With digital transformation, much has been said about reducing costs and increasing the speed of software development. In this context, the software delivery pipeline is focused on delivering high-quality products and services to the market faster and more efficiently, and one way of doing so is by using DevOps (Development and Operations) methodologies. Thus, the practices associated with DevOps have been transforming the Software Development Lifecycle (SDLC), bringing lessons from manufacturing to application development.
But what is DevOps and why is it important? What is the relationship between DevOps and Information Security? And how can a Privileged Access Management solution integrate with SDLC to improve security in application development?
DevOps is a word used to describe a set of practices that aim to connect the Development and Operations teams to work on a project in a collaborative way. The goal is that, by bringing these teams together in the software development lifecycle, organizations can reduce the time and effort involved in deploying new versions. Therefore, it is possible to achieve shorter cycles and obtain lower development costs, resulting in a greater capacity to respond to customer needs, increasing confidence in the applications built and fulfilling business goals more quickly.
The introduction of DevOps practices, with greater interaction between the Development and Operations teams, was considered a revolution in the way teams work together to develop software. Although DevOps solves a number of challenges in the SDLC process, it also introduces other problems. With the rise in, and cost of, security incidents across the market, the need to include security in this concept was identified. In addition, the acceleration of the development process meant that application security needed to be present not only in the initial development phase but throughout the software lifecycle. Thus, DevSecOps was born, which is the junction of Development, Operations, and Security.
DevSecOps then means integrating information security across the application cycle and levels. Furthermore, it means automating security work so as not to affect the workflow speed, selecting the right tools and building this new strand on the DevOps culture within an organization. Therefore, everyone involved in the SDLC is responsible for ensuring that the security aspect is present in the development cycle and is implemented at the same scale and speed as the actions related to operations and development.
The main benefit of DevSecOps is automation throughout the software delivery pipeline, which eliminates errors and reduces attacks and downtime. In this sense, for teams that want to integrate security into the DevOps framework, the process can be achieved by using the right DevSecOps tools and processes. When the inappropriate use of these tools and processes causes violations, most of the time, it comes down to the poor protection of privileged accounts. As a result, one of the tools and processes that can bring benefits to the SDLC is related to Privileged Access Management or PAM.
PAM is a very important element of cybersecurity: it was considered #1 in the top 10 Gartner security projects for two consecutive years, in addition to being one of the 20 Critical Security Controls from CIS. In this context, if organizations want to get the full benefits of DevOps without jeopardizing their IT infrastructure and data, they will need to think more strategically about how they handle PAM.
The following are some of the best practices related to PAM, which can be integrated by the teams in the software development lifecycle:
I. Discover and inventory all privileged credentials, in addition to the associated devices
It is impossible to manage what is not known. Therefore, this step is essential for the entire PAM process. Since the DevOps toolchain can contain numerous scripts and automation across all layers, this can be a very difficult task. However, there needs to be clear visibility into exactly which tools are running the automation and what privileges are assigned to them. It is necessary to know, for example, what is actually being done, who is doing it, and when. In addition, organizations need to understand where automation is stored and, consequently, where the credential information incorporated in it is being stored, so that its security can be assessed. Finally, they need to understand the entire process, and how privileged credentials are being incorporated for editing, storing, operating, and creating scripts.
II. Manage shared secrets and hard-coded passwords
Hard-coded passwords are one of the biggest issues in credential management. Unfortunately, even when application security teams remove encrypted passwords from their applications, they usually leave them within the IT infrastructure. The same goes for account sharing, which is a frequent mistake that organizations make to keep automation working properly. The problem is that this prevents any traceability of activities in the environment. Thus, there need to be controls that can track individual users as well as the script or automation accounts that affect environments, so that each process or activity is tied to unique credentials. This is essential for both compliance and the overall integrity of the DevOps team’s software factory.
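Practices I and II can be started with a simple inventory pass over the scripts in the toolchain. The sketch below is an added example, not part of the original article or of any PAM product: the file contents, credential names and the `inventory` and `shared_secrets` helpers are constructed for illustration. It records where each embedded credential lives and flags values reused across files, storing only a fingerprint rather than the secret itself.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-ins for scripts in a DevOps toolchain (not from the article).
SAMPLE_FILES = {
    "deploy.sh": 'export DB_PASSWORD="Sup3rS3cret!"\nkubectl apply -f app.yaml\n',
    "backup.py": 'db_password = "Sup3rS3cret!"\napi_token = os.environ["API_TOKEN"]\n',
    "ci.yml": "steps:\n  - run: ./deploy.sh\n    env:\n"
              "      API_KEY: ${{ secrets.API_KEY }}\n"
              "      SMTP_PASSWORD: 'mail-pass-01'\n",
}

# A credential-like name, then ':' or '=', then an optionally quoted value.
CRED = re.compile(
    r"""\b([\w.-]*(?:password|passwd|secret|token|api_?key)[\w.-]*)\s*[:=]\s*(['"]?)([^\s'"]+)\2""",
    re.IGNORECASE,
)
# Values that point at a vault or environment variable are not embedded secrets.
REFERENCE_PREFIXES = ("$", "os.environ", "os.getenv")


def inventory(files):
    """Return one record per hard-coded credential: where it lives, never its value."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = CRED.search(line)
            if not match or match.group(3).startswith(REFERENCE_PREFIXES):
                continue
            # The fingerprint lets duplicates be matched without copying the value.
            digest = hashlib.sha256(match.group(3).encode()).hexdigest()[:12]
            findings.append({"file": path, "line": lineno,
                             "name": match.group(1), "fingerprint": digest})
    return findings


def shared_secrets(findings):
    """Map fingerprint -> files, for values embedded in more than one file."""
    by_value = defaultdict(set)
    for f in findings:
        by_value[f["fingerprint"]].add(f["file"])
    return {fp: sorted(paths) for fp, paths in by_value.items() if len(paths) > 1}


if __name__ == "__main__":
    found = inventory(SAMPLE_FILES)
    for f in found:
        print(f"{f['file']}:{f['line']}  {f['name']}  sha256:{f['fingerprint']}")
    for fp, paths in shared_secrets(found).items():
        print(f"shared credential sha256:{fp} used in {', '.join(paths)}")
```

Each finding is a candidate for replacement with a unique, vaulted credential; the shared entries are where traceability is already lost.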
III. Apply the principle of least privilege
Finally, the concepts related to PAM come down to providing individual users or specific automation accounts with exactly the privileges they need to perform their activities. In an environment where highly privileged credentials are provided to DevOps teams at all times, the model adopted must be based on least privilege. This makes it possible to provide enough privileges for the DevOps process to work while ensuring that, in the event that any process or account is compromised, the rest of the environment is not.