DevSecOps: A big hill to climb

The blog below is a guest blog post written by Logz.io, one of our ChefConf Online sponsors.

For those of you on the Sec (security) side of DevSecOps, DevOps is a cultural and philosophical change to facilitate business alignment and to deliver higher quality software faster. 

Where DevOps Started

It started off by changing the way we work, including organizational structures and software architecture. Small teams work more efficiently on their own products’ entire development and operations processes due to continual data-driven feedback loops between Dev and Ops.

DevOps Movement Leaders

If you look at several of the pioneers driving these changes, they have a lot in common. Patrick Debois in Ghent was building and operating products, but came at it from a developer’s background. Kris Buytaert saw similar patterns in his open source-centric consulting practice. They teamed up to launch DevOpsDays in 2009. By 2019, there were 80 of these events worldwide.

With this open and collaborative environment it’s natural to experiment and learn on your own, which led to accessible open source software, 

Around the same time, Gene Kim was co-founder and CTO at Tripwire, a security software company. In that role, he saw operational and development patterns shifting, engaging in and riding the wave. 

The Evolution of the Data Center

The buying centers are adapting as the data center shifts from on-premise centralized management to cloud infrastructure managed by decentralized DevOps teams. The data shows this migration is accelerating as more organizations look to close their data centers.

Gartner Image Source: www.gartner.com/smarterwithgartner/the-data-center-is-almost-dead

The rise of Cloud SIEM (security information and event management) has begun to displace traditional SIEMs as the standard for analyzing security events. These alternative systems are more convenient for ingesting new cloud data sources, including audit and network traffic data, and they allow better data sharing with Managed Security Service Providers (MSSPs) and external parties. The next step will be adapting to appeal better to DevOps teams, who are not security experts.

The Evolution of Security 

The need to deliver software faster led to the evolution from continuous integration (CI) to continuous delivery (CD). As a result, more systems are entering delivery pipelines.

These tools often analyze source code and container images, protect runtimes, and manage policies more succinctly. 

In fact, Chef’s technologies can be used throughout the pipeline from packaging with Chef Habitat to Chef InSpec for scanning and ensuring compliance, and Chef Automate to drive deployments. Other security-related technologies might be in use, but less often within delivery and operations pipelines. 

Image Source: medium.com/swlh/how-to-integrate-security-on-the-devops-pipeline-e36dea836d7b

The reason to integrate these signals into the DevOps workflow is to detect and mitigate both security posture issues and possible attack vectors during automated deployments. Systems like Logz.io can consume metrics and logs from the pipeline alongside the applications, systems, and other infrastructure. The Logz.io Cloud SIEM uses the same log data to correlate security risks, consolidate security threats, and detect problems.

Passing the Observability Test

The key challenge today is that the security tools seen in red in the diagram above are purchased by the security buyer, but this must change. As we build software, we have to address the potential security issues upfront. So, we designed the concept of a Cloud SIEM for this specific reason and trend. 

At Logz.io, we believe that observability is more than logs and metrics. We understand the software itself via distributed tracing, which we predict will become a security posture in the future.

The Logz.io tracing platform, powered by the Jaeger open source project, supports many standard ways of collecting data. We believe contributing and building security detection into tracing is necessary for current community projects and commercial offerings. 

If our predictions are correct, then this will be an alternative way to handle runtime application security protection (RASP). 

Stay tuned for developments on this project at Logz.io.

Logz.io is a cloud observability platform that enables engineers to use open-source tools without the complexity of operating, managing, and scaling them. Logz.io offers three products as part of our Cloud Observability Platform: Log Management built on ELK, Infrastructure Monitoring based on Grafana, and an ELK-based Cloud Security Information and Event Management (SIEM).

Jonah Kowall

CTO at Logz.io