Software development within the federal government often begins with an alignment to the Authorizations to Operate (ATO) and related, required security processes. Sometimes, these are an impediment to DevSecOps. So how can teams implement sound DevSecOps into an environment with strict controls and processes?
Hasan Yasar works in Secure Lifecycle Solutions at the Software Engineering Institute at Carnegie Mellon University (@securelifecycle), where his group is working on implementing Continuous Authorization as a more secure and DevSecOps-friendly process. He presented on this topic in Continuous Authorization With DevSecOps at the All Day DevOps conference.
Hasan began by making the case for DevOps, covering four fundamental principles:
- Infrastructure as Code (IaC)
Implementing these well is the goal of DevOps. Continuous Authorization is another evolution in the process. Continuous Authorization “changes the perspective of authentication from an event to a process”, says Frank Dickson, a research director at IDC, a global market intelligence firm. Dynamic authentication examines attributes that change and continually looks to validate the authentication.
Continuous Authorization makes systems more secure because it:
- reduces errors during development;
- provides continuous feedback and monitoring;
- is always available;
- is repeatable;
- reduces time to deploy and resolve errors;
- is responsive to business needs.
Continuous Authorization eliminates the error-prone human checking through the pages-long Excel spreadsheet of security requirements. It also continuously monitors the system to ensure compliance with the requirements.
Applying Continuous Authorization to DevOps
Applying Continuous Authorization begins with seeing the application lifecycle through the DevOps mindset. This includes security automation with IaC, Continuous Integration, and Continuous Deployment. Hasan illustrated how Continuous Authorization integrates at each step in a DevOps Factory.
The DevOps Factory runs from feature request to deployment. It is iterative and incremental development, includes automation in every phase, provides continuous feedback, metrics, and measurement, is transparent and traceable, and engages with all stakeholders.
Hasan walked through how Continuous Authorization plays out in each phase of DevOps.
For instance, at the beginning, the feature request, it provides organizational awareness and knowledge, insight into common attack vectors, vulnerability management, and a security development plan. At architecture and design stages, it verifies and validates security design and data privacy. At testing it validates security features, and at delivery it provides pre-approval, checks dependencies, validates incident responses, verifies the environment, and audits data access, rights, and content. It is baked into each step. Hasan points out that it provides security from inception to deployment and improves with every delivery.
The federal government developed a standard for this process: the Risk Management Framework (RMF), defined in NIST SP 800-37. Hasan states that the RMF “provides a disciplined and structured process that integrates information security and risk management activities into the system development lifecycle.”
It is a continuous process - a key requirement for DevOps - that has six steps:
- Categorize the information processed, stored, and transmitted
- Select an initial set of baseline security controls
- Implement the security controls
- Assess the security controls to ensure they are implemented correctly
- Authorize the operation
- Monitor the security controls on an ongoing basis
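As an added illustration of the shift from a one-time check to a continuously re-evaluated process (example code written for this summary, not from Hasan's presentation or the SEI), the following Python expresses a control baseline as executable checks, assesses a deployment's current attributes against it, and re-assesses every observed state so an authorization lapses as soon as an attribute drifts. The control IDs and system attributes are constructed placeholders, not NIST control identifiers.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A control is a named requirement plus a machine-checkable predicate over the
# system's current attributes (constructed IDs, not NIST control numbers).
@dataclass
class Control:
    control_id: str
    description: str
    check: Callable[[Dict[str, object]], bool]

@dataclass
class Assessment:
    authorized: bool
    failed: List[str] = field(default_factory=list)

# Constructed baseline: the rows that would otherwise live in a spreadsheet,
# written as checks that fail closed when an attribute is missing.
BASELINE: List[Control] = [
    Control("CTL-ENC-1", "data in transit is encrypted", lambda s: s.get("tls_enabled") is True),
    Control("CTL-LOG-1", "audit logging is enabled", lambda s: s.get("audit_logging") is True),
    Control("CTL-DEP-1", "no dependencies with known vulnerabilities", lambda s: s.get("vulnerable_deps", 1) == 0),
    Control("CTL-ACC-1", "data store is not publicly readable", lambda s: s.get("datastore_acl") != "public"),
]

def assess(state: Dict[str, object], controls: List[Control] = BASELINE) -> Assessment:
    """RMF steps 4 and 5: assess every control; authorize only when all of them pass."""
    failed = [c.control_id for c in controls if not c.check(state)]
    return Assessment(authorized=not failed, failed=failed)

def monitor(snapshots: List[Dict[str, object]], controls: List[Control] = BASELINE) -> List[Assessment]:
    """RMF step 6: re-assess each observed state, so the authorization decision tracks
    drift instead of standing until the next manual review."""
    return [assess(s, controls) for s in snapshots]

if __name__ == "__main__":
    # Constructed observations of one deployment over time.
    history = [
        {"tls_enabled": True, "audit_logging": True, "vulnerable_deps": 0, "datastore_acl": "private"},
        {"tls_enabled": True, "audit_logging": False, "vulnerable_deps": 0, "datastore_acl": "private"},
        {"tls_enabled": True, "audit_logging": True, "vulnerable_deps": 2, "datastore_acl": "public"},
    ]
    for i, a in enumerate(monitor(history)):
        status = "AUTHORIZED" if a.authorized else "NOT AUTHORIZED"
        print(f"snapshot {i}: {status} {a.failed}")
```

The same checks can run in the pipeline at delivery time and again on a schedule against the running environment, which is what turns the assessment into an ongoing process.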
Adhering to the RMF by using Continuous Authorization is covered in more detail in Hasan’s full presentation, below.
Register for the next All Day DevOps, November 6, 2019. It will be a day to discuss security, CI/CD, cloud native infrastructure, cultural transformation, site reliability engineering, and other interesting topics.