Industry talking to customers What's this? DevOps requires a fresh approach to security Published: June 13th, 2018 By: Glenn Weir Michael Ball is a nationally recognized CISO who writes widely on security issues.DevOps originated from the need/desire to break down the silos between development and quality control. The need to be more agile, to continuously produce and deliver code in a quick, iterative approach, while maintaining quality. The developers became accountable for the quality of code that went into production. When practiced properly, agile development is an efficient approach that allows for constant upgrades and feature releases, while maintaining code quality. However, security has still remained a tack-on afterthought.Enter DevSecOps With the ongoing drive to virtualization over the past couple of years (Infrastructure as a Service, Software as a Service, etc.), the industry has realized that security controls can be described and applied in code. It’s not a stretch then to assume that we could integrate that “security policy” code into our development practice.In the eBook CyberArk: 6 Principles for DevOps Security at Scale, we learn how to build security policy into the regular DevOps cycle. This book walks us through the following six guiding principles to ensure that security is baked into the Software Development Life Cycle (SDLC).Guiding Principle 1: Instantiate Security Policy as Code CyberArk Conjur uses a human-readable markup language that enables controlled and repeatable security policy adherence as your infrastructure scales – “security policy as code.” Also, gone are the days of hard coding credentials in a script, as Conjur provides for variables to be piped in during execution.Guiding Principle 2: Instill Separation of Duties Separation or segregation of duties is essentially a control that enforces proper change management and quality control to reduce the potential for human-error or fraud. The person or team that writes the code cannot haphazardly promote it into production. Most government or large enterprise policy mandates this as a practice today.Rather than have security get in the way of rapid development, the interaction is defined and automated in a security policy. Developers create the security policy that declares what privileges their application or service requires. Security staff then review and approve the security policy, and operators make sure the application’s deployment goes as expected.Guiding Principle 3: Focus on Flow and Velocity Advanced workflow scheduling and management tools allow teams to visualize workflows, identify bottlenecks and eliminate inefficiencies. By incorporating security into these analyses, DevOps teams can detect and address security issues early on.Guiding Principle 4: Treat Security as a First-Class Citizen By instituting strong security systems and following good security hygiene practices throughout the application lifecycle, development teams can reduce vulnerabilities, improve their security posture and mitigate risks.Guiding Principle 5: Automate DevOps Security Effective DevOps teams use automation to accelerate application lifecycle management and remove latency. They should take a similar approach to security, leveraging automation to improve their security posture while avoiding barriers to application development and delivery.CyberArk Conjur has teamed up with automation technologies like Ansible, Puppet, and Jenkins to ensure security policy is native to the automation process.Guiding Principle 6: Embrace New Technologies Traditional approaches for security (designed to protect legacy IT environments) often aren’t well suited for today’s dynamic environments. Forward-looking security teams embrace new security technologies and models while leveraging the policies and lessons learned from more traditional environments.