How Secure is Your DevOps Infrastructure?

DevSecOps

Your business might already enjoy the benefits of a DevOps strategy – but has it evolved its approach to security?

Everyone knows that DevOps is about breaking down the silos between engineering and operations teams to shorten feedback loop and achieve continuous software delivery. With a DevOps mindset, one can expect benefits such as increased deployment speed, reduced complexity and a more stable operating environment.

However, security is often overlooked in many DevOps environments – which can result in drawn-out security compliance activities and late-stage discovery of vulnerabilities. Instead, your team could use a DevSecOps approach.

In a DevSecOps environment, security is moved out of a siloed audit process and integrated throughout the CI/CD (Continuous Integration/Continuous Deployment) Pipeline as a range of layered security practices. Security is traditionally an audit process that’s bolted onto the end. Discovery of deep, architectural-level security flaws could result in your team having to go back to the drawing board – creating months of duplicate work.

By ‘shifting left’ (moving security into the planning and development stage) and subjecting each release to a battery of automated security tests and defined checks that are built into the continuous integration pipeline, you can avoid duplicate work.

How does your security model change with DevSecOps?

DevSecOps is a mindset shift towards assuming that your infrastructure has already been breached. Traditional security strategies tended to focus on preventing breaches. While this remains an important concern, a DevSecOps strategy also assumes that you’ve been breached.

In an interview with Software Engineering Daily, Edward Thomson – the principal program manager for Azure DevOps at Microsoft – explained that phishing attacks remain a common vulnerability for DevOps teams.

As Edward Thomson says, ‘It’s scarily easy to get a password via phishing… You’ve got to assume that someone using your account isn’t you, but a bad actor’… ‘It [phishing]’s probably the no.1 [attack] vector that we’re seeing’.

How does assuming a breach change an organization’s security policies?

Containerization is at the core of a DevSecOps approach to security strategy.

If you assume that a bad actor could access any developer or ops account by using a phishing attack, then certain security policies will make logical sense:

  • Keep credentials safe.
  • Limit access to data and contain the level of access that any individual has.
  • Assume that breaches can and will happen.
  • Assume that passwords are not particularly meaningful.
  • Add multiple layers of authentication, including 2FA.
  • Information that’s more privileged needs more containment.

‘For our customer data, it’s crazy-difficult to actually gain access to any server that has customer data on it. An ops team might be able to turn a server on and off – but our data is encrypted at rest. So, even logging in, they wouldn’t be able to see any data’.

Which cloud hosting model is the best choice for a DevSecOps mobile app testing environment?

Your business can choose from a range of hosting models for its device farm and mobile app testing environment, depending on your testing needs and security demands.

Public Cloud

Using a public device cloud may have become a trend for millions of companies. The advantage is that it’s really easy to implement and maintain, but its level of security has become a major concern and roadblock for enterprises to approve the adoption.

Private Cloud

A private cloud service gives enterprise-grade security that every organization ever wants. It offers dedicated networks, hardware and infrastructure that are maintained and hosted by the mobile testing infrastructure vendor.

Private cloud solutions can achieve levels of security that are close to an on-premise solution. Costs for private cloud solutions are typically subscription-based and easily predictable (unlike on-premise hosting) – which can help with your business planning.

  • Virtual Private Cloud – Simply put, the private cloud setup runs on clients’ Virtual Private Cloud (VPC) instances like Amazon VPC, Google Cloud, Microsoft Azure and IBM Cloud while all the hardware and devices are still maintained by the mobile testing vendor like Bitbar.
  • This solution allows clients’ team to further define particular rules and policies for communicating with external resources, which will meet the needs from your IT Security team and add the benefits of using a scalable cloud-based mobile app testing infrastructure.

On-Premise

On-Premise hosting solutions can achieve literally the highest levels of security as the entire infrastructure is installed on the client’s premise. Though it requires a full-time, in-house team to manage and maintain the infrastructure, organizations from Banking or Pharmaceutical industry will favor such a deployment for mobile app development and testing with rigorous security requirements. Read more about our enterprise solutions.

How can your Chief Security Officer assist a transition to DevSecOps?

If your business is looking to integrate security into its DevOps environment, how can your CSO (Chief Security Officer) or VP for Security assist the transition?

Edward Thomson says, ‘The role of a CSO when you’re in a DevOps transformation is to identify the amount of many risks you’re comfortable with and make sure that you are finding ways to mitigate that risk quickly…. Or at least [finding ways] to mitigate security problems quickly. Because the faster you can mitigate security problems, the less risk you really have.’

Edward pitches two questions that your business should ask:

‘In the event that an attacker accesses a user account in your network by using a phishing attack…’

  • How quickly can you identify the attack?
  • Have you given that account the least amount of privilege as possible (EG allowing no access to production data)?

Being able to respond quickly and compartmentalize data will build confidence in your system.

A CSO should have good reasons to feel confident that as the DevOps team increases velocity and productivity and starts to ship and deploy faster, the business is still not taking on a huge amount of risk – and that any risk is relatively contained. And that’s where Bitbar Private Cloud (VPC) fits best.

Has your business integrated security into its DevOps environment?

Are there any other tools that you recommend plugging into a continuous integration pipeline?

How do you compartmentalize your team’s data?


Manifesto: Everything about Mobile DevOps

Learn how to properly adopt DevOps approach for your mobile team and get the most out of it.

Download