DevSecOps: Practical Steps to Seamlessly Integrate Security into DevOps

Juan C. Perez

Last updated on: September 6, 2020

To properly and effectively protect DevOps pipelines, organizations can’t blindly apply conventional security processes they’ve used for traditional network perimeters. Since DevOps’ value is the speed and frequency with which code is created, updated and deployed, security must be re-thought so that it’s not a last step that slows down this process.

Hampering the agility of DevOps teams has terrible consequences. These teams produce the code that digitally transforms business tasks and makes them more innovative and efficient. Thus, it’s imperative for security to be built into — not bolted onto — the entire DevOps lifecycle, from planning, coding, testing, release and packaging, to deploying, operating and monitoring.

If security teams take existing processes and tools, and try to jam them into the DevOps pipeline, they’ll break the automation, agility and flexibility that DevOps brings. 

“This doesn’t work,” Qualys Vice President of Product Management Chris Carlson said during a recent webcast, in which he explained how security teams can seamlessly integrate security into DevOps using Qualys products.

Protect your DevOps pipeline with Qualys

Qualys’ suite of 18 cloud apps covers a broad swath of security and compliance tasks, including vulnerability management, web application scanning, configuration compliance and container security.

These apps, which can be integrated with DevOps tools via open APIs, are fed data from a variety of Qualys sensors. These sensors, which collect IT, security and compliance information from organizations’ IT assets on-premises and in cloud environments, include:

  • physical scanners for on-premises data centers and corporate infrastructure;
  • virtual scanners for private clouds and virtualized infrastructure;
  • pre-certified scanners for workloads and resources in public cloud platforms;
  • lightweight, versatile agents for assets that are hard or impossible to scan;
  • and an upcoming passive network traffic analyzer for device discovery, identification of malicious traffic, and extraction of malware files

All sensors can be integrated and orchestrated in DevOps pipelines via APIs.

Automating vulnerability management in DevOps environments

To automate vulnerability detection in DevOps environments, organizations can introduce security “security at the source” by baking Qualys security into OS gold images and AMIs (Amazon Machine Images).

Whether you have a public or a custom image, you would scan it either with a Qualys scanner via APIs or with a Qualys Cloud Agent, identify vulnerabilities and misconfigurations, prioritize remediation, and fix the problems. Once that process is completed, you will end up with a hardened base instance, on which you can seed a Qualys Cloud Agent before releasing it to production.

When the approved gold image is in production, Qualys helps you monitor and track its security posture via dynamic and interactive dashboards. In those, you can search and tag instances based on attributes, and use pre-built or custom widgets to monitor deployments.

In addition, the Qualys Cloud Connector for AWS continuously discovers instances and collects their metadata including AMIs using API integration. Connectors may be configured to connect to one or more AWS accounts with user-provided, read-only credentials. That way, they can automatically detect and synchronize changes to virtual machine instance inventories from all Amazon EC2 Regions and Amazon VPCs.

As with AWS, Qualys has similar native integrations with Microsoft Azure and Google Cloud Platform to do vulnerability management, policy compliance, malware detection, web app scanning and other critical tasks on your cloud instances.

For example, Qualys has integrated the Cloud Agent with Microsoft’s Azure Security Center console to secure Azure Virtual Machines in DevOps pipelines. Thus, Windows admins who may know little about security or about Qualys, can turn on vulnerability management from their ASC console with a few clicks. 

That way, the agents automatically and continuously collect vulnerability data on Azure VMs, send it to Qualys Cloud Platform for analysis, and ship it back to the ASC console.“This is a cloud-to-cloud integration where the Windows sysadmins don’t know they’re using Qualys, nor about the API. They see the findings directly in ASC, and that becomes very powerful,” Carlson said.

With these capabilities, Qualys customers are able to use the same tools for detecting and visualizing vulnerabilities across their entire IT environment. “You get a single UI, a single platform, from DevOps to production,” he said.

Qualys customers are already making this scenario a reality

A bank app is born in the cloud with integrated security

When a bank recently created a consumer mobile wallet, it built the entire project — from development to deployment — in the cloud, and integrated security into the DevOps process from day one. “IT, Dev and Ops partnered from the beginning, and leveraged each other’s technologies,” Carlson said.

From the DevOps side, the app was born in AWS: planning, testing, regression, staging, build, deployment, and production. Complete new builds of the app are produced and deployed into AWS every 60 days.

To keep up this speed, they’ve created automated regression and test-driven development so they can quickly and easily find any functional defects created or introduced between builds. Docker containers are used to abstract the app from the OS, which lets the bank iterate on the apps faster without being constrained by dependencies in the underlying OS.

“This is IT transformation right here, and with security built in from the beginning,” he said.

Meanwhile, the security team transparently integrated vulnerability and compliance assessment into the DevOps process from the first day. Code vulnerabilities are fixed in the same software-release cadence. The bank checks for vulnerabilities in both commercial and open source software used in the project.

That way, the bank can find and fix those vulnerabilities, and verify they’ve been properly fixed on the same release cadence. The automated regression for functional testing is also applied to more quickly find issues with patches and vulnerability remediation.

Because they’re using Docker containers, IT teams can apply security patches to OS vulnerabilities at a separate cadence from application vulnerabilities, without worrying that patches to one will break the other. Consequently, this app ships with much fewer severe vulnerabilities than average legacy apps.

And the mobile wallet app vulnerabilities that do make it through into production — as well as the newly disclosed vulnerabilities that impact production applications — are patched much more frequently and consistently than in legacy apps.

Investment firm automates web app security in DevOps environments

With software written at breakneck speed in DevOps pipelines, it’s hard to keep up with all the development activities, so all applications need automated testing, because manual testing is costly and slow, and doesn’t scale. That’s what a large financial investment firm and Qualys customer with about 400 web apps in production discovered.

After scanning their production web applications with Qualys Web Application Scanning (WAS), the company found it had a lot of easy-to-remediate web app vulnerabilities like cross-site scripting (XSS) and SQL injection, which were harder to fix if the application is already running in production.  

The security teams worked with application development leaders and agreed that these types of web app vulnerabilities were as much as an error in software coding as complex security issues.

To address the issue going forward, the company integrated Qualys WAS into its agile software development process by executing web app scans programmatically via the WAS API at the same time they perform automated functional testing.  

Scan outputs were retrieved via the API, and tickets were automatically created  to remediate XSS and SQL Injection vulnerabilities in the next development sprint, prior to production deployment.

This dramatically lowered the number of vulnerabilities present in production apps without the need to buy more point solutions, which would have increased the company’s security budget and vendor management tasks.

Qualys Container Security

Qualys continues to deepen its WAS app’s ability to integrate with DevOps environments. For example, it recently released a plug-in for the Jenkins CI/CD (continuous integration / continuous deployment) automation server.

In addition, Qualys has an app for securing Docker containers, which are all the rage among developers because they allow applications to be created and deployed more quickly and efficiently, and with more portability.

For security, containers represent a challenge, because they churn much faster than virtual machines, and are much more lightweight because they can be spun up without provisioning a guest operating system for each one.

Container Security, now in beta, has been designed to help InfoSec teams for continuous discovery, tracking and protection of containers in DevOps pipelines and deployments at any scale. Specifically, Qualys CS offers:

  • Discovery, inventory, and near-real time tracking of container events
  • Vulnerability analysis for image registries and containers
  • Event and change tracking, so you know who is making changes and have an audit trail
  • REST APIs integration

Qualys CS also features a native container sensor, which is distributed as a Docker image. Users can download and deploy these sensors directly on their container hosts, add them to the private registries for distribution, or integrate them with orchestration tools for automatic deployment across elastic cloud environments.

How can you get started with Qualys in your DevSecOps projects?

Carlson outlined a series of practical steps to establish a strong security program using DevSecOps that’s driven by concrete metrics and by financial benefits.

Next Week

  • Inventory current security tools, and determine which are DevOps friendly using criteria like: Can they be integrated via APIs with DevOps tools? Can they automate processes? Do they have self-service UIs that developers could use to do their own security assessments?
  • Identify development teams using DevOps, and see if they’re open to integrating security into their process.
  • Start with an internal, simple “safe” project, as opposed to aiming for a major one with sky-high stakes for the business.
  • DevOps isn’t limited to cloud computing projects, so look for opportunities to collaborate with teams building on-premises apps.

Next Quarter

  • Integrate Qualys into one development lifecycle, and collect metrics that show concrete improvements and benefits attained after security was meshed with the DevOps process.
  • Measure outcomes by documenting things like the decrease in the number of vulnerabilities and configuration issues in apps before they ship to production environments.
  • Host a project summit to present your project successes and evangelize DevSecOps to other groups.

Next 6 Months

  • Create a DevSecOps architecture for on-premises and cloud
  • Streamline your security toolset by replacing point solutions with Qualys Cloud Apps. This will allow you to  cut costs and ensure your organization is using the most effective products.
  • Implement self-service and API-based DevSecOps programs to extend and facilitate the use and integration of security tools within the DevOps pipeline.
  • Expand to more projects to make DevSecOps a foundational, widespread practice across your organization.
  • Present at conferences and user groups on DevSecOps and become a DevSecOps thought leader inside and outside your organization.

We invite you to listen to a recording of the webcast, which has a lot more details about this topic, and a Q&A session with the audience.

See all of the presentations in the Continuous Security and Compliance Webcast Series.

Share your Comments


Your email address will not be published. Required fields are marked *