Tightening Security in the Production Process by Shifting Left

Check out how developer teams can more effectively implement devsecops models.

May 4, 2023

While more enterprises are recognizing the importance of putting security at the early stages of the development cycle, how can developer teams adopt these models on already complex cloud-native management platforms such as Kubernetes? Deepak Goel, CTO at D2iQ, explores the logic behind DevSecOps and how SMBs can better integrate security into every part of their production process.

Securing an environment traditionally means putting security measures such as firewalls in place. However, attacks such as the SolarWinds breach in 2020 and the increasing threats to the software supply chain showed that attackers have become more deliberate and are striking earlier in the software development lifecycle.

The growing need for a secure software development lifecycle has prompted a discussion around the concept of “shift left.” Security has been at the right end of the development cycle for decades, and software development has been mostly linearly planned. As cloud-native applications evolve and users demand real-time and 24/7 software services, this linear approach of scheduling security and testing at the end of the development cycle can create significant development, operational, and cost implications.

As a result, more than securing the periphery is required. Organizations have to take a wider view and focus on security from the beginning of the development lifecycle, starting when the first line of code is written and running throughout the entire process to when applications are running in production. 

Security should be considered an infrastructure element, just like networking and storage. However, unlike networking and storage, where a lapse means downtime of applications and attendant losses, a breach in security can result in the loss of sensitive information that can be much more costly and, in many cases, irretrievable.

Take a Holistic View of Security

Enterprise security covers many aspects, including securing corporate assets, equipment, tools, documents, and other internal information. As organizations undergo digital transformation, they rely on software to deliver the agility, performance, and scalability benefits they seek. But what does it take to securely run a software application in a production environment?

If an enterprise is looking to improve its security posture, it needs to invest heavily in its processes, people, and products. Improvements in just one of these areas might not improve the overall security posture, and shortcomings can lead to an overall software security risk, which is why these investments should go hand in hand. 

For example, if security teams cannot communicate effectively and collaborate with development and operations teams, it will only be a matter of time before attackers can discover security vulnerabilities.


Business Agility Through Kubernetes 

Modern applications are based on cloud-native technology and microservice architecture. Containers have become the default way to package microservices because they provide consistency, portability, and repeatability. As more organizations move to cloud-native applications, Kubernetes has become the de facto container orchestrator, making deploying, discovering, and scaling these microservices easy.

Kubernetes and containers provide much-needed business agility in shipping new code to production. However, they also make environments harder to secure. Kubernetes uses familiar concepts such as authentication and authorization (authN and authZ), certificates, and encryption. At the same time, it introduces new concepts such as deployments, pods, ingress, namespaces, role-based access control, service accounts, secrets, network policies, resource limits, and quotas, each of which presents a steep learning curve not only for developers and operations teams but also for security teams.


The Pros and Cons of DevSecOps

Kubernetes breaks down the boundaries between DevOps and security teams and has encouraged the concept of DevSecOps, further driving the trend of security shift left. DevSecOps can optimize the DevOps practice and reduce software development cycles to weeks or even days, thus meeting the diverse needs of enterprises and users. 

Many organizations are discovering the challenges of adopting DevSecOps when trying to secure their Kubernetes environment in production. DevSecOps and the concept of shift left require more security knowledge from developers, who also need to manage design, development, architecture, infrastructure, and testing. The additional security duties can put more pressure on DevOps teams already under pressure in dealing with Kubernetes issues.

A Realistic Approach to Adopting DevSecOps and Shift-Left Practices  

Requiring developers who already face the challenges above to also be security experts is, in most instances, an unrealistic expectation. An organization's best option is to adopt tools and technologies that are secure by default and to have security experts on the platform team who understand the security structure, build guardrails, and apply security best practices to that platform.
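One concrete form such a guardrail can take is a manifest check that the platform team runs in CI before a workload reaches the cluster. The following is an added example, not code from the article or from D2iQ; the two Deployment manifests are constructed for illustration, and the checks cover the pod-level settings the article lists (privileged containers, resource limits, host networking, image pinning).

```python
"""Minimal manifest guardrail: flags common Kubernetes pod-spec weaknesses."""
import json

# Constructed example: a Deployment shipped without any security review.
WEAK_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "demo", "namespace": "default"},
 "spec": {"template": {"spec": {
   "hostNetwork": true,
   "containers": [{"name": "app", "image": "example.com/app:latest",
                   "securityContext": {"privileged": true}}]}}}}
""")

# Constructed example: the same workload after the platform team's guardrails.
HARDENED_DEPLOYMENT = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "demo", "namespace": "team-a"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "app", "image": "example.com/app@sha256:0123abcd",
                   "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                   "securityContext": {"runAsNonRoot": true, "privileged": false,
                                       "allowPrivilegeEscalation": false}}]}}}}
""")

def pod_spec(manifest):
    """Pod spec of a bare Pod or of a templated workload such as a Deployment."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def check_manifest(manifest):
    """Return guardrail findings; an empty list means the manifest passes."""
    findings = []
    spec = pod_spec(manifest)
    if spec.get("hostNetwork"):
        findings.append("hostNetwork shares the node's network namespace")
    for c in spec.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits")
    return findings
```

Wiring `check_manifest` into a pipeline step that fails the build on any finding gives developers immediate feedback without requiring them to know every Kubernetes security setting themselves.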

In addition, organizations can start focusing on the Software Bill of Materials (SBOM). Like an ingredients list, an SBOM enumerates the open-source and third-party components in the code base, helping teams better understand the relationship between individual projects and specific code in the development cycle.

SBOM also contains component license information, which can help companies understand license and regulation information, making it easier to automate compliance checks. Detailed software documentation also improves the efficiency of code reviews by developers and security teams, reducing the burden on developers.
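The automated compliance check described above can be as simple as walking the SBOM's component list and comparing declared licenses against a policy. This is an added example, not code from the article or from D2iQ; the SBOM is a constructed CycloneDX-style document, the package names other than `requests` are fictional, and the denied-license set is a hypothetical policy.

```python
"""Walk a CycloneDX-style SBOM and flag components whose license needs review."""
import json

# Constructed sample SBOM in CycloneDX JSON shape, trimmed to the fields used here.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"component": {"name": "demo-service", "version": "1.2.0"}},
 "components": [
   {"type": "library", "name": "requests", "version": "2.31.0",
    "purl": "pkg:pypi/requests@2.31.0",
    "licenses": [{"license": {"id": "Apache-2.0"}}]},
   {"type": "library", "name": "example-gpl-parser", "version": "0.9",
    "purl": "pkg:pypi/example-gpl-parser@0.9",
    "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
   {"type": "library", "name": "example-unlicensed", "version": "0.0.1",
    "purl": "pkg:pypi/example-unlicensed@0.0.1"}
 ]}
""")

# Hypothetical policy: licenses this organization will not ship in a proprietary service.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def component_licenses(component):
    """SPDX ids (or free-text names/expressions) declared for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or entry.get("expression"))
    return [i for i in ids if i]

def license_report(sbom, denied=DENIED_LICENSES):
    """Sort components into denied, unknown (nothing declared) and allowed."""
    report = {"denied": [], "unknown": [], "allowed": []}
    for comp in sbom.get("components", []):
        ref = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        ids = component_licenses(comp)
        if not ids:
            report["unknown"].append(ref)
        elif any(i in denied for i in ids):
            report["denied"].append(ref)
        else:
            report["allowed"].append(ref)
    return report

def compliance_gate(sbom, denied=DENIED_LICENSES):
    """CI gate: pass only when nothing is denied and nothing is undeclared."""
    rep = license_report(sbom, denied)
    return not rep["denied"] and not rep["unknown"]
```

Treating an undeclared license as a failure, rather than silently allowing it, is what turns the SBOM from documentation into an enforceable control.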

Security Mastery Step by Step

Security doesn’t have to be all or nothing. It’s often a journey that slowly increases an organization’s security posture as its platform team gains the confidence to run a secure production environment. The journey can start with securing access and network traffic from outside a cluster (north-south traffic), then securing access and network traffic from inside the cluster (east-west traffic), followed by applying security best practices. 

The team can then focus on achieving security compliance, building a zero-trust architecture, and improving supply chain security. Each phase will require training, including learning how to deploy and manage Kubernetes. Success will depend largely on how quickly a team can achieve these capabilities. However, breaking the process down and proceeding in this way will enable organizations to move steadily toward achieving better application security.


Deepak Goel
Deepak Goel is the Chief Technology Officer at D2iQ. Deepak has over fifteen years of experience in the tech industry, with a focus on engineering management and software development.