When you think about the term DevOps, you generally think about faster delivery using technologies such as containers or the cloud. But one thing people don’t pay enough attention to is the security involved in these operations.
The term DevOps is widely known around the world, even though it is a “new” term. What about the term DevSecOps? Have you ever heard of it?
Are you and your company being cautious and taking care of security in your DevOps tools and procedures?
Generally, security reviews happen at the end of the production cycle, and this may not be the most effective way. It is increasingly necessary to bring all the teams together: development, operations and security.
Sometimes we need to create security practices that are put to use right from the beginning of the production cycle. This should be seen as a new philosophy that helps all of operations deliver as efficiently as possible. The most important thing in this transformation is for all of us to understand how each team works. Understanding all the processes and best practices is the key to applying your knowledge across the whole operations process.
We can use Docker as an example to work through the best practices:
The first thing we need to consider when using Docker is the host machine. Because containers share the host’s kernel, security has to begin with the host machine. Once the host is compromised, all the processes are compromised as well.
Don’t forget that a container is just a process on your host machine. The main step in securing the host is to keep the system up to date with patches applied.
Know the container's layers!
It’s very important to know what’s running in each layer of your container. You need to ensure that third-party vendors will not deliberately download and run something without your knowledge.
Be sure that you know the source of your images. The best tip is: Build your own code!
Even for your own images, you need some method of verifying the authenticity of the entity that publishes the container, such as a public key mechanism.
The Docker Store is a good place to look for images. Don't forget that anyone can put their code on Docker Hub.
Limit your containers’ system resources. The best way of doing this is to use an orchestrator such as Kubernetes, Swarm or others. These orchestration systems can also serve as a real-time monitor, giving you graphs and logs to help with administration. So be proactive!
Do not use super-privileged mode. No matter what security level you provide for your infrastructure, if you don’t control root user access in your containers, container isolation is not guaranteed and your whole environment is put at risk. Be careful with your protected resources!
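The last two practices can be checked automatically. The following is an added example (not code from the original article): a Python audit over `docker inspect` JSON that flags privileged mode, a root user, added capabilities and missing resource limits. The two sample containers are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web-weak",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "Memory": 0, "NanoCpus": 0,
                  "CpuQuota": 0, "PidsLimit": null, "CapAdd": ["SYS_ADMIN"]}},
  {"Name": "/web-hardened",
   "Config": {"User": "10001:10001"},
   "HostConfig": {"Privileged": false, "Memory": 268435456, "NanoCpus": 500000000,
                  "CpuQuota": 0, "PidsLimit": 100, "CapAdd": null}}
]
""")

ROOT_USERS = {"", "0", "root"}


def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    host = entry.get("HostConfig") or {}
    user = (entry.get("Config") or {}).get("User") or ""
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    # Only the user part before ':' matters; empty means the default, root.
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root")
    if not host.get("Memory"):
        findings.append("no memory limit")
    if not host.get("NanoCpus") and not host.get("CpuQuota"):
        findings.append("no CPU limit")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no PID limit")
    if host.get("CapAdd"):
        findings.append("extra capabilities: " + ",".join(host["CapAdd"]))
    return findings


def audit(inspect_output):
    """Map container name -> findings for every inspected container."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "OK")
```

On a real host, pass `audit()` the parsed JSON output of `docker inspect` for your running containers instead of the sample.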
Security will always be the best path.