DevOps security is a practice that development and operations (DevOps) organizations are tasked with exploring and implementing in the name of securing the software development lifecycle (SDLC).
This usually means securing the entire continuous integration/continuous delivery (CI/CD) pipeline: the tools that will be integrated, the processes developers will be responsible for, and how well those processes are carried out. On the challenges of the DevOps security mindset, Forrester says:
"Security leaders seek to reduce the risk associated with insecure DevOps processes, and half of them struggle to do so because security and development processes are not integrated. From the developers' point of view, leadership's prioritization of security over shipping dates and existing security protocols sometimes forces them to subvert access controls in order to meet their delivery deadlines. Inefficient processes and a lack of clear boundaries for accountability create friction between DevOps and security teams."
However, the push to secure the development process has yielded solutions that prioritize ease of use, efficiency, and automated scanning of infrastructure-as-code (IaC) templates. In this way, developers can keep delivering quickly while making sure that what they deliver is secure.
Tooling such as command-line interfaces (CLIs) enables on-demand security scans of IaC plans and templates, with results delivered directly in the CLI. This shortens the discovery and feedback loop for security and compliance issues to the point where remediation can happen immediately, before the change is ever applied.
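The following is an added illustration of that kind of CLI check, not code from the original page and not Rapid7's tooling. It assumes the plan is in the JSON shape produced by `terraform show -json` (an assumption; the sample plan embedded below is constructed for the demo) and applies two hypothetical rules: security groups that open a management port, or all ports, to the world, and S3 buckets with a public ACL. Findings are printed in the terminal and the exit status is non-zero when a high-severity finding exists, so the same script can gate a CI job.

```python
"""Illustrative IaC plan scanner (added example; not Rapid7's CLI)."""
import json
import sys

# Constructed sample in the shape of `terraform show -json` output (assumed format).
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "aws_security_group.web", "type": "aws_security_group",
             "values": {"ingress": [
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
             ]}},
            {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket",
             "values": {"bucket": "example-private", "acl": "private"}},
        ],
        "child_modules": [{"resources": [
            {"address": "module.logging.aws_s3_bucket.logs", "type": "aws_s3_bucket",
             "values": {"bucket": "example-logs", "acl": "public-read"}},
        ]}],
    }},
})

WORLD = {"0.0.0.0/0", "::/0"}      # "anywhere" CIDRs
MGMT_PORTS = {22, 3389}            # SSH and RDP


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_security_group(res):
    """Flag ingress rules that expose management ports (or every port) to the world."""
    findings = []
    for rule in res["values"].get("ingress", []):
        cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        if not cidrs & WORLD:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = lo == 0 and hi == 0   # AWS convention for "all traffic"
        if all_ports or MGMT_PORTS & set(range(lo, hi + 1)):
            findings.append({"rule": "SG-OPEN-MGMT", "severity": "HIGH",
                             "address": res["address"],
                             "message": f"ingress {lo}-{hi} open to {sorted(cidrs & WORLD)}"})
    return findings


def check_s3_bucket(res):
    """Flag buckets whose canned ACL grants public access."""
    acl = res["values"].get("acl", "private")
    if acl in ("public-read", "public-read-write"):
        return [{"rule": "S3-PUBLIC-ACL", "severity": "HIGH",
                 "address": res["address"], "message": f"bucket ACL is {acl}"}]
    return []


CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}


def scan_plan(plan_json):
    """Run every registered check over the planned resources; return the findings."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        check = CHECKS.get(res.get("type"))
        if check:
            findings.extend(check(res))
    return findings


def format_report(findings):
    """Render findings as one line each for the terminal."""
    if not findings:
        return "OK: no findings"
    return "\n".join(f"{f['severity']:<5} {f['rule']:<14} {f['address']}: {f['message']}"
                     for f in findings)


def main(argv):
    # Scan the plan file named on the command line, or the constructed sample if none.
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = scan_plan(plan_json)
    print(format_report(findings))
    return 1 if any(f["severity"] == "HIGH" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform show -json plan.out > plan.json && python scan.py plan.json`; the non-zero exit status is what lets a pipeline step refuse to apply the plan. The checks are deliberately narrow so that each finding points at one resource and one fixable attribute, which is what makes remediation in the CLI immediate.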
DevSecOps is the practice of integrating security earlier into the CI/CD pipeline through cooperation between engineers, security teams, and other leadership roles. This is also known as "shifting left."
DevOps established a culture of collaboration and an agile relationship between development and operations teams; DevSecOps aims to continue those themes in the name of productivity and partnership. The concept enforces the idea that every employee and team is responsible for security, and that decisions need to be reached efficiently and put into action without sacrificing security.
Getting new code into production faster is one goal that drives new business. However, that goal now needs to be balanced with the responsibility of addressing security. Automation is the key enabler for shifting security into the development process. The goal is to bring the different phases of security into the DevOps model and automate the entire process, so that security is integrated directly into the initial application builds and the IaC template scanning process.
The primary goals and benefits of DevSecOps are those that open the door for organizations to advance operational efficiency across departments. These include:
Applications are exposed on the internet so that customers can use them, and their vulnerabilities are exposed along with them. They are therefore easily within an attacker's reach, with attacks often masked as legitimate traffic, in a way that other critical infrastructure is not.
There are tools available to attackers that allow them to penetrate and exploit with relative ease. Web application security testing is critical, especially since most application vulnerabilities originate in the source code. Dynamic application security testing (DAST) is a primary method for scanning web applications in their running state to help developers identify real, exploitable risk. In a true DevSecOps mindset, it's worth noting that scanning earlier in the software development lifecycle gives time back to developers and testers.
Just like DevOps, DevSecOps is all about partnership and collaboration. It's critical that security and development teams get together to understand the risks the other team faces. Effective ways to integrate security testing into the SDLC include:
There are many benefits to embedding application security earlier in the SDLC. If you treat security vulnerabilities like any other software defect, developers and testers who identify them earlier save both money and time.
Not surprisingly, you should now be able to see that integrating security principles into the DevOps process is entirely possible, but it is not without challenges, such as:
The rate at which end goals, priorities, and deadlines change is increasing daily, and people simply expect security to keep up. That can be a challenge in the face of changes such as cloud migration and broader digital transformation. Scanning and testing the security of development work frequently is something that should have early buy-in across stakeholders. The greater challenge comes when someone discovers an issue after it goes to production and everything has to slow to a crawl to accommodate remediation.
Overall cloud security should be considered when adding a DevSecOps process. This can include everything from cloud service provider (CSP)-native security controls and how your organization leverages them, to the complexity of IaC tooling, to identifying which processes will be automated. As the number of workloads in the cloud increases, security challenges can fall between the gaps and outside of traditional processes, adding risk from both a technical and an operational perspective.
Kubernetes is a platform that groups and manages the various containers that run applications. Containers are constantly spun up and replaced, and Kubernetes swaps in containers immediately to ensure there is no downtime. It's not hard to imagine how challenging security is at this pace of change. Amid all of this, it can be hard to surface relevant insights and threat findings, and to control unforeseen vulnerabilities that come from an instance inadvertently being overwritten.
Red tape within organizations can present challenges such as a lack of buy-in from management, insufficient budget (open-source tools can help), and siloed efforts. In addition, a shortage of skilled workers can reinforce the same old decision-making patterns at those management levels. Getting a team to solve a problem quickly can make or break success. Working 100% cross-functionally is likely not achievable for every organization. However, getting close to that goal helps strengthen teams, boost morale, and feed back key learnings that ultimately improve the pace of success.
Despite these considerable challenges, establishing DevSecOps best practices can ensure that, once processes are more or less up and running, security does not act as an impediment to the speed of application development.
Meet developers where they are. Developers want to write code, not implement security, so it should be as easy as possible for them to do both. Rapid7's CLI tools can help facilitate this process.