Uncover hidden risks

Watch how the Wiz platform can expose unseen risks in your cloud environment without drowning your team in alerts.

DevOps Security Best Practices

20 essential security best practices every DevOps team should start with

7 min read

DevOps Security: A refresher

DevOps security is an approach that integrates security practices within the DevOps process from inception through development, deployment, and operations. It breaks down traditional silos between development, operations, and security teams, promoting a culture of security across all phases of the software development lifecycle (SDLC).

In its early stages, DevOps focused primarily on integrating development and operations teams to improve the software development process. Over time, the scope of DevOps expanded to include security (especially when it comes to cloud platforms like AWS, Azure, and Google Cloud), giving rise to the term "DevSecOps." This integration marks a significant paradigm shift, emphasizing a comprehensive approach where security measures, championed by dedicated security teams, become an integral part of the DevOps process rather than an afterthought right before deployment.

AWS DevOps security best practices, Azure DevOps security best practices, and Google Cloud DevOps security best practices all emphasize the importance of proactive security measures.

These practices are vital not just for the security teams but for the DevOps team as a whole, ensuring a seamless integration of security into the DevOps pipeline. But proactively addressing security is just the first step. Let’s take a closer look at two equally important DevSecOps concepts:

Shifting left

In security, ”shifting left” refers to incorporating security measures early in the DevOps pipeline, ideally during the development phase. This approach emphasizes fast detection and resolution of vulnerabilities, which can significantly reduce the risks associated with security breaches in the later stages. Simply put, by shifting left, teams can promptly identify and address security issues, fostering a culture where security is everyone’s responsibility from the inception of a project.

Democratizing security

Democratizing security refers to the collaborative approach discussed above where every team member—not just the security experts—is responsible for maintaining security standards. This collaborative approach breaks down traditional silos and cultivates a culture of collective vigilance, essential for protecting DevOps environments across all stages, including the production environment.

Best practices and recommendations

With the agility and speed that DevOps brings, security remains a paramount concern. The following sections delve into specific areas of DevOps security and their associated best practices.

Below we cover DevOps security best practices in areas like:

Cloud security

Cloud environments, while offering scalability and flexibility, have unique security challenges. These include data breaches, misconfigurations, and inadequate access controls. It's essential to understand the shared responsibility model when working with cloud providers and ensure that both parties are clear about their respective security responsibilities.

Actionable items

  • Implement cloud security posture management (CSPM) tools: Platforms such as Microsoft Defender for Cloud visibility into cloud environments and help detect misconfigurations, ensuring compliance with security policies.

Figure 1: Microsoft Defender for Cloud overview (Source: Azure Docs)
  • Adopt a zero-trust security model: Ensure every access request, regardless of origin, undergoes strict identity verification and validation, minimizing the chances of unauthorized access.

  • Regularly review and refine cloud configurations: Misconfigurations are a leading cause of data breaches in cloud environments. Regular audits can help identify and rectify these vulnerabilities promptly.

Secrets management

Secrets management is crucial for securely handling sensitive information like API keys, database credentials, and other secrets. Mismanagement or exposure of these secrets can lead to serious security incidents, compromising systems and data.

Action items

  • Adopt a centralized secrets management solution: Platforms like HashiCorp's Vault or AWS Secrets Manager allow for secure storage, access, and rotation of secrets, ensuring they're not exposed or mishandled.

Figure 2: Vault UI Dashboard (Source: HashiCorp Docs)
  • Rotate secrets regularly: By changing secrets at regular intervals, you can reduce the window of opportunity for an attacker to use a compromised secret.

  • Avoid hardcoding secrets in code: Always use environment variables or secrets management platforms to inject secrets into applications, ensuring they are not exposed in the codebase or version control systems.

Version control

Version control systems are a pivotal means of tracking changes to code over time, allowing for collaboration and rollback functionalities. They are the backbone of modern software development processes, maintaining code integrity and facilitating teamwork. Beyond these core functions, implementing version control also acts as a protective layer, minimizing the risk of inadvertently exposing sensitive data and providing strong defensive measures against potential security threats to the application.

Action items

  • Use platforms like GitHub or Bitbucket: These platforms offer robust version control systems that help teams track and manage changes efficiently.

Figure 3: Kubernetes GitHub repository
  • Regularly audit commit history for sensitive data: Periodic audits can help identify and rectify instances where sensitive data might have been inadvertently exposed.

  • Use .gitignore to exclude sensitive files: To specify the files and directories that should be excluded from version control, take advantage of .gitignore. By excluding particular files, you can prevent the accidental upload of sensitive information:

# .gitignore file
secret_config.yaml
.env

Utilize pre-commit hooks: Set up a pre-commit hook to further ensure that secrets are not inadvertently committed to your VCS repository. Navigate to the .git/hooks directory in your repository and create or edit the pre-commit file. Here's an example that checks for the presence of the word "SECRET" in your files:

#!/bin/sh
if git diff --cached | grep 'SECRET'; then
    echo "Error: Found secrets in your changes. Please remove them before committing."
    exit 1
fi

Automated testing

Leveraging scripts and tools to perform tests automatically helps identify vulnerabilities at an early development stage. Automated testing not only accelerates the feedback loop but also ensures consistent and repeatable validation of code changes, enhancing the overall quality and reliability of the software.

In the broader context of software development and delivery, automated testing serves as a cornerstone for continuous integration and continuous deployment (CI/CD) practices. By automating tests, development teams can seamlessly integrate new code into the main branch without the fear of introducing defects. This continuous testing, combined with automated build and deployment processes, paves the way for faster release cycles and ensures that the end users always have access to the latest, well-tested features. As businesses strive for agility in the rapidly evolving tech landscape, the significance of automated testing in achieving quicker time to market cannot be overstated.

Action items

  • Integrate tools like OWASP into CI/CD pipelines: OWASP, which stands for the Open Worldwide Application Security Project, offers a comprehensive set of resources and tools designed to identify and address web application security risks. By integrating OWASP into your CI/CD pipelines, you can proactively detect security vulnerabilities in the application and ensure you're in line with DevOps security monitoring best practices.

Figure 4: OWASP dashboard (Source: OWASP)
  • Regularly update and refine test cases: Outdated test cases lead to missed vulnerabilities. That’s why it’s a good idea to schedule time to review and refine your parameters.

Dependency management

In software development, dependency management is the disciplined approach to identifying, documenting, and maintaining a list of the software dependencies a project relies on. Vulnerable dependencies can compromise an entire application, making it susceptible to security breaches. Take these steps to ensure that all dependencies are up to date and secure:

Action items

  • Use tools like Dependabot: These tools automatically identify and update vulnerable dependencies.

Figure 5: Dependabot on GitHub (Source: GitHub Blog)
  • Regularly review and update dependencies: Establish a routine to review and update dependencies to the latest secure versions.

Container security

Containers are a technology that package an application and its dependencies together, facilitating consistency across various environments. The downside is they can harbor vulnerabilities, making container security an important focus of DevOps. Implementing container security practices ensures the containers are secure and resilient against potential attacks.

Action items

  • Regularly scan container images: Tools such as Clair can help identify vulnerabilities in container images:

# Example of Clair analysis report 
$ clairctl report ubuntu:focal
ubuntu:focal found bash        5.0-6ubuntu1.1         CVE-2019-18276
ubuntu:focal found libpcre3    2:8.39-12build1        CVE-2017-11164
ubuntu:focal found libpcre3    2:8.39-12build1        CVE-2019-20838
ubuntu:focal found libpcre3    2:8.39-12build1        CVE-2020-14155
ubuntu:focal found libsystemd0 245.4-4ubuntu3.2       CVE-2018-20839
ubuntu:focal found libsystemd0 245.4-4ubuntu3.2       CVE-2020-13776
ubuntu:focal found libtasn1-6  4.16.0-2               CVE-2018-1000654
...
  • Use minimal base images and remove unnecessary components: This practice reduces the attack surface by limiting the elements that can be exploited.

Infrastructure-as-code (IaC) security

Infrastructure as code (IaC) is a modern practice that allows for the automated setup, configuration, and management of servers and other infrastructure components using code templates. This code can be versioned and reviewed just like any other codebase. However, it can sometimes introduce misconfigurations, which may expose applications to threats. Follow these recommendations to integrate security checks into IaC processes and maintain a robust security posture:

Action items

  • Use tools to scan IaC templates: Checkov and Terrascan can help identify potential security issues in your IaC templates.

Figure 6: Terrascan GitHub Action integration (Source: Terrascan Docs)
  • Regularly review and refine IaC templates: IaC templates define the desired state of infrastructure components, making them blueprints for your environment's setup. By reviewing these templates periodically, you can catch and fix any misconfigurations or outdated practices.

Access control

Access control defines who can access which resources in a system, ensuring that only authorized individuals have permissions for critical resources. Implement stringent access control measures to safeguard sensitive data and prevent potential data breaches:

Action items

  • Implement role-based access control (RBAC): Role-based access control (RBAC) provides a structured method for assigning permissions based on an individual's role within an organization. By utilizing RBAC, administrators can ensure that users only access the resources and perform the tasks that align with their specific roles. This method minimizes the potential for security breaches by limiting unnecessary access.

# Example Kubernetes RBAC policy to access pods read-only in database namespace 
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: database
  name: pod-viewer
rules:
- apiGroups: [""] 
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  • Regularly review and update access permissions: As organizations grow and evolve, roles and responsibilities can shift, leading to changes in who should have access to specific resources. Periodic reviews of access permissions ensure that only the appropriate individuals retain access rights, thereby reducing potential security risks. You can prevent unauthorized access due to outdated or overly permissive settings by staying vigilant and updating permissions in line with organizational changes.

Going beyond the basics

When it comes to DevOps security, the landscape is always evolving. New challenges and solutions emerge continually, and it’s a good idea to go beyond fundamental best practices.

Want to level up even more? Schedule a Wiz demo, and see for yourself how we’ve consolidated our industry-leading DevOps security solutions into a single platform.

Security Built for Devs and DevOps

Learn why Wiz is one of the few cloud security platforms loved by both security and DevOps teams.

Get a demo

Other security best practices you might be interested in:

Continue reading

Azure Security Risks & Mitigation Steps

Wiz Experts Team

This article offers an extensive examination of Azure environments’ most pressing security risks along with suggested approaches for effectively mitigating these challenges.

Remote Code Execution Attacks Explained

Wiz Experts Team

Remote code execution refers to a security vulnerability through which malicious actors can remotely run code on your systems or servers.

Understanding Cloud Security Risks

Wiz Experts Team

A cloud security risk is any threat that might impact the confidentiality, integrity, and availability (CIA) of data and applications hosted in the cloud.

Cloud Sprawl Explained

Wiz Experts Team

Cloud sprawl is a phenomenon that involves the unmanaged growth of cloud-based resources and services.

CSPM vs DSPM: Why You Need Both

Wiz Experts Team

Discover the similarities between CSPM and DSPM, what factors set them apart, and which one is the best choice for your organization’s needs.

Container monitoring explained

Container monitoring is the process of collecting, analyzing, and reporting metrics and data related to the performance and health of containerized applications and their hosting environments.