource.com and DevOps.com cover a range of toolchain topics throughout the year. DevOps-related conferences are even easier to attend during the pandemic. All Day DevOps is an all-virtual conference that draws in a range of practitioners with coverage over many of the pressing toolchain challenges teams are facing right now. Local DevOps and DevSecOps meetups are another useful learning resource.

2. Start With Your Container Security

The first step to building out the security of your DevOps toolchain starts with your container security. Here are two foundational elements of any DevSecOps container security strategy:

• Software bill of materials (SBOM) generator that generates a comprehensive bill of materials so you can track dependencies in your project or discover hidden files in somebody else’s project
• Vulnerability scanner to generate a list of known vulnerabilities quickly that exist within a container image or project directory

There’s a natural split in container security shaping up in the market right now. On one side, you want a container security solution that works in your build environment. A security solution that you can run via automation when you create a build. Look for a container security solution that’s application programming interface (API) friendly with a vendor or open-source software (OSS) project that has a solid track record with API management.

3. Institute Continuous Compliance

DevSecOps is a platform for continuous compliance to protect your software supply chains against vulnerable packages and vulnerable configurations. While you may have made some initial moves to dependency scanning, it will not help you (or your compliance) if your infrastructure policies leave your AWS S3 buckets wide open.

Increasingly, container image scanning tools are doing double duty as compliance scanning to check for configuration issues during the development cycle before the non-compliant container enters production. Whether your team works on commercial or federal government projects, there are infrastructure security controls to follow, such as CIS Benchmarks or Secure Technical Implementation Guides (STIGs).

When choosing an image scanning tool, look for one that offers security control profiles that compare profiles versus the controls in the compliance matrices your organization needs to comply with.

4. Double Down on Automation

While you may have already been experimenting with automation during your DevOps phase, it only becomes more integral once you throw the switch in by going DevSecOps. Go into your DevOps to DevSecOps transformation with an automation strategy that focuses on automating common developer and sysadmin tasks.

Here are some common automation steps to take:

• Automate orchestration for containers and virtualized environments. 
• Enhance application inventory by generating a software bill of materials (SBOM) automatically
• Automate cloud security features and controls that make sense
• Automate security tests that you can run in conjunction with automated regression testing tasks. 

Taking these common automation steps will pay off in time savings, improved agility, and security improvements.

5. Improve Your Monitoring and Analytics

Building out a DevSecOps toolchain takes your monitoring and analytics options to a new level. Consider the fact that you should already collect and publish data from your toolchain and deliver reports to your project managers, developers, QA testers, and stakeholders outside your team. Commonly, DevOps reporting is still a work in progress for organizations. Use the introduction of new security tools into your toolchain as a chance to offer more granular and real-time security reporting into all parts of your DevSecOps toolchain.

6. Implement Accessibility Assurance

Depending on your organization’s definition of compliance, the option is there to add accessibility compliance or Section 508 to your DevSecOps toolchain. Accessibility compliance means your commercial application is universally inclusive of all users. Section 508 compliance is a requirement for all federal agency applications before they launch. Remediating accessibility issues in production can be costly for businesses. Federal agencies want to resolve their compliance issues in development to pass their 508 compliance check. Both scenarios benefit from continuous feedback on application changes you meet in production.

While adding tools such as Pa11y and Google Lighthouse to your DevSecOps toolchain will not make your developers accessibility experts by any means but they will alert them if the application they’re building isn’t in compliance. While your accessibility experts are working on accessibility policy and law concerns, your developers can enter tickets into your project tracking software to alert them to issues that require further investigation and remediation.

Final Thoughts

Whether you’re starting with DevOps toolchains, the ones you already have in place and that your teams are already familiar with, or making the leap, there are security options you can integrate into most stages of your build process. Take what steps you can to ensure that your developers and security team collaborate during the build-out of security tools. It’s also a good time to get any input from your auditors about the tools and processes for impartial analysis, this important step in your DevSecOps journey.

Lastly, don’t be afraid to iterate from the lessons you learn after turning on your additional security and compliance checks.