What is Continuous Security?
Continuous Security is a process of making security as a part of CI/CD process. Most of the organizations especially high performing ones have already implemented CI/CD pipelines to make software release more agile, building software automatically using Continuous Integration tools, and then packaging them in docker images and then containers are run in production using Continuous Deployment tools such as Jenkins, Kubernetes.
Applying all DevOps values to software security makes sure that verification of safety becomes an active and integrated part of the existing development process in place. Continuous Security works alongside the continuous everything process and makes continuously securing our software and infrastructure.
DevOps Security focuses on the point of delivering secure software using continuous delivery architectures. Click to explore about our, DevSecOps and Continuous Security For an Enterprise
Why is Continuous Security important?
- In modern applications, there are a lot of microservices, many infrastructure layers with Docker and Kubernetes platform, frequent changes and releases need a continuous security process in place which can mitigate security issues.
- It helps in enabling End to End Security.
- Security breaches are one of the most significant threats faced by various organizations in the modern world. There have been numerous cases of data breaches, which makes the need for proper Continuous Security in place.
- Better security enhances a software product's use in the market and builds trust with consumers.
- We have seen tremendous benefits with continuous integration and continuous deployment pipelines approach. All those benefits along with proper Information Security at each step can be achieved using Continuous Security.
How Continuous Security Works?
Let's dive deep into How Continuous Security works and see how it reduces the attack surface. Continuous Security adds an extra layer over DevOps processes and pipeline to make sure all the underlying infrastructure and applications don't have vulnerabilities and risks associated with them. Cloud-native applications are capable of providing support for the high availability and resiliency of micro-services through service discovery and load-balancing traffic across various stateless application containers. Continuous security works by adding a new security layer across containers.
DevOps movement has introduced various processes such as continuous integration (CI) and continuous delivery (CD). These processes allow for fast delivery and proper testing of code during the development process. Continuous Security works by injecting various policies and penetration testing of software applications using agile approaches. DevSecOps philosophy ensures that security should be built right into the product itself. Traditional InfoSec tested for security at the end, but Continuous Security works by testing for security in parallel from beginning till the end of an application. Security scans are enabled along with continuous integration pipeline to detect and fix the issues automatically in a continuous manner. There are continuous feedback loops which makes continuous improvement in overall security.
A type of software testing that ensures that any application or system is free from threats, vulnerabilities, and risks. Taken From Article, Security Testing in DevOps
Dockerfiles are treated as a Blueprint for building Docker images. Dockerfiles are put in VC such as Git. Always Be explicit with versions; don't use the latest. Try to keep a minimum number of layers.
Containers are treated as immutable. There is a separation between code, config, and data.
Private registries are hosted for storing docker images privately — there proper image signing which validates what's inside the image and what version it is running.
Underlying Host Security
Kernel features such as CGROUPS and Namespaces are used to provide features such as resource isolation and process isolation. Containers running on a host assumes that the Underlying host has proper security in place. The container uses SELinux for mandatory access controls. Read-only mounts are enabled from host to running container.
Isolation of Network
It is enabled by network namespaces, which provide resource isolation. Multiple Environment is used for DEV, UAT, PROD. Kubernetes network policies are used for allowing traffic from the same namespace only, thus restricting the area of access.
A process that continuously searches the web applications and the IT infrastructure for possible vulnerability and security risks. Click to explore about, Continuous Security Testing
How to enable Continuous Security?
Continuous Security can be enabled in the following ways -
- Implement gradual changes into existing DevOps pipeline, keeping security in mind.
- Tools such as Vault should be used for certificate stores with M-TLS for encryption.
- Leverage various existing security tools & automation to enable DevSecOps in the organization.
- Put metrics and alerts on all security incidents, whether they are related to Infrastructure or applications.
- Find attack vectors, potential effects of the security holes & Fixing them in automated ways.
What are the benefits of Continuous Security?
- Reduce Risks
- Lower Costs
- Speed Delivery
- Speed Reaction
- Availability and resiliency
- Local Service discovery. Apps can be accessed from an inside cluster only, making them more secure.
DevOps assembly lines are targeted on automating and connecting activities performed by several groups part of software development phases Source- DevOps Assembly Line
Best Practices for Continuous Security in DevOps PipelineFollowing are the Best Methods which should be developed while Enabling Continuous Security in a DevOps pipeline- Security should not be an afterthought Instead, It should be implemented from the inception of an idea to running it in production. Best practices for Underlying Host Security which runs containers -
- Always run as a regular user.
- Define resource requests and limits.
- Logging should be enabled.
- Make an equilibrium between simplicity and security.
- UI guys might want want to make it as simple as possible, while InfoSec would want to make it highly secure.
- There should be an equilibrium between them to make customers happy.
- First, focus on People and Culture.
- Then, focus on Processes.
- Finally, Focus on Tools to implement all the processes & keep on improving them.
What are the best tools for Continuous Security?
- SysDig Secure
- Signal Sciences
- Logging - Kibana + Elasticsearch
- Monitoring - Prometheus in conjunction with Grafana
- OWASP Zed Attack Proxy (ZAP)