Is Your DevOps Secure?

Nathan Dyer

<p>DevOps has become a competitive advantage for many organizations. However, many of these processes are not secure and raise serious challenges for cybersecurity professionals. Here’s how Tenable can help.</p>

<p>DevOps gives business leaders a lot to be excited about. After all, this new approach to software development drastically improves time to market for new services, making it possible to outpace competitors. Organizations have realized other important benefits as well, such as reducing the time spent maintaining existing apps and improving the quality and performance of deployed apps.</p>

<p>It’s no surprise, then, that DevOps has <a href="https://go.forrester.com/blogs/2018-the-year-of-enterprise-devops/">finally reached mainstream status</a>, with one research report indicating that <a href="https://www.ca.com/us/modern-software-factory/content/how-agile-and-devo... of organizations</a> have implemented or plan to implement DevOps. DevOps is an important differentiator as <a href="https://hbr.org/2016/04/you-dont-have-to-be-a-software-company-to-think-... companies eventually become software companies</a>. </p>

<p>On the flip side, DevOps gives security leaders a lot to be worried about. According to the latest <i><a href="https://puppet.com/resources/whitepaper/state-of-devops-report">State of DevOps Report from Puppet and DORA</a></i>, high IT performers with mature DevOps processes deploy code 46 times more frequently than low IT performers. In raw numbers, that’s more than 1,400 deployments per year for the high IT performers, compared to only 30 for the low performers.</p>

<p>Unfortunately, security teams are largely disconnected from this continuous software delivery process, relying instead on downstream gates designed for the era of waterfall development. <a href="https://sdtimes.com/agile/hpe-security-fortify-report-finds-application-... 20% of organizations</a> incorporate any security testing during development, with another 17% stating they are not using any technologies at all to protect their applications. </p>

<p>To make matters even more difficult, security teams are often <a href="https://dzone.com/articles/10-tips-for-integrating-security-into-devops"... by developers</a> in the organization by 100:1. How can security teams possibly keep up with DevOps velocity while being constrained by limited resources? </p>

<p>Hackers are already taking advantage of poor DevOps cyber hygiene with cryptomining malware attacks using <a href="https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-... Hub backdoors</a>, <a href="https://www.bleepingcomputer.com/news/security/tesla-internal-servers-in... open Kubernetes accounts</a>, and <a href="https://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/">unpatched Drupal web applications</a>. While attacks today are harnessing vast amounts of computational power to generate cryptocurrency revenue, it doesn’t take much imagination to envision future attacks targeting sensitive enterprise or customer data. </p>

<p>Security professionals need to rethink traditional vulnerability management and embrace new security methodologies to secure DevOps processes. We at Tenable believe a new security discipline, called <a href="https://www.tenable.com/cyber-exposure/critical-risk-metric">Cyber Exposure</a>, is required to cover the breadth of the modern attack surface (e.g., cloud services, mobile devices, IoT/OT assets) and provide a new depth of insight into vulnerability data for more accurate visibility and decision-making. Cyber Exposure will help security leaders incorporate new secure DevOps principles to better manage and measure cyber risk by providing:</p>

<ul><li><b>Continuous discovery and scanning</b>. Monthly or quarterly scans do not cut it in the DevOps world. Continuous software delivery means the environment is constantly changing, requiring continuous discovery and assessment of cyber risk. This should occur across the software development lifecycle—from development through operations—to provide full visibility. </li>
<li><b>Security integration into DevOps processes</b>. Security tests and controls need to be an integral part of the software development lifecycle and embedded into the development pipeline. Vulnerabilities, malware, and misconfigurations should be treated as any other type of software defect that diminishes code quality and should be remediated as early as possible in the development lifecycle.</li>
<li><b>Automation of security workflows</b>. To support the scale and speed of DevOps, security controls must be exposed programmatically with APIs into DevOps systems to take advantage of automation throughout the software development lifecycle. For example, instead of security teams manually assessing images during predefined security gates, security testing can be triggered automatically to assess all new builds as they are created.</li></ul>

<p>Tenable offers a variety of solutions to help you on your secure DevOps journey. <a href="https://www.tenable.com/solutions/cloud-security">Cloud connectors in Tenable.io</a> continuously track asset changes to ensure all cloud workloads are known and assessed for vulnerabilities. <a href="https://www.tenable.com/products/tenable-io/container-security">Tenable.io Container Security</a> plugs into continuous integration and continuous delivery (CI/CD) systems to remediate vulnerabilities and malware during development. <a href="https://www.tenable.com/blog/intro-to-the-tenable-io-api">Well-documented APIs in Tenable.io</a> allow you to automate security scans and integrate controls in your workflows. And earlier this month, <a href="https://www.tenable.com/press-releases/key-enhancements-to-tenable-cloud... announced</a> several new Tenable.io platform enhancements to support heterogeneous cloud platforms and enable security to be built into the entire software development lifecycle from build to production. </p>

<p>In fact, here’s how one Tenable customer is taking advantage of many of these secure DevOps capabilities today:</p>

<blockquote>“The Tenable.io AWS connector is the key to automating our DevSecOps pipeline. It allows us to gain real-time visibility into our cloud environment to track assets as they are spun up and down so that our other tools can be integrated into the pipeline in an automated fashion.” -- Mick Kohler, Senior Manager, Cyber Security, Enterprise Security, Sysco</blockquote>

<p>Want to learn more about securing DevOps? The following resources will help you on your journey:</p>
<ul>
<li>Watch our on-demand webinar, <a href="https://www.tenable.com/webinars/panel-discussion-securing-devops-advice... DevOps, Advice from the Frontlines</a>, featuring three industry experts who have crossed the security-DevOps divide.</li>
<li>Visit our <a href="https://www.tenable.com/solutions/application-security">Application Security &amp; DevOps solutions page</a>.</li>
<li>Read our article, <i><a href="https://www.tenable.com/whitepapers/information-security-in-the-devops-a... Security in the DevOps Age: Aligning Conflicting Imperatives</a></i>.</li>
<li>Try <a href="https://www.tenable.com/try-io">Tenable.io for free</a> for 60 days.</li></ul>


Published on Jun 27, 2018
