Automated DevOps Security for Hybrid Environments

Bridging the gap between DevOps and SecOps - The Cavirin DevOps Security workflow brings risk, security, and compliance checks into code development, staging, and deployment.

the struggle

  • Software development teams want to write and ship code quickly, while security teams, trying to prevent breaches, are seen as slowing the process down.
  • Infrastructure planning inefficiencies lead to over-provisioning, which runs counter to the demands of agility and cost optimization.
  • Security reviews occur late in the development process because the groups operate in silos, creating friction, rework, and room for error.

DevOps Security Requirements

  • Application developers must follow secure coding practices and have a visible, automated way of assuring it: static analysis of the source identifies code-level vulnerabilities early in the development process. InfoSec professionals, in turn, need to give developers easy access to “security hardened”, “fully patched” platforms with mandatory security baselines on which to build the applications.
  • Developers must accept that application security concerns are “left-shifted”: security is a non-negotiable acceptance criterion before an application is promoted through the stages of the SDLC pipeline (Design, Development, QA, Staging, and Production).
  • The challenge is to make this security process workable without hindering the speed of application development that developers expect, particularly now that infrastructure automation and DevOps platforms are at their disposal.
Automating the DevOps Security Process (DevSecOps)

the solution = DevSecOps

  • Developers provision and manage data center resources through software, effectively an extension of coding: the infrastructure definition lives under version control and can be reviewed and checked against security requirements like any other code.
  • IT administrators gain better visibility into how software is engineered and deployed (e.g. Docker-based DevOps or DevOps on AWS), which in turn gives them more flexibility.
  • Security is integrated into this DevOps lifecycle through programmable security controls that automate the definition, assessment, and enforcement of security before and after applications go live, and throughout their operational lifecycle. That is DevSecOps.

Steps to DevSecOps

  • Introduce agility and speed by investing in a hardened tool chain covering the develop-test-deploy-monitor lifecycle of applications and resources.
  • Question everything by creating visibility at every stage of the Continuous Integration/Continuous Delivery (CI/CD) DevOps pipeline.
  • Bring security in as a fundamental, non-negotiable acceptance criterion early in the development process; in other words, “left shift” security.
  • Suspect everything: code, configurations, artifacts, and infrastructure. Establish security assessment as a requirement for progress through the pipeline.
  • Promote often, and promote confidently, through Design, Development, QA, Staging, and Production.
  • And finally: automate, automate, automate.
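The programmable security controls described under the solution and the steps just listed come down to one mechanism: express the hardening baseline as code and run it as a gate that decides whether an artifact may be promoted to the next stage. The script below is an added example written for this page to show that mechanism; it is not Cavirin's product code. The rules, the approved-image allow-list, the "vault:" secret-reference convention, the per-stage thresholds, and both manifests are constructed for illustration.

```python
"""Security-as-code gate for a CI/CD pipeline (added example, not Cavirin code).

An infrastructure-as-code manifest (here a plain dict standing in for a
Dockerfile plus deployment spec) is assessed against a hardening baseline.
Promotion to a stage is blocked when any finding is more severe than that
stage tolerates, so the same versioned policy enforces "left-shifted"
security before the artifact ever reaches staging or production.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Highest severity a target stage still tolerates (0 = no findings at all).
# Constructed thresholds: development/QA surface medium findings as warnings,
# staging and production refuse anything non-trivial.
STAGE_TOLERANCE = {"development": 2, "qa": 2, "staging": 1, "production": 0}

# Constructed allow-list of "security hardened, fully patched" base images.
APPROVED_BASE_IMAGES = {"hardened/ubuntu:22.04", "hardened/alpine:3.18"}
SECRET_KEY_PATTERN = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


# Each rule inspects the manifest and returns a Finding or None.
def check_base_image(m):
    image = m.get("base_image")
    if image not in APPROVED_BASE_IMAGES:
        return Finding("base-image", "high", f"{image} is not an approved hardened image")


def check_privileged(m):
    if m.get("privileged"):
        return Finding("privileged", "high", "container requests privileged mode")


def check_run_as_user(m):
    if m.get("run_as_user", "root") == "root":
        return Finding("run-as-root", "medium", "process runs as root")


def check_ssh_port(m):
    if 22 in m.get("exposed_ports", []):
        return Finding("ssh-exposed", "medium", "port 22 exposed on an application container")


def check_plaintext_secrets(m):
    # Secret-looking keys must reference a secret store (assumed "vault:" prefix),
    # never carry the literal value in the manifest.
    literal = [k for k, v in m.get("env", {}).items()
               if SECRET_KEY_PATTERN.search(k) and not str(v).startswith("vault:")]
    if literal:
        return Finding("plaintext-secret", "high",
                       "literal secrets in env: " + ", ".join(sorted(literal)))


RULES = [check_base_image, check_privileged, check_run_as_user,
         check_ssh_port, check_plaintext_secrets]


def assess(manifest):
    """Run every baseline rule against the manifest; return the list of findings."""
    return [f for f in (rule(manifest) for rule in RULES) if f is not None]


def gate(manifest, stage):
    """Return (promote, findings) for promoting `manifest` into `stage`."""
    findings = assess(manifest)
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    return worst <= STAGE_TOLERANCE[stage], findings


# Constructed manifest as a developer might first submit it ...
DRAFT = {
    "name": "payments-api",
    "base_image": "ubuntu:18.04",
    "privileged": True,
    "run_as_user": "root",
    "exposed_ports": [22, 443],
    "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
}

# ... and the same service after remediation against the baseline.
HARDENED = {
    "name": "payments-api",
    "base_image": "hardened/ubuntu:22.04",
    "privileged": False,
    "run_as_user": "svc-payments",
    "exposed_ports": [443],
    "env": {"DB_PASSWORD": "vault:kv/payments/db", "LOG_LEVEL": "info"},
}

if __name__ == "__main__":
    for name, manifest in (("draft", DRAFT), ("hardened", HARDENED)):
        for stage in STAGE_TOLERANCE:
            ok, findings = gate(manifest, stage)
            print(f"{name:9} -> {stage:12} {'PROMOTE' if ok else 'BLOCK'}")
            for f in findings:
                print(f"    [{f.severity}] {f.rule}: {f.detail}")
```

In a real pipeline this runs as a job at each promotion step, with the rule set and thresholds versioned next to the infrastructure code so that a change to the baseline is itself reviewed. Findings below a stage's threshold are still reported rather than hidden, which is what gives developers the early, visible feedback the requirements above ask for; the draft manifest is blocked everywhere, while a manifest whose only finding is a medium one (for example, still running as root) passes development and QA but is stopped at staging.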

DevSecOps - When "Infrastructure as Code" Meets "Security as Code"

"It should be apparent that 'infrastructure as code' and 'security as code' are powerful if adopted together. There is a natural confluence of these two, which calls for a harmonious engagement between the various roles and systems at play."

Ravi Rajamiyer, VP Engineering, Cavirin 

Take a DevOps-first Approach to Security that Leverages Containers

"Implementing a DevOps-first approach to their workloads can drive additional competitiveness and create a more secure environment. With the tools and automation available, the midmarket should be among the most eager to evolve based on more limited budgets and expertise."

Pravin Goyal, Director of Information Security and Compliance Engineering, Cavirin 

Developed specifically for enterprise Cloud and Container environments

AWS
Google Cloud Platform
Microsoft Azure
Docker

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.