FOREWORD
Build Security Into Your DevOps Practices
Use cases across the different types of companies that operate workloads in the
cloud vary, but there undoubtedly is one commonality: velocity. Cost, flexibility,
and scale are cited as reasons why organizations decide to use the public cloud.
However, the ability to move at the speed of today’s technology innovation comes
out on top more often than not, time after time.
Many organizations can get so focused on pushing product that security takes a
backseat. The result is inadvertent vulnerabilities in the underlying infrastructure
that get missed. When that happens, and it happens a lot, companies, products,
and users are exposed.
Speed tends to be the focus for DevOps, but to truly implement and manage
DevOps effectively within an organization, it has to have a more comprehensive
approach from day one. A framework needs to be created that certainly
emphasizes speed and pushing product fast, but it has to also include a cultural
and technical approach that combines DevOps and security. An effective cross-
pollination of these will result in the kind of approach you’ll hear about in this
book. The people who are finding smart ways to build security into DevOps are
helping to ensure rapid business agility with the right approach to security.
Lacework is a SaaS platform that
automates threat defense, intrusion
detection, and compliance for cloud
workloads & containers. Lacework
monitors all your critical assets in
the cloud and automatically detects
threats and anomalous activity so
you can take action before your
company is at risk. The result?
Deeper security visibility and greater
threat defense for your critical cloud
workloads, containers, and IaaS
accounts. Based in Mountain View,
California, Lacework is a privately
held company funded by Sutter Hill
Ventures, Liberty Global Ventures,
Spike Ventures, the Webb Investment
Network (WIN), and AME Cloud
Ventures. Find out more at www.lacework.com.
Regards,
Dan Hubbard
Chief Product Officer
TABLE OF CONTENTS
James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC
Milinda Rambel Stone, Vice President & CISO, Provation Medical
Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)
Katherine Riley, Director of Information Security & Compliance, Braintrace
Darrell Shack, Cloud Engineer, Cox Automotive Inc.
Mauro Loda, Senior Security Architect, McKesson
Ross Young, Director, Capital One
“DEVELOPERS NEED TO UNDERSTAND SECURITY FROM THEIR OWN POINT OF VIEW, SO THEY CAN INTEGRATE SECURITY INTO THE COMPLETE SOFTWARE-DEVELOPMENT LIFE CYCLE.”
Making security an essential part of your IT operations requires a disciplined approach to the development process, and that begins with teaching developers security awareness. Developers need to understand security from their own point of view, so they can see and integrate security into the complete software-development life cycle.

They need to bring security awareness to the table when they are gathering project requirements, when they are planning their design, when they are building code and doing verification testing, and when they are deploying. This includes understanding the security scanning and checks that are integrated into the pipeline as part of the development process, and making sure those things are done. The ultimate goal is to be in front of the security challenge rather than always having to play catch-up and repair vulnerabilities after deployment.

Tools built into the pipeline play an important part in enforcing security checks. How you use them becomes part of your change control management process and how you force checks and security sign-offs. Other security tools that monitor activity in the environment also help determine what is most critical.

But education and culture within the organization are important too. For instance, if you determine you need to make an investment equal to 10% of your entire security budget to address a serious vulnerability in your operation, senior management needs to understand why, and they need to have a clear idea of the negative impact of not addressing that vulnerability.

James P. Courtney, Certified Chief Information Security Officer, Courtney Consultants, LLC
James Courtney is a recognized cybersecurity professional who has spoken at multiple conferences, including the CyberMaryland Conference. He is a Certified Chief Information Security Officer (one of 1,172 in the world), serving as the IT network and operations security manager for a private SIP consulting firm in McLean, Virginia.
“YOU CAN FILTER DATA FROM YOUR SECURITY STACK AND BUILD IT OUT INTO A HEAT MAP THAT HELPS TRANSLATE WHERE YOU ARE INTO BUSINESS LANGUAGE.”
There can be a lot of business and operational reasons for getting code out as fast as possible, and developers are subject to those pressures. But by nature, engineers want to do the right thing. The best way to build secure code is to give developers the tools and incentives to do the job, and make security fun. You need to build security in from an application-security perspective, run code scans from an application-security perspective on a regular basis, and have your teams compete. Gamification is a great way to make security part of the job and to make it one of the things that drive the whole process rather than being an afterthought. Getting security right first costs much less than fixing it after the fact.

As part of this, having a DevSecOps mindset is extremely important. If you think about the cloud environment and all the kinds of activities that are happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed. The siloed approach doesn’t work, and it’s more fun to work collaboratively.

Another important part of building security into your cloud operations is maintaining an overarching enterprise security scorecard. You can actually filter data from your security stack and build it out into a heat map that helps translate where you are into business language. The goal is to show the organization where there is security risk, brand risk, product risk, financial risk, and where there are risk trends. Then you can begin having a business conversation about how you address these risks, which are all based on highly technical factors.

Milinda Rambel Stone, Vice President & CISO, Provation Medical
Milinda Rambel Stone is an executive security leader with extensive experience in building and leading security programs, specializing in information-security governance, incident investigation and response, cloud security, security awareness, and risk-management compliance. As a former software engineer, Stone has passion and experience in building cloud security and DevSecOps environments. She currently practices this at Provation, where she is the vice president and chief information security officer (CISO).
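The scorecard Stone describes is a data-rolling exercise: take findings already produced by the security stack, weight them, and aggregate them by business unit and risk category so that a cell can be read as hot, warm or cold and compared with the previous period. The following is an added example written for this page, not code from the ebook or from any contributor; the finding records, the severity weights, the hot/warm thresholds and the four risk categories are constructed assumptions, and a real scorecard would take its weights from the organisation's own risk appetite and its findings from the tools actually deployed.

```python
"""Added example: roll scanner findings up into a business-facing heat map.
All sample data, weights and thresholds below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Risk categories the scorecard reports on (assumed), in rendering order.
CATEGORIES = ("security", "brand", "product", "financial")
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
HOT, WARM = 20, 8  # assumed thresholds; tune to the organisation's risk appetite


@dataclass(frozen=True)
class Finding:
    unit: str       # business unit that owns the affected asset
    category: str   # which kind of business risk the finding feeds
    severity: str   # severity as reported by the scanner
    exposed: bool   # asset is reachable from the internet


def score(finding):
    """Severity weight, doubled when the asset is internet-exposed."""
    base = SEVERITY_WEIGHT[finding.severity]
    return base * 2 if finding.exposed else base


def build_heat_map(findings):
    """Aggregate finding scores into {(unit, category): score}."""
    cells = defaultdict(int)
    for f in findings:
        cells[(f.unit, f.category)] += score(f)
    return dict(cells)


def rate(cell_score):
    """Translate a numeric cell score into the language the scorecard uses."""
    if cell_score >= HOT:
        return "hot"
    if cell_score >= WARM:
        return "warm"
    return "cold"


def trend(current, previous):
    """Per-cell change in score since the previous reporting period."""
    keys = set(current) | set(previous)
    return {k: current.get(k, 0) - previous.get(k, 0) for k in keys}


def render(current, previous):
    """Plain-text grid: one row per business unit, one column per risk category."""
    deltas = trend(current, previous)
    units = sorted({u for u, _ in current} | {u for u, _ in previous})
    lines = ["unit".ljust(12) + "".join(c.ljust(18) for c in CATEGORIES)]
    for u in units:
        row = u.ljust(12)
        for c in CATEGORIES:
            s = current.get((u, c), 0)
            d = deltas.get((u, c), 0)
            row += f"{rate(s)} ({s:>3}, {d:+d})".ljust(18)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample exports, as they might look after filtering the security stack.
THIS_WEEK = [
    Finding("payments", "security", "critical", True),
    Finding("payments", "security", "high", False),
    Finding("payments", "financial", "medium", False),
    Finding("marketing", "brand", "high", True),
    Finding("marketing", "brand", "low", False),
    Finding("platform", "product", "medium", False),
    Finding("platform", "product", "medium", False),
    Finding("platform", "security", "low", False),
]
LAST_WEEK = [
    Finding("payments", "security", "high", False),
    Finding("payments", "security", "high", False),
    Finding("marketing", "brand", "high", True),
    Finding("platform", "product", "critical", False),
]

if __name__ == "__main__":
    print(render(build_heat_map(THIS_WEEK), build_heat_map(LAST_WEEK)))
```

The point of the design is that every cell is traceable back to individual findings, so when an executive asks why payments/security went hot this week the answer is a list of concrete vulnerabilities, not an opinion.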
“WHEN IT COMES TO DEPLOYING APPLICATIONS IN THE CLOUD, AS YOU MOVE TOWARDS CONVENIENCE, YOU LOSE SECURITY.”
When it comes to deploying applications in the cloud, as you move towards convenience, you lose security. It’s a balancing act. That said, there are tools and processes that can enforce more secure practices. For example, a continuous integration/continuous delivery (CI/CD) model leverages known good components as you update your applications. Being more secure in the cloud involves using these kinds of processes to become more disciplined about change management.

There are a number of code assessment tools available that can be an integral part of the development process. These tools scan code for vulnerabilities during development and provide vulnerability notifications so that those things can be addressed before code goes to production. The entire DevOps process is becoming a code-based paradigm.

It’s also a good practice to have pen testers periodically look at your applications and code from a hacker’s perspective. Use the vulnerabilities they discover as an opportunity to raise awareness among the developers.

Paul Dackiewicz, Lead Security Consulting Engineer, Advanced Network Management (ANM)
Paul Dackiewicz has over 10 years of systems engineering and cybersecurity experience in the fields of healthcare, government, and value-added resellers (VARs). He is currently leading the security operations center (SOC) for a premier managed security services provider (MSSP).
“COMPLEMENT PLATFORM FEATURES AND CAPABILITIES WITH TOOLS THAT YOU CAN INTEGRATE INTO THE ENVIRONMENT.”
Here are several things you can do to embed security practices into your cloud operations:

- Take the time to architect out your solutions and ask tough questions about how to make them conform to your security framework and what risks you must address. It’s not easy to sit down with everybody in the room, but it is a necessary step.
- Build a DevOps process that uses tools to scan code as you develop it. This should be an automated process that has to happen before code can be promoted.
- Use the cloud provider’s platform to your advantage. Cloud platforms have a lot of security features and process-control functions that can make your cloud infrastructure more secure, if you use them. For instance, Amazon is constantly patching and updating operating system images. Their tools can tell you if operating system patches are relevant to the container configurations you are currently using. This streamlines your own configuration management and redeployment of fresh images.
- Complement platform features and capabilities with tools that you can integrate into the environment. You might want to install your own monitoring or behavior-analytics tool, and integrate that with your dashboard or ticketing system. Then you can tune the tool so that you are focusing on what is most critical to the business.

Katherine Riley, Director of Information Security & Compliance, Braintrace
Katherine (Kate) Riley is skilled in leading teams to define cloud architecture, and in development of controls. She has developed and implemented security frameworks such as ISO and NIST, and performed compliance reviews such as FFIEC, HIPAA, HITRUST, SOX, GDPR, and GLBA.
“MAKING SECURITY AN INTEGRAL PART OF YOUR CLOUD OPERATIONS REQUIRES TIGHTLY MANAGED PROCESSES.”
Making security an integral part of your cloud operations requires tightly
managed processes. This begins with working closely with your security
teams as you design your cloud infrastructure, build out your networks,
and allocate available resources. This must all be done in compliance with
security standards laid out by your security team.
It requires managing the development process so that developers follow
rules and practices that enforce security. This includes the tools you use,
and an agile development process that might involve daily meetings in
which developers can discuss how to build something in accordance with
security guidelines. It can involve ticketing systems and collaboration
tools that facilitate developers getting answers to business-risk questions
that relate to the things they are being asked to build. And it requires
maintaining discipline about the development process itself, such as using
isolated network environments with strict naming conventions to separate
development, staging, and production environments for your applications.
The process for architecting and building cloud infrastructure needs to be
well controlled from end to end.

Darrell Shack, Cloud Engineer, Cox Automotive Inc.
Darrell Shack is a seasoned system engineer focused on building resilient and high-availability solutions. He has experience in developing solutions in the public cloud (Amazon Web Services), helping teams manage their cost and overall application performance in the cloud.
“WITH SO MUCH IN THE BUSINESS SUBJECT TO SECURITY RISK, EVERY PERSON HAS A SPECIFIC ROLE TO PLAY.”
With so many business operations happening in complex IT
infrastructures, security is no longer the responsibility of only the security
team or the compliance team. It must be baked in at the executive level
and become a part of the business process. Most enterprise operations
are driven by people, processes, and technology, and people are often
stretched thin. With so much in the business subject to security risk,
every person has a specific role to play.
Everything needs to be risk driven. This means treating security and
compliance risk as part of business risk. It also means talking about
security in terms of business cases, which becomes the common
language across the enterprise from the C-suite to business operations.
Security frameworks and tools play an important role not only in securely
managing IT infrastructures, but also in measuring and scoring risk in
ways that make sense for business cases. In this way cybersecurity can
become a key consideration in important business decisions.
Mauro Loda, Senior Security Architect, McKesson
Mauro Loda is a passionate, data-driven cybersecurity professional who helped define and drive the “Cloud First” strategy and culture within a Fortune 100 multinational enterprise. He is a strong believer in offensive security and simple-but-effective architecture-defense topology. Emotional intelligence, pragmatism and reliability are his guiding principles. He has achieved numerous industry certifications and actively participates in forums, technology councils, and committees.
“BUILDING A SECURE, SCALABLE DEVELOPMENT PROCESS DEPENDS ON AUTOMATION TOOLS, BECAUSE ONE SECURITY ENGINEER CANNOT MANUALLY ASSESS ALL THE APPLICATIONS AND SERVICE INSTANCES…”
The ultimate goal needs to be to build security into the development process and into the code itself.

One way to move in this direction is to change the structure of development teams so that their work has more immediate feedback from customers and business leaders. For example, a typical large project might have 10 developers, a project manager, and a scrum master assigned to it. However, a different approach would be to build a team that consists of three or four developers doing the team coding, working in pairs to check for errors. There would be a systems engineer looking at customer requirements and breaking those down to actionable increments on a scrum board. There would also be a person responsible for the human-centric design, building wireframes before the coding begins, and using those to get customer validation early in the development process. And of course the team would have its own security engineer overseeing security of the code, and a project manager over the group.

This kind of team, supported with the right tooling, would be a highly agile group designed to receive almost instantaneous feedback at every stage in the development cycle.

Part of this process needs to include building in risk sign-off at the business leader or executive level. This would involve evaluating the product for vulnerabilities and risk, then taking the finished product along with the risk evaluation to an appropriate executive who can accept or reject the risk. That makes the final decision about operational risk a business decision, not a security-team decision.

Building a secure, scalable development process depends on automation tools, because one security engineer cannot manually assess all the applications and service instances a team like this could build. And in a cloud environment, you could easily have many teams like this continuously creating new code.

Eventually the goal will be to build security control into the code itself. Security management becomes a function built into the instantaneous-feedback loop developers use to advance their code incrementally. When security policy is built as code, then developers can just test against it.

Ross Young, Director, Capital One
Ross Young is a veteran technologist, innovation expert, and transformational leader, having learned DevSecOps, IT infrastructure, and cybersecurity from a young age from both ninjas and pirates. Young currently teaches master-level classes in cybersecurity at Johns Hopkins University and is a director of information security at Capital One.
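Several contributors describe the same mechanism from different angles: Young's "security policy built as code that developers just test against", Riley's automated scan that must pass before code can be promoted, Dackiewicz's CI/CD model that only admits known good components, and Shack's isolated environments with strict naming conventions. The block below is an added example of what such a gate looks like in practice; it is not code from the ebook or from any contributor, and the manifest layout, the resource fields, the `environment` tag, the admin-port list and the four policies are assumptions chosen for illustration rather than any real IaC tool's schema. A CI job would run it against the change's rendered manifest and refuse promotion on a non-zero exit.

```python
"""Added example: a minimal policy-as-code gate run in CI before promotion.
Manifest shape, field names and the policies themselves are assumptions."""
import re
import sys
from dataclasses import dataclass

ENVIRONMENTS = ("dev", "staging", "prod")       # assumed environment names
ADMIN_PORTS = {22, 3389, 3306, 5432}             # assumed "never from the internet" ports
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # image pinned by content digest


@dataclass(frozen=True)
class Violation:
    policy: str
    resource: str
    detail: str


def check_env_naming(res):
    """Resource names must start with the environment they are tagged with."""
    env = res.get("tags", {}).get("environment")
    name = res["name"]
    if env not in ENVIRONMENTS:
        return [Violation("env-naming", name, "missing or unknown 'environment' tag")]
    if not name.startswith(env + "-"):
        return [Violation("env-naming", name, f"name must start with '{env}-'")]
    return []


def check_no_open_admin_ports(res):
    """No 0.0.0.0/0 ingress rule may cover an administrative port."""
    out = []
    for rule in res.get("ingress", []):
        if rule["cidr"] != "0.0.0.0/0":
            continue
        hit = sorted(p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"])
        if hit:
            out.append(Violation("no-open-admin-ports", res["name"],
                                 f"0.0.0.0/0 may reach ports {hit}"))
    return out


def check_no_public_storage(res):
    if res.get("type") == "bucket" and res.get("public", False):
        return [Violation("no-public-storage", res["name"], "bucket is publicly readable")]
    return []


def check_pinned_images(res):
    """Containers must reference a known good image by digest, not a mutable tag."""
    image = res.get("image")
    if res.get("type") == "container" and image and not DIGEST_RE.search(image):
        return [Violation("pinned-images", res["name"], f"image '{image}' is not pinned by digest")]
    return []


POLICIES = [check_env_naming, check_no_open_admin_ports, check_no_public_storage, check_pinned_images]


def evaluate(manifest):
    """Run every policy over every resource and collect the violations."""
    return [v for res in manifest["resources"] for policy in POLICIES for v in policy(res)]


def gate(manifest):
    """Return (promotable, violations); CI blocks promotion when promotable is False."""
    violations = evaluate(manifest)
    return (not violations, violations)


PLACEHOLDER_DIGEST = "0123456789abcdef" * 4  # constructed 64-hex digest, not a real image

# Constructed manifest with one violation of each policy.
SAMPLE_MANIFEST = {"resources": [
    {"name": "prod-web-sg", "type": "security_group", "tags": {"environment": "prod"},
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
                 {"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"name": "web-logs", "type": "bucket", "tags": {"environment": "prod"}, "public": True},
    {"name": "staging-api", "type": "container", "tags": {"environment": "staging"},
     "image": "registry.example/api:latest"},
    {"name": "dev-db-sg", "type": "security_group", "tags": {"environment": "dev"},
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
]}

# The same change after the developer fixed it against the policies.
FIXED_MANIFEST = {"resources": [
    {"name": "prod-web-sg", "type": "security_group", "tags": {"environment": "prod"},
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"name": "prod-web-logs", "type": "bucket", "tags": {"environment": "prod"}, "public": False},
    {"name": "staging-api", "type": "container", "tags": {"environment": "staging"},
     "image": "registry.example/api@sha256:" + PLACEHOLDER_DIGEST},
    SAMPLE_MANIFEST["resources"][3],
]}

if __name__ == "__main__":
    ok, found = gate(SAMPLE_MANIFEST)
    for v in found:
        print(f"{v.policy}: {v.resource}: {v.detail}")
    sys.exit(0 if ok else 1)
```

Because the policies are ordinary functions over ordinary data, developers can run the same gate locally, add a policy with a pull request like any other code change, and write a test case for each new rule; that is what makes the policy something they test against rather than a document they read.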
KEY POINTS
Having a DevSecOps mindset is extremely important. Given the cloud environment and all the kinds of activities happening across all of the different teams, if you don’t work together and collaborate on security, something’s going to get missed.
When it comes to deploying applications in the cloud, as you move toward convenience, you lose security. It’s a balancing act.
That said, there are tools and processes that can enforce more secure practices.
A security heat map can show business leaders where there is security risk, brand risk, product risk, financial risk, and reveal
risk trends. With that, you can have business conversations to address these risks, which are all based on highly technical
factors.