More and more organizations are abandoning the outdated waterfall development methodology for more practical and efficient Agile development practices. As this movement has occurred, development teams are moving faster than ever by employing Continuous Integration (CI) and Continuous Deployment (CD) practices that are serving to shorten development cycles and get new features into production faster.
This does, however, come with greater security risk in some respects. The speed at which new code is being released has the effect of not only pushing new features out quickly but also potentially creating new security vulnerabilities at the same time.
This is where DevSecOps comes into play. By implementing DevSecOps practices supported by sufficient log analysis, organizations can ensure a high standard of application security in a fast-paced development life cycle without slowing the speed of application delivery. Going beyond static analysis or a simple tool, DevSecOps, combined with consistent log management, is key to maintaining reliable and secure applications.
What is DevSecOps?
DevSecOps is the philosophy of integrating security practices within the DevOps process.
Traditionally, the software development process was all but complete before application security came into consideration. A system would be fully designed and the code written, then analyzed by a security team that would identify existing security issues within the application. These issues would then be resolved, allowing the application to clear the security controls for a production release.
This process no longer made sense with the introduction of DevOps and shortened development cycles. Modern cloud applications are no longer released as defined versions every set number of months, but are iteratively or "continuously" developed, sometime multiple times a month, week or even day. Just as the CI/CD pipeline allowed for ongoing iteration and development, continuous security needed to be built into the software development lifecycle. As a result, DevSecOps was born.
DevSecOps mandates that all members of the DevOps organization be involved in the implementation and security testing of the application. They are all responsible for application security at some level. To succeed in implementing the practices of DevSecOps, developers need to code with security in mind, and testing needs to include application security testing rather than just general issues with the application’s source code.
Tools for source code analysis and automated test scripts that check for security issues within the application can assist an organization in making application security a priority at all phases of the software development life cycle. This will lead to an application being inherently secure from the outset of the project, which will lead to fewer security issues popping up at the conclusion of the development cycle that could potentially delay a production release.
But implementing a DevSecOps tool is not the end-all and be-all of DevSecOps.
This transition also means that the development team culture must shift to build security practices into day-to-day thinking. It's not enough to wait for the security team to flag a vulnerability in the code. All developers have a role to play in coding with security best practices in mind.
How can log analysis help a DevSecOps organization?
Logging and log analysis are essential factors in achieving and maintaining application security. They are also essential for the success of a DevSecOps organization as a whole. One of the main concepts in agile development is the idea of continuously evaluating the application. Examples include continuously testing the application to catch errors at the earliest possible moment in the development cycle, or continuously integrating code into a common codebase to allow for the detection of code integration issues at the earliest point possible.
Logging can provide telemetry of the internal workings of an application itself, but can also contain historical data points on the development lifecycle, such as when code was updated, pushed into production, or modified. It's common as well to correlate application logs against vulnerability-finding logs and access logs.
While developing, the software engineers should be sure to write code that will log information regarding any relevant security events such as authorization failures (and even successes), input validation issues, etc. In doing so, the developers will help build the foundation for a secure application and easier auditing of any security vulnerability. As they integrate their code into a common codebase to be deployed to test environments that mimic the specifications of the production environment, log files will be written that will be useful to security professionals for any investigation or reporting of security issues within the application.
These log files can then identify any lapses in application security that may occur throughout the development process or even post-deployment to production. This is where log analysis software can show significant value. While it is not possible for humans to manually read each massive log file that is produced while the application is being tested or utilized in production, log analysis software can assist in highlighting the vulnerabilities for your security team to investigate further.
Log analysis and its value to DevSecOps best practices
One of the most important aspects of the DevSecOps model is to begin implementing security measures as early as possible in the development cycle. This is essentially a continuation of the “shift-left” approach that's common in modern development philosophy.
Implementing security thinking in development processes requires both developer buy-in and involvement. By educating your developers in secure development practices and training them to develop securely and log valuable security data for analysis wherever it is applicable, you will find your applications to be more secure when you get to the later phases of the development cycle.
This will then carry over into the post-deployment phase of the life cycle where valuable log data will allow your organization to continuously monitor the application for security vulnerabilities that may have made it into production. As time goes on and multiple releases of your organization’s application(s) occur, the DevSecOps team will become more efficient and more innately habitual about employing secure development practices to weed out any security flaw before it turns up in production. In this way, you will improve application security with each subsequent release.
Like anything in life, application security processes change and evolve over time. While long development cycles and fewer releases per year were once standard, this approach is no longer effective in today’s fast-paced development culture. This is particularly notable as it relates to modern cloud security. Isolated security teams detached from the application developers or system owners cannot effectively understand or triage security interests in today's complex environments.
As a result, DevSecOps is the future of application security. Through the use of automation, developer buy-in and effective log analysis an organization can build and maintain secure applications without slowing down software delivery.
Learn how Ascential used Sumo Logic to develop their DevSecOps journey.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.