
DevSecOps Automation

Published 03/03/2022


Getting to market faster requires top-down, customer-first prioritization

Written by Adam Kerns, Managing Principal, Cloud Engineering, Coalfire.

This blog is based on Coalfire’s Securealities report, Smartest Path to DevSecOps Transformation.

Automation is on everyone's path to DevSecOps transformation

Conventional wisdom in most management structures held that security was, at best, little more than an annual check-the-box requirement and, at worst, an expensive roadblock to productivity and organizational goals. But as outlined in our Securealities report, Smartest Path to DevSecOps Transformation, Coalfire’s Cloud Advisory Board argues that the continuous stream of software integrations and deployments into the cloud requires continuous, automated security assurance.

This layer of application security orchestration and correlation (ASOC) between development, compliance, and testing has become mission-critical to the inevitable shift-left evolution toward truly secure product development. Today’s hyper-scale cloud environments, dispersed operations, and security-vigilant customers demand that organizations fully operationalize DevSecOps tooling that correlates, discovers, and de-duplicates disparate testing results; validates and prioritizes vulnerabilities; and manages remediation.

The decentralized, software-defined network and application environment is our new playing field for automated solutions and managed services.

“Managing risk in the move to the cloud is, frankly, more important right now than managing costs, and any organization that wants to move to the cloud to save money has the wrong idea.” – Matt Sharp, CISO, Logicworks, Coalfire Cloud Advisory Board

Automation Priorities

We’re seeing fast adoption of distributed, immutable, containerized, and serverless environments, which accelerates the shift of security left into the development process.

From the report, key takeaways for security teams include:

  • Align and work closely with customers to understand how automation best supports their needs.
  • Prioritize automation from the top down to instill organizational willpower for securing the software development lifecycle (SDLC).
  • Expand automation use cases.

Vital to a resilient DevSecOps program is the ability to give both development and operations teams timely feedback as code is written, so they can detect and remediate security issues as part of their daily routines. A holistic development approach uses technology and automation to complement the organization’s own security practices; every enterprise is different, and it’s never “one size fits all” anymore. Consider the following shift-left security integration use cases in your cloud-native development:

The DevSecOps Lifecycle

  • Plan
  • Develop
  • Build
  • Test
  • Release
  • Deploy
  • Operate
  • Monitor

Goals of continuous planning and development:
  • Embed security perspectives (from the start) into product design and configuration management processes.
  • Identify risks and threats.
  • Develop and maintain repositories for known technical assets, including application code, Infrastructure-as-Code (IaC), Amazon Machine Images (AMIs), reference architectures, etc.
  • Automatically identify misconfigurations and vulnerabilities within development workstreams.
  • Receive (near) real-time alerting when security and functional inspections fail.

Goals of CI/CD builds and testing:
  • Create a software bill of materials (SBOM) for each source code branch.
  • Manage and inventory dependencies.
  • Harden AMIs/VMs (virtual machines) and containers to established security baselines.
  • Collect governance artifacts and automate traceability.
  • Identify and remediate misconfigurations and vulnerabilities in lower (pre-production) runtime environments.
  • Identify and remediate environment availability concerns.

Goals of continuous release and deployment:
  • Reduce downtime and interruptions to production system availability.
  • Perform security configuration checks for cloud-native services.
  • Validate and ensure that secrets are adequately secured.
  • Perform checks against serverless functions to reduce attack vectors and security weaknesses.

Goals of continuous operations and monitoring:
  • Apply controls that segment inter-workload/container communications and access.
  • Auto-scale the environment based on customer demands and workload requirements.
  • Implement effective patch and vulnerability management strategies.
  • Identify and detect anomalous activities.
  • Apply controls that support incident response activities.
  • Collect governance artifacts and automate traceability.
  • Continuously monitor system health and performance.
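To make the build/test and release goals above concrete, here is an added example of a minimal CI security gate. It is illustration written for this page, not code from Coalfire, CSA, or the report: it parses a CycloneDX SBOM for a branch, enforces a dependency minimum-version policy, flags hard-coded secrets in source, and flags two common cloud misconfigurations in a Terraform-style plan, then fails the build if anything is found. The SBOM, policy, source snippet, plan, and the package names and versions are all constructed for the example; the minimum versions are hypothetical policy values, not real advisories, and the AWS key ID is the placeholder from AWS documentation.

```python
"""Added example (not the page's or Coalfire's code): a minimal CI security gate.

All inputs below are constructed for illustration. The policy versions are
hypothetical, not real advisories; the key ID is AWS's documentation example.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM for one branch (hypothetical components).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.19.0",
         "purl": "pkg:pypi/requests@2.19.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.8",
         "purl": "pkg:pypi/urllib3@1.26.8"},
    ],
})

# Hypothetical dependency policy: package -> minimum acceptable version.
MIN_VERSIONS = {"requests": "2.20.0", "urllib3": "1.26.5"}

# Constructed application source containing credentials that must not ship.
SOURCE = ('DB_URL = "postgres://app:S3cretPassw0rd@db/app"\n'
          'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n')

# Constructed Terraform-style plan: one public bucket, one SSH rule open to all.
PLAN = {"resources": [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read"},
    {"type": "aws_security_group_rule", "name": "ssh", "from_port": 22,
     "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
]}


def parse_version(v):
    """'1.26.8' -> (1, 26, 8); non-numeric parts (dev/rc tags) are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def sbom_components(sbom_json):
    """Return {name: version} from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def check_dependencies(components, min_versions):
    """Flag every inventoried component that is below its policy minimum."""
    return [f"dependency {n}@{v} below policy minimum {min_versions[n]}"
            for n, v in components.items()
            if n in min_versions
            and parse_version(v) < parse_version(min_versions[n])]


# Patterns for the kinds of secrets that most often leak into repositories.
SECRET_PATTERNS = {
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password in url": re.compile(r"://[^\s:/@]+:[^\s@]+@"),
}


def check_secrets(text):
    """Report each source line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pat in SECRET_PATTERNS.items():
            if pat.search(line):
                findings.append(f"line {lineno}: possible {label}")
    return findings


def check_iac(plan):
    """Flag public bucket ACLs and SSH (port 22) reachable from 0.0.0.0/0."""
    findings = []
    for r in plan.get("resources", []):
        if r["type"] == "aws_s3_bucket" and r.get("acl", "private").startswith("public"):
            findings.append(f"{r['type']}.{r['name']}: public ACL {r['acl']}")
        if (r["type"] == "aws_security_group_rule"
                and "0.0.0.0/0" in r.get("cidr_blocks", [])
                and r.get("from_port", 0) <= 22 <= r.get("to_port", 0)):
            findings.append(f"{r['type']}.{r['name']}: SSH open to the internet")
    return findings


def run_gate(sbom_json, min_versions, source, plan):
    """Run every check; the build may proceed only if no findings remain."""
    comps = sbom_components(sbom_json)
    findings = (check_dependencies(comps, min_versions)
                + check_secrets(source) + check_iac(plan))
    return {"passed": not findings, "findings": findings}


if __name__ == "__main__":
    result = run_gate(SBOM_JSON, MIN_VERSIONS, SOURCE, PLAN)
    for f in result["findings"]:
        print("FAIL:", f)
    raise SystemExit(0 if result["passed"] else 1)
```

On the constructed inputs the gate reports four findings (the outdated requests version, the database password in a URL, the AWS key ID, the public bucket, and the open SSH rule are all caught; urllib3 satisfies the policy) and exits non-zero, which is the signal a pipeline uses to block the merge and raise the near real-time alert called for above. In a real pipeline the SBOM would come from a generator such as Syft or CycloneDX tooling, the policy from a vulnerability feed, and the plan from `terraform show -json`; the gate logic stays the same.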

Go Where the Puck’s Going

Developers and security teams are automating cybersecurity. CISOs are driving this automation transformation through cultural shifts between security, DevOps teams, and the C-suite. For years to come, these trends will enable new ways to do business, with far-reaching impacts from the boardroom to customer relationships.

Annual compliance checks, audit teams, and physical offensive testing may never go away, but in the cloud, regulatory frameworks, attack surfaces, and product development are converging in perpetual motion. Automation has become a competitive differentiator. Leave it alone, make it a low priority, or procrastinate, and you’ll be left behind.

Get started by aligning CISOs and CXOs, teaching and sharing knowledge from the top, looking at what’s ahead, and examining the full spectrum of decision points. With top-down buy-in and a focus on the right priorities, we’ll reach our automation destination.
