Vulnerability Risk Management as DevOps Practice

Silos exist at all levels and in all types of organizations. Different teams naturally have different priorities, methodologies, and so on, yet more collaboration generally improves the efficiency and effectiveness of the company as a whole. This is especially visible within IT, between the development and operations teams. Despite the silos, if there is one thing both teams can agree on, it is faster deployment cycles and better security. Baking a collaborative approach into the entire development cycle is the obvious answer and a happy middle ground for everyone involved. In short, DevOps, with security built in, just might be the answer.

What is DevOps? A portmanteau of “development” and “operations,” DevOps is an approach to accelerating software application release and increasing release frequency — by requiring collaboration and integration between software developers and IT operations.

What are the benefits of adopting DevOps practices?

  • Development = You see your fixes, and especially your new features, in production much faster (and more stable!)
  • QA / Testing = Testing happens on a more consistent and automated basis, so you know whether the work is sound before it goes into production
  • Operations = Operations works closely with the Development and QA teams and keeps the production environment stable, which is always good from an operations standpoint =)
  • DevOps adoption is growing because of the increased efficiency and stability in production that the practice affords.

Throw it over the wall

Development and Operations teams have several differences, which could explain the “throw it over the wall” or “it’s your problem now” mentality. Here are the key differences:

  • Change vs. Stability = Different priorities
    • Development = Change (New releases all the time!)
    • Operations = Stability (New releases can make a mess of things…)
  • Different tools = They can have tools in common, but the differences are enough to introduce pain points between the teams, especially during releases/deployment
  • Release/Deployment
    • Developer: “It worked on my machine”
    • Admin: “But it’s broken in production”
  • Work duplication = Inefficiencies
  • Not security-centric = No one is talking about security, which is why organizations have such a hard time preventing, finding, and fixing vulnerabilities

Common Tools

Shifting the culture in any organization is challenging, but one way to start is with a common set of tools that increases efficiency. Despite the differences, we all want the same result at the end of the day: a well-functioning production system for our customers and users.

  • Automation tools
    • Configuration management: Ansible, Puppet, Chef
    • Orchestration: Jenkins, MS SCCM
    • Integration:
      • Ticketing
      • Workflow management
  • Embed vulnerability management

Embedding Vulnerability Management

DevOps also involves a shift in mindset when it comes to cybersecurity. IT security has traditionally been isolated, but many practitioners and experts in the field have seen the enormous benefits of integrating security processes into the entire development life cycle. The collaborative model is one widely used approach:

  • Collaborative Model
    • Automation
    • Remove duplicates/redundancy
    • Remove false positives to increase trust
    • Re-prioritize vulnerabilities based on risk
    • MS SCCM, Chef, Ansible, Puppet, SaltStack
  • Continuous Integration (CI) and Continuous Delivery (CD)
    • RESTful API integration

NopSec’s cloud-based vulnerability risk management SaaS platform, Unified VRM, is one such platform that can help DevOps teams make security a part of their process. The platform facilitates workflow orchestration, and with its E3 Engine it removes noise from your vulnerability data (duplicates, false positives, useless data, etc.), then prioritizes what remains for a holistic view of your risk.

Example Use Cases

Here is a representative use case for DevOps adoption:

Background:

  • Company would like to compare the results of vulnerability management (VM) scans with patch application
  • Deploy patches or reconfiguration to fix identified vulnerabilities across a wide range of hosts
  • Security department collaborating with different sysops and devops to fix identified vulnerabilities
  • Company conducts its security testing as part of its regression testing


Approach:

  • Compare the results of the vulnerability scan with MS SCCM patch-application records to determine which hosts need a reboot or a re-applied patch.
  • Use the automation capabilities of Ansible and Puppet to deploy patches and configuration changes across a wide IP range.
  • Connect with external ticketing systems; chat and collaborate across departments; assign tickets and tasks across departments to enforce accountability.
  • The CI integration tool (Jenkins) calls the vulnerability management tool via a RESTful API to launch the scan and report on its results.
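Most of the approach above, and of the collaborative model listed earlier (remove duplicates, remove false positives, re-prioritize by risk, let the CI loop act on the result), is data reconciliation, so here is an added Python example of that logic. It is not NopSec’s or Unified VRM’s code: the scan findings, the patch-to-CVE mapping, the SCCM-style status strings, the false-positive list, and the host criticality weights are all constructed placeholders (the CVE-0000-* identifiers are not real CVEs), and the vendor-specific REST call that Jenkins would make to launch the scan is out of scope; the functions take already-parsed results.

```python
"""Reconcile vulnerability-scan findings with patch-deployment records,
de-duplicate them, drop known false positives, rank by risk, and gate a CI build.

Added example for this post, not NopSec / Unified VRM code. Every host name,
identifier, patch name, status string and weight below is a constructed placeholder.
"""

# Constructed: raw findings from two scanners. CVE-0000-* are placeholders, not real CVEs.
# web01 / CVE-0000-0001 is reported by both scanners, i.e. a duplicate.
SCAN_FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8, "scanner": "scannerA"},
    {"host": "web01", "cve": "CVE-0000-0001", "cvss": 9.8, "scanner": "scannerB"},
    {"host": "web01", "cve": "CVE-0000-0002", "cvss": 5.3, "scanner": "scannerA"},
    {"host": "db01",  "cve": "CVE-0000-0001", "cvss": 9.8, "scanner": "scannerA"},
    {"host": "db01",  "cve": "CVE-0000-0003", "cvss": 7.5, "scanner": "scannerA"},
    {"host": "app01", "cve": "CVE-0000-0002", "cvss": 5.3, "scanner": "scannerB"},
]

# Constructed: which patch remediates which CVE.
PATCH_FOR_CVE = {"CVE-0000-0001": "KB-A", "CVE-0000-0002": "KB-B", "CVE-0000-0003": "KB-C"}

# Constructed: per-host patch state, as an SCCM / configuration-management export might
# report it. A (host, patch) pair missing from this map has had no deployment at all.
PATCH_STATUS = {
    ("web01", "KB-A"): "installed_pending_reboot",
    ("db01",  "KB-A"): "installed",
    ("app01", "KB-B"): "failed",
}

# Constructed: findings a human has verified as false positives (e.g. a backported fix).
FALSE_POSITIVES = {("web01", "CVE-0000-0002")}

# Constructed: business-criticality weight per host, so risk is not CVSS alone.
HOST_CRITICALITY = {"web01": 1.0, "db01": 2.0, "app01": 0.5}

# Patch state -> remediation action to put on the ticket.
ACTION_FOR_STATUS = {
    None: "deploy_patch",             # no deployment record at all
    "not_installed": "deploy_patch",
    "failed": "reapply_patch",
    "installed_pending_reboot": "reboot",
    "installed": "investigate",       # patch reported applied, scanner still sees the vuln
}


def dedupe(findings):
    """Collapse findings for the same (host, cve): keep the highest CVSS and
    remember every scanner that reported it."""
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])
        if key not in merged:
            merged[key] = {**f, "scanners": {f["scanner"]}}
        else:
            merged[key]["scanners"].add(f["scanner"])
            merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])
    return list(merged.values())


def drop_false_positives(findings, false_positives=FALSE_POSITIVES):
    """Remove findings that have been manually verified as not exploitable."""
    return [f for f in findings if (f["host"], f["cve"]) not in false_positives]


def reconcile(finding, patch_status=PATCH_STATUS):
    """Compare one scan finding with the patch-deployment record and decide the next action."""
    patch = PATCH_FOR_CVE.get(finding["cve"])
    if patch is None:
        status, action = None, "investigate"          # no known remediating patch
    else:
        status = patch_status.get((finding["host"], patch))
        action = ACTION_FOR_STATUS.get(status, "investigate")
    return {**finding, "patch": patch, "patch_status": status, "action": action}


def risk_score(finding, criticality=HOST_CRITICALITY):
    """CVSS weighted by how much the host matters to the business."""
    return finding["cvss"] * criticality.get(finding["host"], 1.0)


def prioritize(findings):
    """Full pipeline: dedupe -> drop false positives -> reconcile -> rank by risk, highest first."""
    work = [reconcile(f) for f in drop_false_positives(dedupe(findings))]
    for f in work:
        f["risk"] = risk_score(f)
    return sorted(work, key=lambda f: f["risk"], reverse=True)


def ci_gate(prioritized, max_risk=9.0):
    """CI-loop check: the build fails if any open finding's risk reaches the threshold.
    Returns (passed, blocking_findings)."""
    blockers = [f for f in prioritized if f["risk"] >= max_risk]
    return len(blockers) == 0, blockers


if __name__ == "__main__":
    ranked = prioritize(SCAN_FINDINGS)
    for f in ranked:
        print(f"{f['host']:6} {f['cve']} risk={f['risk']:<5} {f['action']:13} "
              f"patch={f['patch']} status={f['patch_status']} seen_by={sorted(f['scanners'])}")
    passed, blockers = ci_gate(ranked)
    print("CI gate:", "PASS" if passed else f"FAIL ({len(blockers)} blocking finding(s))")
```

Run it directly to print the ranked worklist and the gate verdict; in a Jenkins stage, the result of `ci_gate` is what would fail the build. The `investigate` action is the interesting one: the patch record says installed but the scanner still sees the vulnerability, which usually means a missing reboot, a superseded patch, or a scanner signature that needs tuning, and it is exactly the disagreement the comparison in the first step is meant to surface.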

Conclusion

  • DevOps offers many benefits in development, QA, and operations
  • Collaboration between Development and Operation teams is possible
  • Being security-centric is very important for both teams:
    • Improved Security
    • Defense in Depth
    • Simplified Management
    • Separation of Duties
    • Regulatory and Audit Compliance
    • Automation and collaboration

To learn how NopSec can help secure your organization’s networks (internal, external, cloud, wireless), configurations, and applications, contact us at 646-592-7900 or fill out this form.