There has been an alarming increase in the number of high-profile cyber attacks in the past few years. And when we look at who to point our fingers at, cloud service providers end up being the perfect scapegoat. But if you pay attention to common vulnerabilities, you can see that most of them shine a light on client application issues rather than the cloud provider itself.
Microservices today focus on APIs, and exposing those APIs gives cybercriminals a larger attack surface. Add to this the pace at which code changes these days, and you have applications that are constantly developing and getting more complex. This means new attack surfaces are arising and the only way to combat them is to have new approaches to security.
In this article, we will try to understand why security and DevOps can’t function as separate entities and how GitLab is prioritizing DevSecOps with its recently launched features.
The gap between DevOps and security
Traditional security tools were built for a waterfall process and integrated at the end of the software development life cycle (SDLC), which creates silos and friction. Additionally, this approach lets you discover vulnerabilities only at the end of the SDLC, which leads to an accumulation of vulnerabilities.
You end up with DevOps plus security. This means that there is a gap between development and security testing and no matter how seamlessly the security tools are integrated in the end, the existence of the gap becomes undeniable. Security needs to be an integrated part of the development DNA and the gap needs to be eliminated.
A brief look at DevSecOps
Developers want to efficiently build great products at great speed and security teams want to deal with and manage vulnerabilities effectively. This creates a divide in their motives and further creates friction between the two teams.
DevSecOps is an approach that bakes in security as a shared responsibility throughout the SDLC in an automated manner. When security is integrated into each phase of the CI/CD pipeline, code is reviewed, scanned, and tested for security vulnerabilities constantly. So each vulnerability is addressed as and when it is identified.
DevSecOps brings security testing as close to the developer as possible. This allows them to deliver secure code rapidly and at a low cost. DevSecOps is a collaborative framework wherein every employee and every team – development, security, and operations – is responsible for security, thus enabling them to make efficient decisions.
GitLab and DevSecOps
Git plays a significant role in the software world today. Apart from a multitude of uses, it essentially simplifies the DevOps process and makes it frictionless. GitLab has launched a bunch of features centered around DevSecOps and securing the SDLC.
GitLab Dedicated
GitLab Dedicated is an organization’s dedicated DevSecOps platform that focuses on private networking, data residency, and more. In a world with growing fragmentation of global internet policies, GitLab Dedicated allows users to use the cloud while working in an isolated instance. It offers region-based and privately connected single-tenant SaaS.
GitLab Dedicated provides users with a private connection between its platform and the customers. It meets the customers where they are by catering to everyone from large organizations to small startups to government agencies. GitLab Dedicated helps eliminate infrastructure overheads and costs while ensuring security and compliance.
GitLab Ultimate
GitLab Ultimate seems to be a one-stop shop for all things security. Its security scanning capabilities enable one to identify vulnerabilities beforehand. When a merge request is submitted, security scans will run on it and provide data about the detected vulnerabilities and steps to remediate them.
Security Dashboard
The Security Dashboard helps you view the relevant security details of an application succinctly in a unified place. This helps you keep track of trends in vulnerabilities and provides a high-level overview of the status of all the detected vulnerabilities and how to remediate them or how they were remediated by the previous developers. Security Dashboard has the ability to integrate with any third-party scanners. Security engineers with sufficient permissions can also create and track confidential issues using the Security Dashboard.
GitLab Secure
GitLab Ultimate’s GitLab Secure feature allows security engineers to audit projects based on detected vulnerabilities outlined in the Security Dashboard. So, GitLab Secure and Security Dashboard together enable organizations to ensure that developers are practicing secure coding and track the status of threats if they are not resolved.
SLSA-2 attestation for build artifacts
Supply-chain Levels for Software Artifacts (SLSA) is a security framework that enables you to secure your software supply chain. The new attestation information helps you check the integrity of your build artifacts.
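To show what checking an artifact against its attestation involves, here is an added example (not GitLab's code and not from the original article). It assumes the attestation is an in-toto statement carrying a SLSA provenance predicate; the artifact name, contents and statement are constructed, and verifying the attestation's signature is outside its scope.

```python
import hashlib
import json

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(statement_json: str, name: str, content: bytes):
    """Check one artifact against the subjects listed in a provenance statement.

    Returns (ok, reason). Only the digest binding is checked here; the
    statement itself must come from a source you already trust.
    """
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError:
        return False, "statement is not valid JSON"
    if not isinstance(stmt, dict):
        return False, "statement is not a JSON object"
    if not str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        return False, "not a SLSA provenance statement"

    actual = sha256_hex(content)
    for subject in stmt.get("subject", []):
        if subject.get("name") != name:
            continue
        expected = str(subject.get("digest", {}).get("sha256", "")).lower()
        if expected == actual:
            return True, "digest matches attestation"
        return False, "digest mismatch"
    return False, "artifact is not a subject of this attestation"


# Constructed sample: an artifact and the statement a build would emit for it.
ARTIFACT = b"constructed sample build output\n"
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {"buildType": "constructed-example"},
})

if __name__ == "__main__":
    print(verify_artifact(STATEMENT, "app.tar.gz", ARTIFACT))
    print(verify_artifact(STATEMENT, "app.tar.gz", ARTIFACT + b"tampered"))
```

A mismatch means the file in hand is not the one the build produced; a missing subject means the attestation says nothing about that file.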
What the future of DevSecOps looks like – pointers by GitLab
1. Security will be the highlight of DevOps
Since DevOps and security are no longer two individual teams, more dev and ops teams need security knowledge. Therefore, security will become an essential part of DevOps training in organizations. Basic security knowledge and how to prioritize and address security vulnerabilities will be the focus.
2. Observability will shift left
Observability-driven development seems to be one of the keys to enhancing the DevSecOps approach. Automated code-instrumentation abilities of observability-enabling technology will increase the efficiency of DevSecOps workflows.
3. AI/ML will be integrated throughout the SDLC
Repetitive tasks are tedious, kill developer productivity and increase developer cognitive load. Integrating AI/ML into the SDLC will eliminate all of the above and increase productivity. Developing AI-assisted workflows will help continuously improve systems by ensuring rapid development, test automation, and security remediation.
Conclusion
Security is significant. Organizations understand this but they go about it the wrong way. DevOps and security cannot be removed from each other. Security needs to be less of an afterthought and more of a behavior. And DevSecOps facilitates this exact requirement. With new DevSecOps features, GitLab focuses on prioritizing security and integrity throughout the SDLC. It’s going to be interesting to see how security engineers make use of these features. With predictions aplenty, DevSecOps seems to hold a promising future for cloud-native infrastructure security.