How to Navigate the Intersection of DevOps and Security

“In a DevOps culture all participants in the

software delivery lifecycle (not just development and operations) align around a shared goal: the rapid delivery of stable, high-quality software from concept to customer.”

—Brian Dawson, CloudBees1

| synopsys.com | 1

A brief history of Dev vs. OpsTraditionally, the software development process is split into two distinct phases and associated teams. The development team writes and compiles code, then releases it to the IT operations team. The operations team makes sure that the code runs and remains stable in production environments. A third group, IT security, tackles the job of making sure that no security issues exist before the software is deployed. The security team typically works closely with the operations team.

Each of these teams has different responsibilities, often with little communication between them. As development works to meet customer demands and adapt to the competitive landscape by bringing new products and features to market quickly, operations provides a stable and secure production environment, where it can run and deploy applications safely, providing reliable service for customers.

The functional responsibilities of development and operations often conflict with each other, creating misalignments between the two teams and leading to inefficiencies in pushing out new software: longer release cycles, reduced-quality software, internal mistrust, botched releases, and frustrated customers. Enter DevOps.

What is DevOps?DevOps is essentially an ideology. It combines cultural philosophies, technical practices, and tools to help development and IT operations teams work collaboratively to first build, then test, and finally release software faster and more reliably. Ultimately, the goal of DevOps is to enable organizations to serve their customers more effectively and increase their competitive edge.

Some organizations merge development and operations into one DevOps team, staffed with engineers who can work across the application life cycle, building out development, test, deployment, and operations skills. Quality assurance and security teams may also be integrated into the process and function throughout the application life cycle.

DevOps advocates automating manual processes and using tools that help teams improve and operate applications faster and more reliably. The effect is an organization with increased trust between groups, leading to faster software releases and the ability to solve critical issues quickly and manage unplanned work effectively.

“In the DevOps ideal, developers receive fast, constant feedback on their work, which enables them to quickly and independently implement, integrate, and validate their code, and have the code deployed into the production environment.”

—The DevOps Handbook2

| synopsys.com | 2

DevOps principles: The 3 WaysThe Three Ways3 are the principles all DevOps patterns are derived from. They describe the philosophies framing the processes, procedures, and practices of DevOps. Each way contributes to the entire concept of DevOps and includes prescriptive steps to help teams achieve DevOps in their organization.

The First Way

The First Way sends a rapid flow of work from development to operations, and on to delivery to the customer. To succeed, teams need to focus on four tasks:

• Make work visible. That is, find a way to visualize the work so you can see the problems and resolve them.

• Reduce both the batch sizes of the work (the requirements, code, and tests in each work item) and work intervals.

• Build quality into the process by preventing defects from being passed downstream.

• Keep optimizing for global goals.

The Second Way

The Second Way generates a quick and constant feedback loop from right (operations) to left (development) at all stages. Teams boost feedback to avoid duplicating problems and enable more rapid detection and therefore recovery, gaining the ability to learn and improve.

The Third Way

The Third Way creates a collaborative, high-trust work environment that supports a disciplined approach to taking risks and experimenting, thus facilitating organizational learning from both achievements and failures.

The last step to achieving DevOps is integrating security, change management, and compliance controls into the day-to-day jobs of development and operations teams. Doing so makes security a part of every role in the software development life cycle, instead of limiting that responsibility to the security team. Building automatic security controls into the DevOps processes and tools that development and operations teams already use can go a long way toward creating the fast, reciprocal flow of feedback necessary for a successful DevOps implementation.

Dev Ops Dev Ops Dev Ops

1. Flow 2. Feedback loops 3. Experimentation and learning

| synopsys.com | 3

Incorporating security earlier in the process creates shorter feedback loops and decreases complexity, allowing engineers to fix security or compliance issues faster and more easily.

When it came to information security and compliance, we found that blockages at the end of the project were much more expensive than at the beginning—and InfoSec blockages were among the worst.” —Justin Arbuckle, former chief architect at GE Capital 5

So what is DevSecOps?Dr. Tapabrata Pal, director and platform engineering technical fellow at Capital One, described the process of integrating security into all stages of the software development life cycle (SDLC) as DevOpsSec. Today we call it DevSecOps or secure DevOps. The practice of DevSecOps requires cultural and practical changes, including these:

Integrating security into defect tracking and postmortems

Track security issues in the same work tracking systems that your development and operations teams already use to ensure security visibility and prioritization. The most common tool is Jira, Atlassian’s issue and project tracking software. Then do a review after every security issue so you can prevent your team from repeating the same problems.

Integrating security controls into shared source code repositories and services

All teams should share a source code repository containing security-approved libraries that fulfill specific security objectives. This repository can also contain packages and builds approved for use in development (such as secure versions of OpenSSL with correct configurations), in addition to toolchains, the deployment pipeline, and standards. Teams typically use source code management tools, such as Git (GitHub, GitLab), Bitbucket, and Mercurial, as well as binary repositories, such as Artifactory and Nexus.

“One of the top objections to implementing DevOps principles and patterns has been, ‘Information

security and compliance won’t let us.’ And yet, DevOps may be one of the best ways to

better integrate information security into the daily work of everyone in the

technology value stream.” —The DevOps Handbook4

“

| synopsys.com | 4

Integrating security into your deployment pipeline

Automate as many security tests as possible, as much as possible, to run alongside other automated tests in your deployment pipeline. Automate these tests at every major commit of code by development or operations, even at very early stages. The goal is to provide short feedback loops so development and operations teams are notified of any potential security issues in code commits. This allows teams to detect and correct security problems quickly as a part of daily work instead of waiting until the end of the SDLC, when fixes are often complex, time-consuming, and expensive. The easiest way to achieve this step is using continuous integration tools, such as Jenkins, Travis, and TeamCity, and continuous delivery/deployment tools, including Jenkins, XebiaLabs, and GoCD.

Ensuring the security of the application

As you automate your tests, generate tests to run continuously in your deployment pipeline, instead of performing unit or functional tests manually. This step is critical for the QA team, who will want to include static and dynamic analysis (SAST and DAST), software composition analysis (SCA), interactive application security testing (IAST), container scanning, and more. Many of these testing processes can be part of a continuous integration (CI) or continuous delivery/deployment (CD) pipeline.

Ensuring the security of the software supply chain

Up to 90% of modern applications are constructed from open source components, making it a fundamental part of the software supply chain today. When using open source components and libraries, DevOps teams must consider that applications inherit both the functionality of open source code and any security vulnerabilities it contains. Detecting known vulnerabilities in open source helps developers choose which components and versions to use. Integrating vulnerability checking during the CI process or within the binary repository or IDE helps ensure the security of the software supply chain.

Only about half of CI/CD workflow implementations include any application security testing elements.”—451 Research 6

“

| synopsys.com | 5

What tools do I need to implement DevSecOps?Covering custom code

Static application security testing

Static application security testing (SAST) is a type of security testing that analyzes application source code, including byte code and binaries, for coding and design conditions that may indicate security vulnerabilities. SAST solutions analyze applications at the source code level—without executing code. SAST finds critical defects and security weaknesses in code so they can be fixed before release. It’s essential to integrate an automated SAST solution into the SDLC to continuously identify quality defects and potential security vulnerabilities as custom code is written. Superior tools

provide actionable and accurate remediation guidance to enable developers to address security problems early in the SDLC.

When selecting a static analysis tool, select one that provides deep, full path coverage, supports thousands of developers, and analyzes large projects exceeding 100 million lines of code. Look for a SAST tool that integrates with your key development tools and CI/CD systems to enable application security testing at DevOps speed, helping your organization get to market faster with reduced cost and risk.

Dynamic application security testing

Dynamic application security testing (DAST), sometimes called black box testing, is performed on an application while it is running. Most DAST tools test only exposed HTTP and HTML interfaces for web-enabled applications.

While DAST tools may be easier to run and use than SAST tools, they cannot pinpoint specific weaknesses in application code, leaving the task of finding and fixing the vulnerable code to the developer. Unlike SAST, DAST can be used only on a running application, limiting its use to later phases in the SDLC: testing, staging, and production.

Interactive application security testing

Interactive application security testing (IAST) analyzes running application behavior during the testing phase, working in the background during manual or automated functional or security tests. Unlike DAST, IAST solutions use code instrumentation to observe application behavior and dataflow, identifying vulnerabilities and providing developers with the information needed to pinpoint, prioritize, and remediate them. These capabilities make IAST a good solution for CI/CD environments, where speed and automation are a priority.

Covering third-party and open source code

Software composition analysis

Like SAST, software composition analysis (SCA) statically analyzes source code or binaries. SCA tools identify open source components in applications and any associated security vulnerabilities that have been reported against them. More often than not, SAST tools alone cannot identify these open source vulnerabilities, so it is important to incorporate SCA for a secure DevOps pipeline.

| synopsys.com | 6

Since open source can be pulled into code in many ways, powerful SCA solutions use multiple scanning methodologies to identify all the components (full or partial) and dependencies being called. Some tools provide remediation guidance for developers as well. Like SAST, SCA tools should integrate easily into your development toolkit, most commonly in a CI/CD system.

Container composition security

Container composition security gives your operations teams visibility into the open source components in use and any associated security vulnerabilities that exist in your container images—and those running in production. Select a solution that integrates directly into your container orchestration platforms so you can identify all images that contain disclosed open source vulnerabilities, flag container images that violate your security policies regarding open source, and perhaps most importantly, receive automated alerts when any newly discovered vulnerabilities may affect deployed container images in use in your cluster.

Automating and integrating

Continuous integration

Continuous integration (CI) essentially means that the development team merges changes into the main code branch as frequently as possible—sometimes multiple times per day. These merged changes are validated by creating a new build with the new code, then running automated tests against that build. These automated tools and tests help teams avoid the mess that results when developers wait until the day of release to merge changes into the release branch.

“While adoption of DevOps methodology and CI/CD technology is significant, not all teams within enterprise organizations are necessarily doing any of it. Of our survey respondents, 36% reported developer/administrator teams were focused on continuous integration. Another 35% of respondents stated teams focused on continuous delivery, and 35% also reported a DevOps focus, although DevOps was ranked lowest in most industries, including traditional retail, SaaS and healthcare.”

—451 Research7

| synopsys.com | 7

Continuous delivery

Continuous delivery (CD) allows teams to release new code changes to customers quickly and consistently. However, it also means that teams must have automated not only testing but also the release process. The benefits of continuous delivery are best realized when teams deploy to production in small batches, because it’s easier to troubleshoot when there are fewer changes to test and review.

Continuous deployment

Continuous deployment (also CD) takes continuous delivery even further, because each change that passes through all the stages and tests of the production pipeline is automatically released to customers, without intervention by a human. Continuous deployment speeds up the feedback loop with customers and allows developers to see their work in the live environment just minutes after they finish coding.

Training your team in the culture of DevSecOps

Quite simply, you can’t tell your development and operations teams that your organization is adopting DevOps and expect it to happen overnight. Creating alignment between members of your development, operations, and security teams is a process, and training is a key part of it.

High-profile breaches occur on a weekly (sometimes daily) basis, highlighting how important software security is, but your security and QA teams can’t resolve all security issues alone. Every employee in your development organization must take responsibility for security. The question is, how?

Security is a complicated topic, particularly software security. To be effective and engaging for your employees, software security training must deliver information relevant to their role or project. You don’t want the same type of security training for your developers as for QA engineers, architects, and so on.

According to the 2017 Verizon DBIR report, four in five companies never measure the success of their security training investments.8

| synopsys.com | 8

After your organization adopts and deploys security training tools, it’s essential to track whether your investment is providing a good return. When selecting an eLearning tool to help your employees get up to speed, look for one that includes gamification to motivate employees, modular courses that can be taken when time is available, hands-on exercises, peer-based discussions, training based on roles, and metrics on the impact of training. This will build your team’s security competency and help your organization achieve security compliance.

Bringing it all together for a successful DevSecOps cultureBalancing security and compliance with short delivery timelines isn’t easy. An effective way you can build protection into your platforms and pipelines is by automating as much as possible with industry-leading application security testing tools. Implement continuous delivery to secure your software delivery and enforce compliance policies, secure the production environment through your infrastructure, and build security into your DevOps feedback loops.

DevSecOps is a big undertaking, so start small. Empower your team by getting quick wins with simple changes in process, and then build on that momentum. Take advantage of the continuous integration, continuous delivery, and continuous deployment tools that your development and operations teams are already using. Integrate static application security testing early on to evaluate the proprietary code your team is writing. Get visibility into and control over your open source code using software composition analysis tools. Evaluate the security of your applications by testing their behavior using a range of tools, including dynamic application security testing, interactive application security testing, fuzzing, and pen testing. Finally, remember that education and cross-training go a long way toward helping your teams learn how to effectively build security into their DevOps process.

| synopsys.com | 9

1 Brian Dawson, What Is DevOps?, JAXenter, Oct. 20, 2016.

2 Gene Kim, Patrick Debois, John Willis, and Jez Humble, The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations, IT Revolution, 2016.

3 Gene Kim, Jez Humble, Patrick Debois, and John Willis, The Phoenix Project: A Novel About IT, DevOps, & Helping Your Business Win, IT Revolution, 2013.

4 Kim, Humble, et al., “The DevOps Handbook.”

5 Ibid.

6 451 Research, DevSecOps Realities and Opportunities, 2018.

7 Ibid.

8 Verizon, 2017 Data Breach Investigations Report, 2017.

References

Welcome to DevSecOps—we’re here to help you achieve it at every stage of your journey.

b

uild

code

deploy operate

test monitor

plan

relea

seDev Ops

©2020 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at http://www.synopsys.com/copyright.html . All other names mentioned herein are trademarks or registered trademarks of their respective owners.04/13/20.EB_HowtoNavigate_2020.

The Synopsys differenceSynopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recognized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development life cycle.

For more information go to www.synopsys.com/software .

Synopsys, Inc. 185 Berry Street, Suite 6500 San Francisco, CA 94107 USA

U.S. Sales: 800.873.8193 International Sales: +1 415.321.5237 Email: sig-info@synopsys.com

Explore how Synopsys can help you build security into your DevOps SDLC.

Learn more