As you’ve likely experienced throughout the evolution of your DevOps program, building a security-minded developer culture is as much about education as it is about tooling. As you consider the next phase of your secure DevOps program, you may be starting to imagine how your toolchain evolves, whether it’s auditing existing tools, extending your CI/CD pipeline, or solving for new problems with additional tools.
It may be that your off-the-shelf WAF served you well in the past, but now your team needs a web application security control that can be tailored to solve your business’s unique security problems. Or perhaps you already have some other security control that can meet your needs, but you are forced to spend more precious professional services fees — and then wait — for the vendor to make crucial tweaks and improvements. Maybe an additional layer of DDoS mitigation closer to your attacker could strengthen your overall defenses, but what you have in place cannot consume and leverage your threat intelligence.
No matter the reason, if you’re evaluating exclusively for security requirements, you may be missing one of the most essential opportunities to successfully grow your secure DevOps culture: a focus on the developer-centricity of your tools. And before you worry too much about giving up security for performance, we’ll show you how the tooling landscape has evolved to address both.
Here’s a practical look at the essential ingredients of a developer-centric security product.
Extensive APIs and flexible computing languages for robust control
The more tightly security controls can be aligned to an app, the more effective they will be. Look for a solution that is fully configurable and API-driven so developers can create and adjust their own security controls for things like WAF (web application firewall) rules, ACLs (access control lists), and TLS (Transport Layer Security) settings. Ideally, those controls can be adjusted in near-real-time based on key insights from traffic, and developers can push out changes globally in seconds. Adding automation takes this idea one step further. For example, a developer could automatically block certain traffic when an alert fires. The next time that alert is triggered, the closed-loop resolution is already in place, so nobody has to keep watching for it. For this to be safe, the automated response should be idempotent (firing twice must not create duplicate or conflicting rules), scoped as narrowly as the evidence allows, and time-limited, so that a false positive or a shared IP address does not lock out legitimate users indefinitely. This approach significantly reduces security "noise" and allows developers to focus on other key initiatives.
The right platform for performance
In application development, there's a constant tug-of-war between performance and security. Security was traditionally expected to slow app performance and, by extension, to have a direct impact on revenue. But that doesn't have to be the case. Security controls, whether for TLS termination, WAF inspection, PCI DSS compliance requirements, or traffic handling, should be built into the platform layer, so you can scale them rapidly without introducing bottlenecks or impacting performance. Some providers maintain separate networks or separate hops for these components. If one or more of them are treated as add-ons or afterthoughts, each extra hop adds latency and a potential point of failure. If they are tightly integrated into the same layer that already serves the request, application performance is preserved. This allows developers to keep applications highly performant while delivering secure experiences.
Visibility you can act on
Visibility is critical in agile development environments to quickly identify and address issues at every stage. But when it comes to supporting production environments, security teams don't always have the comprehensive line of sight required to recognize and defend against active threats. Streaming logs from the edge in near-real-time closes much of that gap, giving you the raw material for rapid detection and mitigation. To enable your team to make data-driven decisions, log data has to be sent where it is needed and provided in whatever consumable formats your analytics engines, visualization tools, or security information and event management (SIEM) platforms require. One size may not fit all. Your provider should be able to deliver the information you need, in the way(s) you need it, wherever it is needed.
Streaming real-time logs of events and incidents is also what makes closed-loop resolution possible: teams can automatically spot incidents and remediate them quickly. If access to critical information is delayed, containment will be more difficult and the damage more severe. With real-time visibility, your organization is better equipped to tackle both known and unknown application security issues as they arise. Take caution with approaches that provide only interpreted intelligence (scores, categories, or aggregated summaries). While this information can be beneficial, it is not the whole picture: if the underlying request records are discarded, you lose the forensic-level detail needed to dig deeper into a problem and understand what actually happened. Keep the raw record alongside any derived alert. By controlling and clearly seeing what gets logged, teams can lead better investigations to identify and prevent future issues.
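The two ideas above, a closed-loop automated block driven by an alert and detection run over a near-real-time log stream while preserving the raw record, fit together in one small pipeline. The following is an added example written for this page, not code from the original article or from any platform it describes. It assumes newline-delimited JSON edge logs with the field names shown (constructed sample data), a simple failed-authentication burst rule with assumed thresholds, and an in-memory ACL standing in for whatever API-managed ACL your provider exposes; the names Acl, FailedAuthDetector, and run_stream are this example's own.

```python
"""Closed-loop block from a streamed edge log.

Rule: more than FAILED_AUTH_THRESHOLD responses with status 401/403 from one
client IP inside WINDOW_SECONDS raises an alert and pushes a time-limited block
into the ACL. Re-triggering while the block is active is a no-op (idempotent),
and every alert keeps the raw log line that fired it for later forensics.
"""
import json
from collections import defaultdict, deque

# Detection tunables. Assumed values for this example, not taken from the article.
FAILED_AUTH_THRESHOLD = 5      # failed auths per client within the window
WINDOW_SECONDS = 60.0
BLOCK_TTL_SECONDS = 900.0      # how long an automatic block stays in the ACL

# Constructed sample stream, shaped like newline-delimited JSON an edge log
# streamer might emit. Field names and values are invented for this example.
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    {"ts": 1000.0, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 401, "ua": "curl/8.4"},
    {"ts": 1001.0, "client_ip": "198.51.100.2", "method": "GET", "path": "/", "status": 200, "ua": "Mozilla/5.0"},
    {"ts": 1002.0, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 401, "ua": "curl/8.4"},
    {"ts": 1003.5, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 401, "ua": "curl/8.4"},
    {"ts": 1004.0, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 403, "ua": "curl/8.4"},
    {"ts": 1005.0, "client_ip": "198.51.100.2", "method": "POST", "path": "/login", "status": 401, "ua": "Mozilla/5.0"},
    {"ts": 1006.0, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 401, "ua": "curl/8.4"},
    {"ts": 1007.0, "client_ip": "203.0.113.7", "method": "POST", "path": "/login", "status": 401, "ua": "curl/8.4"},
    {"ts": 1100.0, "client_ip": "203.0.113.7", "method": "GET", "path": "/", "status": 200, "ua": "curl/8.4"},
])


class Acl:
    """Stand-in for an API-managed ACL (assumption: in production, block() would
    call the provider's API). Entries are client_ip -> expiry timestamp."""

    def __init__(self):
        self._entries = {}

    def is_blocked(self, ip, now):
        expiry = self._entries.get(ip)
        return expiry is not None and now < expiry

    def block(self, ip, now):
        """Add or refresh a time-limited block. Returns True only when the block
        is new, so callers can tell a fresh action from a redundant re-trigger."""
        is_new = not self.is_blocked(ip, now)
        self._entries[ip] = now + BLOCK_TTL_SECONDS
        return is_new

    def active(self, now):
        return sorted(ip for ip, exp in self._entries.items() if now < exp)


class FailedAuthDetector:
    """Sliding-window count of 401/403 responses per client IP."""

    def __init__(self, acl):
        self.acl = acl
        self._failures = defaultdict(deque)   # client_ip -> deque of timestamps
        self.alerts = []

    def ingest(self, raw_line):
        """Process one raw log line. Returns the alert it produced, or None."""
        rec = json.loads(raw_line)
        now, ip = rec["ts"], rec["client_ip"]
        if rec["status"] not in (401, 403):
            return None
        window = self._failures[ip]
        window.append(now)
        while window and window[0] < now - WINDOW_SECONDS:   # drop stale entries
            window.popleft()
        if len(window) < FAILED_AUTH_THRESHOLD:
            return None
        if not self.acl.block(ip, now):
            return None   # already blocked: the loop is closed, nothing new to do
        alert = {
            "rule": "failed-auth-burst",
            "client_ip": ip,
            "count": len(window),
            "window_seconds": WINDOW_SECONDS,
            "action": "acl-block",
            "raw": raw_line,   # keep the triggering record, not just the summary
        }
        self.alerts.append(alert)
        return alert


def run_stream(stream_text):
    """Feed every non-empty line of a log stream through the detector."""
    acl = Acl()
    detector = FailedAuthDetector(acl)
    for line in stream_text.splitlines():
        if line.strip():
            detector.ingest(line)
    return detector, acl


if __name__ == "__main__":
    det, acl = run_stream(SAMPLE_STREAM)
    for a in det.alerts:
        print(json.dumps(a))
    print("blocked now:", acl.active(1100.0))
```

Running it against the sample stream produces exactly one alert for 203.0.113.7 (the fifth failed login at ts 1006.0); the sixth failure at 1007.0 finds the block already present and does nothing, which is the behaviour you want when the same alert fires again. The block expires on its own after BLOCK_TTL_SECONDS, so a mistaken block is self-correcting, and the alert carries the raw JSON line rather than only the derived count.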
Easy integration into existing toolchains and compliance frameworks
Whether a new vulnerability has been found or you want to roll out a feature for a particular event, it's important to get fixes and updates to users as quickly as possible. When your security tools fit into your current DevOps toolchains, developers are not forced to perform security testing and configuration outside of their preferred environment. Those toolchains commonly include CI/CD systems (Travis CI, Jenkins), configuration management and infrastructure-as-code tools (Chef, Puppet, Terraform), and code repository systems (GitHub). All security controls should be applicable in virtualized and container-based development and deployment environments, such as VMware and Docker. Controls must also fit into the compliance, corporate governance, and policy frameworks designed for your business's industry. Additionally, a WAF can be leveraged for virtual patching, blocking requests that exploit a known vulnerability at the edge until the code fix ships, and as a secondary set of controls and cloud-based security enforcement in front of the application.
Developer-centric tools shift security to your application’s core.
Providing developers with security tools that were built with them in mind is an important step in the evolution of any secure DevOps team. These tools enable developers to secure their applications from the start, giving your entire team a stronger set of security checks and balances — and end users a more holistically trustworthy experience.