Security Operations

One of the phases of the software development lifecycle is deployment and maintenance. Security needs to happen here too. When security meets operations, we have the field of SecOps.

SecOps

Remember the creation and rise of DevOps, the coming together of development and operations as one? That happened because separating development from operations came to be seen as a mistake.

We know security should not be kept separate either, hence we need DevSecOps (sometimes abbreviated SecOps).

Another definition of SecOps: the collection of all people, practices, intelligence, and technology that goes into securing an enterprise’s assets. It handles threat modeling, risk assessment and management, bug (vulnerability) reports and issue tracking, responses and fixes, configuration, rollout, deployment, maintenance, evolution, and everything in between, with security in mind the whole time.

Best Practices

Note that the management of secrets and other sensitive information in your deployment configuration files can be a weak point in your security posture. Are you managing those secrets well?
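One concrete way to answer that question is to check deployment configuration before it ships. The following is an added example, not code from the course notes: a small checker that walks a key=value style deployment config and flags any secret-like key whose value is an embedded literal rather than a reference to an environment variable or an external secret store. The two config texts, the key-name pattern, and the `vault://`-style reference scheme are constructed assumptions for illustration.

```python
"""Flag literal secrets in a deployment configuration (added example)."""
import re

# Key names that usually carry sensitive material (assumption: extend per project).
SECRET_KEY_PATTERN = re.compile(
    r"(password|passwd|secret|token|api_key|apikey|private_key)", re.I
)
# Values of these shapes point at an external secret instead of embedding one:
# an environment reference like ${DB_PASSWORD} or a secret-store URI (assumed scheme).
REFERENCE_PATTERN = re.compile(r"^\$\{[A-Z0-9_]+\}$|^(vault|secretsmanager|ssm)://")

# Constructed "before" config: secrets committed as literals in the file.
WEAK_CONFIG = """\
db_host=db.internal
db_user=app
db_password=hunter2
api_token=abc123def456
log_level=info
"""

# Constructed "after" config: the same keys resolved at deploy time from the
# environment or a secret store, so the file itself holds no secret material.
HARDENED_CONFIG = """\
db_host=db.internal
db_user=app
db_password=${DB_PASSWORD}
api_token=vault://kv/app/api_token
log_level=info
"""


def parse_config(text):
    """Parse key=value lines into {key: (line_number, value)}, skipping blanks and '#' comments."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        entries[key.strip()] = (lineno, value.strip())
    return entries


def find_literal_secrets(text):
    """Return (line_number, key) for every secret-like key holding a literal value.

    Only the key name and line are reported, never the value, so the checker's
    own output cannot leak the secret it just found.
    """
    findings = []
    for key, (lineno, value) in parse_config(text).items():
        if SECRET_KEY_PATTERN.search(key) and not REFERENCE_PATTERN.match(value):
            findings.append((lineno, key))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {find_literal_secrets(cfg)}")
```

Run as a pre-commit hook or a CI step, a check like this fails the build before a literal credential reaches the repository; the hardened form keeps the same keys but defers the values to the deploy environment, which is what the notes mean by managing secrets well. An empty value (`db_password=`) is also flagged, since it is neither a reference nor a safe placeholder.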

It feels like this page of notes would not be complete without a listing of the most common (if not the most obvious) practices that any good security-conscious Ops team will have in place:

And where possible, automate, automate, automate. Remember to automate. Humans make mistakes with this kind of work, so why risk it? A manual deployer turned malicious insider is scary.

Read this short article for a good introduction to Secure DevOps.

Continuous Integration

Although DevSecOps is a big topic, it’s worth highlighting security concerns within your CI/CD pipeline. Here are a couple of good articles which go over the issues involved:

Additional Resources

Read more on DevSecOps at:

Summary

We’ve covered:

  • What exactly SecOps is concerned with
  • The many facets of continuous integration (CI) and why it matters
  • The usual best practices
  • Where to find more information