What is DevSecOps?

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

DevOps is not just about development and operations teams. If you want to take full advantage of the agility and responsiveness of a DevOps approach, IT security must play an integrated role throughout the full lifecycle of your applications.

Why? In the past, the role of security was isolated to a specific team that acted in the final stage of development. That was manageable when development cycles lasted months or even years, but it no longer works. Effective DevOps delivers rapid and frequent development cycles (sometimes weeks or days), and a security review bolted on at the end becomes the bottleneck that undoes even the most efficient DevOps initiative.

Now, in the collaborative framework of DevOps, security is a shared responsibility that has to be integrated from end to end. That is an important enough idea that it gave rise to the term "DevSecOps", to emphasize the need to build a security foundation into DevOps initiatives.

DevSecOps means thinking about application and infrastructure security from the start, and automating some security gates so that the DevOps workflow does not slow down. Selecting the right tools to continuously integrate security helps meet these goals. However, effective DevOps security requires more than new tools: it builds on the cultural changes of DevOps to integrate the work of the security team sooner rather than later.

DevOps security is built in

Whether you call it "DevOps" or "DevSecOps", it has always been ideal to include security as an integral part of the entire application lifecycle. DevSecOps is about built-in security, not security that functions as a perimeter around applications and data. If security remains at the end of the development pipeline, organizations adopting DevOps will find themselves back with the long development cycles they were trying to avoid in the first place.

In part, DevSecOps highlights the need to invite security teams at the outset of a DevOps initiative to set up a plan for security automation. It also underscores the need to help developers code with security in mind, a process that involves security teams sharing visibility, feedback, and insights on known threats. This may include new security training for developers, since secure coding has not always been a focus in more traditional application development.

So what does built-in security look like in practice? For starters, a good DevSecOps strategy determines risk tolerance and conducts a risk/benefit analysis. How many security controls are necessary in a given application? How important is speed to market for different applications? Automating repetitive tasks is key to DevSecOps, because running manual security checks in the pipeline is time-consuming.
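As an added example (not code from the original article or from Red Hat), here is what an automated security gate with an explicit risk tolerance can look like: a small Python policy check run over a container image scan report in the CI pipeline. The report shape is a constructed, simplified version of the JSON that scanners such as Trivy emit, the vulnerability IDs are placeholders rather than real CVEs, and the policy keys (fail_on, fixed_only, exceptions with an expiry date) are hypothetical names chosen for this example.

```python
"""Added example: a CI security gate that applies an explicit risk tolerance
to a container image scan report.

Assumptions (not from the article): SAMPLE_REPORT is a constructed, simplified
version of the JSON that scanners such as Trivy emit; the vulnerability IDs are
placeholders, not real CVEs; the policy keys are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date

# Severity ordering used to compare findings against the policy threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan report (placeholder IDs and package names).
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.internal/shop/api:1.4.2",
    "Results": [{
        "Target": "registry.example.internal/shop/api:1.4.2 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libother",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libthird",
             "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "HIGH"},
            {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "libfourth",
             "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "MEDIUM"},
        ],
    }],
}

# Hypothetical risk-tolerance policy: block on HIGH and above, only when a fix
# exists, and honour time-boxed accepted-risk exceptions.
SAMPLE_POLICY = {
    "fail_on": "HIGH",
    "fixed_only": True,
    "exceptions": {
        "EXAMPLE-0003": "2030-01-01",  # accepted risk, still valid on TODAY
        "EXAMPLE-0001": "2020-01-01",  # waiver that has already expired
    },
}
TODAY = date(2025, 6, 1)
LATER = date(2031, 1, 1)  # after every exception above has expired


@dataclass
class Verdict:
    passed: bool = True
    blocking: list = field(default_factory=list)  # findings that fail the pipeline
    waived: list = field(default_factory=list)    # covered by an unexpired exception
    deferred: list = field(default_factory=list)  # below threshold, or no fix available yet


def evaluate(report: dict, policy: dict, today: date) -> Verdict:
    """Classify every finding in the report according to the policy."""
    threshold = SEVERITY_RANK[policy["fail_on"].upper()]
    exceptions = policy.get("exceptions", {})
    verdict = Verdict()
    for result in report.get("Results", []):
        # Scanners omit or null the list when an image layer has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            entry = f"{vid} {vuln['PkgName']} {vuln['InstalledVersion']} ({vuln['Severity']})"
            severe = SEVERITY_RANK.get(vuln["Severity"].upper(), 0) >= threshold
            fixable = bool(vuln.get("FixedVersion"))
            if not severe or (policy.get("fixed_only") and not fixable):
                verdict.deferred.append(entry)
                continue
            expiry = exceptions.get(vid)
            if expiry and date.fromisoformat(expiry) >= today:
                verdict.waived.append(entry)
                continue
            verdict.blocking.append(entry)
    verdict.passed = not verdict.blocking
    return verdict


def run_sample(today: date = TODAY) -> Verdict:
    """Evaluate the constructed report against the sample policy."""
    return evaluate(SAMPLE_REPORT, SAMPLE_POLICY, today)


if __name__ == "__main__":
    import sys
    v = run_sample()
    for label, items in (("BLOCKING", v.blocking), ("WAIVED", v.waived), ("DEFERRED", v.deferred)):
        for item in items:
            print(f"{label:9} {item}")
    sys.exit(0 if v.passed else 1)
```

Encoding the tolerance as data rather than as a human judgement made at release time is what keeps the gate from becoming the bottleneck described above: the time-boxed exceptions let a team ship while a fix is scheduled, and once an exception expires the same finding fails the build again instead of lingering as accepted risk forever.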

DevOps security is automated

Organizations should step back and consider the whole picture: adopt short, frequent development cycles; build security in to minimize operational downtime; take up innovative technologies such as containers and microservices; and, at the same time, encourage traditionally siloed teams to collaborate, which is a daunting task for any enterprise. All of these initiatives concern people and require collaboration across the organization; automation, however, is what makes these changes in the way people work achievable within a DevSecOps framework.

So what should an enterprise automate, and how? Red Hat provides written guidelines to help answer these questions. Organizations should step back and consider the entire development and operations environment. This includes: source control repositories; container registries; the continuous integration and continuous deployment (CI/CD) pipeline; application programming interface (API) management; orchestration and release automation; and operational management and monitoring.

New automation technologies have helped organizations adopt more agile development practices, and they have also played a part in advancing new security measures. But automation is not the only change in the IT landscape of recent years. Cloud-native technologies such as containers and microservices are now a major part of most DevOps initiatives, and DevOps security practices must adapt to them.

DevOps security is built for containers and microservices

The greater scale and more dynamic infrastructure enabled by containers have changed the way many organizations do business. Because of this, DevOps security practices must adapt to the new landscape and align with container-specific security guidelines. Cloud-native technologies do not lend themselves to static security policies and checklists. Instead, security must be continuous and integrated at every stage of the application and infrastructure lifecycle.

DevSecOps means building security into application development from end to end. Integrating security into the pipeline requires a new mindset as much as new tools. With this in mind, DevOps teams should automate security to protect the overall environment and data, as well as the continuous integration/continuous delivery process, a goal that will almost certainly include securing microservices running in containers.

Environment and data security:

- Standardize and automate the environment. Each service should have the least privilege possible, to minimize unauthorized connections and access.
- Centralize user identity and access control capabilities. Because authentication is initiated at multiple points, tight access control and centralized authentication mechanisms are essential for securing microservices.
- Isolate containers running microservices from each other and from the network. This includes data in transit and at rest, since both are high-value targets for attackers.
- Encrypt data between applications and services. A container orchestration platform with integrated security features helps minimize the chance of unauthorized access.
- Introduce secure API gateways. Secure APIs increase authorization and routing visibility, and reducing the number of exposed APIs reduces the attack surface.

CI/CD process security:

- Integrate security scanners for containers. This should be part of the process for adding containers to the registry.
- Automate security testing in the CI process. This includes running static analysis tools as part of the build, and scanning any pre-built container image for known vulnerabilities as it is pulled into the build pipeline.
- Add automated tests for security capabilities to the acceptance test process. Automate input validation tests, as well as verification of authentication and authorization features.
- Automate security updates, such as patches for known vulnerabilities. Do this through the DevOps pipeline, so that administrators do not have to log in to production systems and every change leaves a documented, traceable log.
- Automate system and service configuration management. This enforces compliance with security policies and eliminates manual errors. Audit and remediation should be automated as well.
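The environment-side items above (least privilege per service, isolating containers from each other and the network, automated configuration audit and remediation) are the kind of rules a team would encode as policy-as-code and run against its manifests in the pipeline. The following Python audit is an added example, not code from the original article or from Red Hat; the Kubernetes manifests are constructed (the image names and the all-zero digest are placeholders), and the rule set is one reasonable least-privilege baseline rather than a standard the page prescribes.

```python
"""Added example: policy-as-code audit of Kubernetes manifests for the
least-privilege and isolation practices listed above.

Assumptions (not from the article): the manifests below are constructed
samples with placeholder image names, and the rule set is one reasonable
baseline chosen for this example.
"""

REQUIRED_DROP = "ALL"  # containers are expected to drop every Linux capability


def _pod_findings(name, pod_spec):
    """Check one pod spec for settings that widen its privileges or reach."""
    findings = []
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            findings.append(f"{name}: {key} shares the node's namespace with the container")
    # Kubernetes mounts the service account token unless told not to.
    if pod_spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token mounted by default; "
                        "set automountServiceAccountToken: false unless the API is needed")
    for c in pod_spec.get("containers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if "@sha256:" not in image:
            findings.append(f"{cname}: image {image!r} not pinned by digest, "
                            "so the scanned image and the deployed image may differ")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true if unset
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{cname}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        if REQUIRED_DROP not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities not dropped (expected drop: [ALL])")
    return findings


def _is_default_deny(netpol):
    """A policy selecting every pod with both policyTypes and no rules denies all traffic."""
    spec = netpol.get("spec", {})
    return spec.get("podSelector") == {} and {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))


def audit(manifests):
    """Return a list of findings for a set of manifest dicts; empty means compliant."""
    findings = []
    workload_namespaces, default_deny_namespaces = set(), set()
    for m in manifests:
        kind, meta = m.get("kind"), m.get("metadata", {})
        ns = meta.get("namespace", "default")
        name = f"{kind}/{ns}/{meta.get('name')}"
        if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
            workload_namespaces.add(ns)
            findings += _pod_findings(name, m["spec"]["template"]["spec"])
        elif kind == "Pod":
            workload_namespaces.add(ns)
            findings += _pod_findings(name, m["spec"])
        elif kind == "NetworkPolicy" and _is_default_deny(m):
            default_deny_namespaces.add(ns)
    # Isolation: every namespace that runs workloads needs a default-deny policy.
    for ns in sorted(workload_namespaces - default_deny_namespaces):
        findings.append(f"namespace {ns}: no default-deny NetworkPolicy, "
                        "so pods can reach each other and the network freely")
    return findings


# Constructed manifests: a weak deployment, its hardened form, and a default-deny policy.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "orders", "image": "registry.example.internal/shop/orders:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "orders", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "orders",
                        "image": "registry.example.internal/shop/orders@sha256:" + "0" * 64,
                        "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    }}},
}
DEFAULT_DENY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny", "namespace": "shop"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

if __name__ == "__main__":
    for f in audit([WEAK_DEPLOYMENT]):
        print("FINDING", f)
    print("hardened findings:", audit([HARDENED_DEPLOYMENT, DEFAULT_DENY]))
```

Run against the weak manifest, audit() reports the shared host network, the privileged container, the unpinned image tag, the default-mounted service account token, the missing escalation and filesystem restrictions, the undropped capabilities and the absent default-deny NetworkPolicy; the hardened manifest together with the default-deny policy produces no findings. In a real pipeline the non-empty list would fail the build, and the hardened spec (drop: [ALL], runAsNonRoot, readOnlyRootFilesystem, no service account token, image pinned by digest so that the image scanned on the way into the registry is the one that runs) is what "least privilege possible" translates to in a pod spec.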
