Last week, we released a model on DevOps and the transformation that happens in these four key areas:
- Treating our systems and infrastructure as code, from how we version it to how we build it.
- Changing our engineering culture to orient around the total delivery and usage experience.
- Creating feedback loops in your runtime environment that inform all parts of your engineering team.
- Favoring faster delivery cadence and a reduction in change volume.
Let's explore what this means when we add security to the mix—we will be using the word rugged as a way to introduce security into DevOps. This is not a way to create a new type of DevOps, but to describe the functional ways we change our approach as we grow. It’s still DevOps; we are just applying a rugged filter to help call out specific new practices.
For this article, we are focusing solely on Infrastructure as Code.
Infrastructure as Code
Previously, we noted that when thinking of Infrastructure as Code, there are specific areas that we need to consider:
- Version controlled artifacts that describe the system and all its components.
- Configuration management of the system in running state.
- Testing is a first order priority with Test-Driven Development (TDD) and integration testing as common practices.
- Facilitating distributed computing and scaling.
- Understanding your Software Supply Chain.
A Rugged DevOps Approach
Each of the above areas changes when adding in a rugged approach. Let’s explore them one by one.
Version Controlled Artifacts
This brings in core functions of auditability and change control. Gene Kim wrote an exceptional book on Security and Operations back in 2004—knowing what you have and being able to control change flow is critical to security. With operations moving into version control (just like development), the security team now has a foothold and view into the entire system. This encourages change control (e.g. alerting on changes to the auth system) and auditability that was never available before.
Configuration Management
Most configuration management has built-in functionality to run in audit mode. This allows you to verify, on a daily basis, that your system hasn’t drifted out of compliance. When auditing with a configuration management tool like Chef, there is an increased desire to affirm that systems are hardened to CIS standards. Again, this is a huge advantage because you can get daily reports of runtime drift out of compliance or, even more importantly, of new exposure and vulnerabilities.
Testing
We see that testing changes when we add Rugged to DevOps. Moving your security testing into the pipeline to happen closer to code commit is becoming the de facto standard. Using tooling like Gauntlt or Mittn, you are able to specify the security standards you expect all software to meet. For example, “our website should not fail a scan for XSS” or “when not logged in, you should not be able to access certain resources.”
Distributed Computing and Scaling
In the modern world, we often find ourselves running our systems on third-party providers like AWS, Azure, or Rackspace. Running in these cloud providers changes how we think about security incidents and lateral movement.
Attackers are less likely to gain footholds by pivoting across your systems through network segments; instead they will attack your provider configuration and seek to open holes there. Taking an approach to monitor your system for changes at the provider level is crucial. Evident.io and ThreatStack are two companies working toward this end.
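The provider-level change monitoring described above (and the daily drift reporting from the configuration management section) as an added example, not code from the original article or from any product it mentions: a baseline-versus-current diff of firewall ingress rules that reports every change and escalates only rules newly opened to the whole internet. The group names, rule fields and CIDRs are constructed sample data, not real provider output.

```python
# Added example (not from the original article): compare a baseline snapshot of
# cloud firewall rules with the current one and flag drift. Both snapshots are
# constructed, provider-neutral dicts; they are not real provider API output.

BASELINE = {
    "sg-web": [
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 22, "cidr": "10.0.0.0/8"},
    ],
    "sg-db": [
        {"proto": "tcp", "port": 5432, "cidr": "10.0.1.0/24"},
    ],
}

CURRENT_STATE = {
    "sg-web": [
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "port": 22, "cidr": "0.0.0.0/0"},  # SSH now world-reachable
    ],
    "sg-db": [
        {"proto": "tcp", "port": 5432, "cidr": "10.0.1.0/24"},
        {"proto": "tcp", "port": 3306, "cidr": "10.0.0.0/8"},  # new, but internal only
    ],
}

WORLD = ("0.0.0.0/0", "::/0")  # CIDRs that expose a port to the whole internet


def rule_key(rule):
    return (rule["proto"], rule["port"], rule["cidr"])


def diff_ingress(baseline, current):
    """Return (group, change, proto, port, cidr, severity) for each added/removed rule."""
    findings = []
    for group in sorted(set(baseline) | set(current)):
        before = {rule_key(r) for r in baseline.get(group, [])}
        after = {rule_key(r) for r in current.get(group, [])}
        for proto, port, cidr in sorted(after - before):
            severity = "high" if cidr in WORLD else "info"  # world-open = page someone
            findings.append((group, "added", proto, port, cidr, severity))
        for proto, port, cidr in sorted(before - after):
            findings.append((group, "removed", proto, port, cidr, "info"))
    return findings


# The subset worth alerting on: ingress newly opened to the internet.
def alerts(findings):
    return [f for f in findings if f[5] == "high"]


if __name__ == "__main__":
    for group, change, proto, port, cidr, sev in diff_ingress(BASELINE, CURRENT_STATE):
        print(f"{group}: {change} {proto}/{port} from {cidr} [{sev}]")
```

Run daily against the snapshot your provider's API returns, this is the same "audit mode" idea applied one layer down from the hosts themselves.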
Software Supply Chain
Unfortunately, the software we build inherits vulnerabilities from all the code we didn’t write. Knowing what code we are shipping, through a Bill of Materials (Software BOM), is an important engineering task. Additionally, having automated ways of determining vulnerabilities in our inherited code, using a solution like Sonatype, can be immensely helpful.
We have seen that the modern approach to Infrastructure as Code brings new challenges and new opportunities. As we overlay a Rugged approach, there are several ways security can provide new value.
At Signal Sciences we are building the industry’s first Next Generation Web Application Firewall (NGWAF). Our NGWAF was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.