DevOps security: Stress test for culture and technology

With DevOps, software development (Dev) and operations (Ops) grow together. Tools for process automation, continuous integration and teamwork between Dev and Ops units promote the efficiency of the entire development process. Agile development not only has advantages such as high software quality, innovative ability and rapid deployment, but also a flipside: Isolated security models become less effective because security checks and optimizations must now encompass the entire DevOps lifecycle and interlock.

DevSecOps has established a model that considers security aspects and procedures as an integral part of the development process from the very beginning, instead of treating them as a separate phase or post-processing, as was previously the case.

The goal is to identify and resolve security gaps at an early stage despite the heterogeneous collaboration between devs and ops and to be able to take preventative measures. This not only creates a culture of shared responsibility, security measures and tools now also cover the entire DevOps lifecycle.

This begins with the design and definition of security requirements and objectives as well as the selection of suitable architectures and technologies. Proven practices, tools and resources have also established in the Microsoft cosmos. First and foremost, this includes the Microsoft Security Development Lifecycle (SDL). SDL integrates security strategies and procedures into all phases of the development process, from planning, design and implementation to testing and maintenance. To reduce vulnerability to attacks during the development phase, tools such as the Microsoft Security Code Analysis Tools have proved their reliability. They make it possible to automatically and continuously check the developed code for vulnerabilities and fix them before the application enters the production environment.

Once the deployment has been defined in the specifications, a continuous integration and deployment pipeline (CI/CD) is advisable. It includes security tests and checks for each step: services such as Microsoft Azure DevOps Services can be used to create and manage the pipeline, for example, while components such as Microsoft Azure Security Center protect and monitor the applications and infrastructure in the cloud.

However, new security strategies are also necessary when it comes to the implementation of container technologies and microservices. The following tools are generally used to identify and eliminate vulnerabilities in container images and microservices:

• Microsoft Azure Container Registry uses trusted sources for container images and includes regular updates to close known vulnerabilities.
• Microsoft Azure Defender for Container Registries scans container images for vulnerabilities before they enter the CI/CD pipeline.
• Microsoft Azure Kubernetes Service (AKS) is used to implement security policies and rules for container orchestration and execution.
• Microsoft Azure Monitor and Azure Sentinel are suitable for monitoring the status and behavior of containers and microservices and responding to anomalies.

Finally, to manage and protect the access and use of sensitive information in DevOps pipelines, secure storage locations such as Microsoft Azure Key Vault have become popular. Merging Azure Key Vault with DevOps tools, such as Azure DevOps Services, enables DevOps teams to automate authenticated access to sensitive content during the build and deployment process.

Microsoft has also prepared a package to protect the DevOps infrastructure against potential threats such as DDoS attacks and other cyber attacks. These solutions include Microsoft Azure DDoS Protection. It enables adaptive and intelligent detection and defense against attacks that target normal application traffic patterns. In addition, Microsoft Azure Firewall offers the option of filtering and monitoring the incoming and outgoing data traffic of Azure resources. The filtering and logging of traffic follows various criteria, such as applications, protocols, ports, sources and destinations, ensuring centralized network security control for the DevOps infrastructure. Another significant step towards protecting modern DevOps environments is Microsoft Azure Sentinel. The cloud-based security information and event management (SIEM) platform collects security data from various sources, analyses them using artificial intelligence (AI) and machine learning (ML) and visualizes them for comprehensive security monitoring and analysis.

To ensure the security of APIs and other interfaces, development teams often use Microsoft Azure API Management, Azure Application Gateway and Microsoft Entra ID. These services cover a wide range of functions, including centralized management, protection against web threats and identity management. Furthermore, Microsoft Azure DevOps Services can be used to perform various tests such as static code analysis, dynamic application security tests and penetration tests.

Finally, Azure Security Center enables the monitoring and remediation of security risks and vulnerabilities in DevOps resources. To address security risks related to open source components and frameworks, it is recommended to use Microsoft Azure Defender for App Service to regularly scan for known vulnerabilities and Azure Application Insights to monitor and improve application performance and reliability. Finally, it is advisable to integrate solutions such as Microsoft Azure Sentinel, Azure Backup and Azure Site Recovery for incident response and disaster recovery into the DevOps environment.

What is certain is that DevSecOps is essential if agile development methods are actually to be used for business-critical purposes. This is especially relevant because security threats are constantly on the rise in an increasingly digitalized world. Traditional approaches, in which security is only considered at the end or in parts of the development process, are no longer sufficient. By integrating “security from the start” into the DevOps lifecycle, security vulnerabilities are identified and remedied at an early stage. DevSecOps also promotes a proactive security culture in which developers, operations teams and security teams work together to ensure that applications and systems are robust against security threats.