With the maturation of DevOps, the growing concern around the security and compliance of more agile application development systems has made 2018 the year for DevSecOps. According to a study by Gartner, over 80% of development teams will have embedded DevSecOps by 2021. When evaluating how a WAF solution can fit in to a DevSecOps model, it’s important to understand the background of security challenges that make DevSecOps a necessity.
Security Challenges of a DevOps Environment
DevOps is rapidly changing the components involved with application development—whether we look at configuration management tools like Puppet and Chef to deploy and provision test and production environments, or the quick spin-up and spin-down of applications through containers and microservices. These tools offer many ways to achieve development agility to speed up the delivery of products and services. However, this level of programmability also poses several security challenges.
The first challenge is the question of how production code is being checked and controlled for security threats like open user access and open source code vulnerabilities. With a highly agile production process, security architects want to know, “what kind of controls are we putting in place? What quality gates do we have?” The issue of compliance becomes particularly murky when we talk about architectures that leverage microservices. While disaggregating code development at the functional level makes for faster feature churn, it introduces new complexity when points of control and user access are distributed among multiple API endpoints, and hence widens the scope of application vulnerability.
The second is that with a high level of programmability, security teams need to keep up with the speed at which production code is deployed. A customer quote at AWS re:Invent 2017 summed this up: “If your applications teams are DevOps and you’re not practicing DevSecOps, your security practices are a bottleneck.” If there are a lot of processes to approve policies and practices, if your WAF’s capabilities cannot be scaled out and consumed through APIs, this can become a hindrance to achieving development agility.
When looking at DevOps environments, there are three areas to evaluate when choosing a WAF that fits in a DevSecOps model:
- Development—How do I install and integrate security faster?
- Operations—How do I centralize points of control?
- Management—How do I push policies and configurations programmatically?
In short, DevOps-ready WAF solutions offers simplicity in user experience at every step of the security process—starting from setup to consumption to maintenance.
DevSecOps with Imperva WAF
With our version 13.0 release for SecureSphere WAF, achieving operational simplicity has never been easier. We’ve tackled these DevOps challenges by offering a WAF solution that allows you to:
- Automate first-time setup and deployment of WAF settings
- Consume advanced security services programmatically through expanded API support
- Leverage checkbox solutions for SSL configuration and compliance
- Manage software patch upgrades and version rollback from a single location
Additionally, our cloud-based Incapsula WAF offers full API support for all features and can be readily leveraged in DevOps environments to front-load balancing and DDoS protection. With a full-fledged application security solution that can be readily programmed through APIs, Imperva WAF can allow you to securely transition to a DevOps environment while maintaining operational agility. Learn more about our SecureSphere and Incapsula WAF solutions today.