Security Strategies for DevOps, APIs, Containers and Microservices
More and more IT professionals see DevSecOps, a practice which integrates security measures earlier in the development process to improve production code quality, as a mainstay for future application development.
Much of this stems from the growing trend towards speeding up application development through adopting architectures using DevOps, containers and microservices, as well as supporting automation toolchains and frameworks. This trend presents an opportunity for cybercriminals, who are increasingly turning their attention to security gaps and vulnerabilities in these types of environments. Given the speed and volume of development today and the greater complexity of the environment, it’s never been more important to make DevSecOps a priority.
Whether your role is CISO, developer, security architect, operations engineer, or a different member of the DevOps team, it is important to understand how to take a proactive and preventative approach for application security in these new environments. In particular, this means focusing on:
- Securing environments using APIs
- Implementing continuous security
- Adopting evolving security practices
- Securing sensitive data
- Maintaining current best practices for application vulnerabilities
Read on to learn more about these five security strategies.
#1: Learn How to Deploy Your Application Security to Environments Using APIs
Web application firewall (WAF) solutions become even more critical for modern application environments, as they add specialized security capabilities that complement components like API gateways, which only inherently perform basic functions of this filtering. To ensure API security, a WAF solution is needed for inspecting the incoming and outgoing HTTP/HTTPS as with any other web application and provide capabilities such as profiling, blocking attacks, bot and DDoS protection, preventing account takeover and more. Read more about what Imperva can do for API security here.
Your WAF should also help secure applications and data in the new application environment, with automatic deployment anytime new services or containers are provisioned.
#2: Implement Continuous Security
A challenge for security teams is to develop secure software while establishing proper security practices that don’t create bottlenecks in the development process and potentially impact time to market. This requires solutions designed to integrate easily and seamlessly into a DevSecOps workflow.
Continuous, Automated Security
DevOps commonly uses a practice known as Continuous Implementation-Continuous Deployment (CI-CD) (Figure 1), which tightly couples the development and launch processes to push out features and applications. From a security perspective, this means that the operational aspects of managing your WAF solution should be automated and templatized, such that your security can be easily scaled out. So, regardless of whether you spin up a new server, deploy a new application, or move an existing service from one server to another, the security policies and provisioning layer linked to that service are automatically deployed.
Programmability of your security solution helps it scale automatically and support rapid deployment of security resources as new applications and microservices are deployed. Leveraging cloud-specific templates such as AWS Cloud Formation or Microsoft Azure Resource Manager (ARM) when integrating your security solution can be one way to achieve this type of auto-scaling in your cloud environment.
Figure 1: The process of Continuous Integration-Continuous Development (CI-CD) is an interlocked workflow commonly used in DevOps to build and deploy applications
#3: Insist on Security Solutions That Continue to Evolve
It will be difficult to implement the previous strategies and continue to evolve your security stance unless the security solutions you use are also evolving to keep pace with new application environments and tools.
For instance, modern application approaches and infrastructure—including DevOps, APIs, microservices, public cloud, containers and more—require security solutions that are designed to deliver:
- High availability: All of your solutions should ensure stable business continuity by allowing your organization to protect sensitive web applications without introducing excessive IT overhead or blocking legitimate web traffic.
- Integration: Choose security solutions that support appropriate, automated toolchains and other orchestration techniques used in DevOps, so that as new applications, instances and containers are deployed, security functions are implemented automatically, whenever and wherever they are needed. This typically requires exposure of capabilities via APIs that support DevOps workflows, cloud deployment, and orchestration.
- Feature/function parity: Your solution should be agnostic to whether applications are deployed across public and private cloud, containers or on-premises. This allows you to transition traditional development to agile DevOps without compromising security.
- Centralized management: Manage on-premises and cloud gateways from a single management console to consolidate and simplify security for hybrid cloud deployments.
#4: Secure Your Data
While most of the focus in DevSecOps is on the application and infrastructure, don’t lose sight of the data. Data security becomes even more critical as the applications and infrastructure become more distributed, with complex interdependencies that potentially span services, APIs, containers and clouds.
One way to protect your data in this increasingly complex application ecosystem is with a data-centric audit and protection (DCAP) solution. A DCAP solution helps you protect data in databases, file stores, and big data repositories with real-time monitoring, auditing, and security and rights management.
With a DCAP solution, you can:
- Analyze all database activity in real time. You can monitor all users who access the database, whether through a browser, a mobile app or a desktop application.
- Take action to avoid compromise and data loss, such as blocking access to sensitive data based on security policies.
#5: Keep Doing What You’re Doing
While application development and architecture practices are changing, the same web security vulnerabilities continue to threaten DevOps environments and hence gold-standard security best practices are still relevant. Your attack surface may be larger if you’re exposing APIs, as code is likely deployed far more frequently—including third-party software and services you may have in your stack, which increases your risk and pace of vulnerabilities being introduced.
For all of these reasons, your organization should continue to focus on:
- Reducing your attack surface by hardening your infrastructure and services
- Ensuring confidentiality by encrypting communications and data at rest
- Enforcing granular access control
- Filtering malware and blocking known bad traffic
- Monitoring and detecting anomalous behavior to prevent all types of attacks, including: distributed denial of service (DDoS), abuse of functionality, access violation, exploit and more
- Auditing access and events with logging and analysis
Integrate Security into Your Workflow
Today’s applications, services and APIs are attractive targets for cybercriminals looking to gain access into your environment. Managing and securing new application ecosystems requires applying the same security best practices as in the past, but also using solutions built to handle today’s environment.
To learn more about how Imperva solutions can integrate into your DevSecOps workflow, download our ebook: “Five Security Strategies for DevOps, APIs, and Microservices“.