Introduction

In this post we focus on the significance of DevSecOps in ensuring cloud security, emphasizing the need for continuous monitoring and remediation to effectively address vulnerabilities and threats throughout the software lifecycle.
The post also delves into the concept of “shift-left” and “shift-right” security in the context of a CNAPP (Cloud Native Application Protection Platform) solution. It explores how shifting security to the left involves incorporating security measures early in the development process, while shifting security to the right focuses on post-development monitoring and incident response.

DevSecOps in Cloud Security Space

DevOps vs DevSecOps

DevOps focuses on integrating development (Dev) and operations (Ops) teams to streamline software delivery and improve collaboration. It emphasizes automation, continuous integration and deployment, and rapid iteration.

On the other hand, DevSecOps expands upon DevOps by adding security (Sec) as a core component. It aims to integrate security practices throughout the software development lifecycle, starting from the early stages of development all the way through deployment and maintenance.

The key difference between DevOps and DevSecOps lies in the inclusion of security. DevSecOps recognizes the importance of considering security from the beginning and integrating it into every step of the development process. By doing so, it aims to proactively identify and address vulnerabilities, reduce risks, and enhance the overall security posture of the software or application.

DevSecOps Lifecycle

The DevSecOps lifecycle includes several important tests and activities to ensure security throughout the software development process. This includes:
1. Assessing the threat landscape and conducting impact analysis to identify potential risks and prioritize security measures.
2. Implementing pre-commit hooks, which are automated checks that ensure code quality and security before it is committed to the repository.
3. Utilizing Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools to scan the code and third-party components for vulnerabilities.
4. Performing Dynamic Application Security Testing (DAST) to analyze the application at runtime and identify any security weaknesses.
5. Implementing access and configuration management practices to ensure secure access controls and maintain secure configuration settings.
6. Conducting Chaos Engineering experiments to test the resilience and robustness of the application under stressful and unexpected scenarios.
7. Collecting logs and monitoring various system components to detect and respond to security incidents.
8. Employing Security Information and Event Management (SIEM) solutions to efficiently manage and analyze security events and alerts.
9. Conducting simulated “black attacks” or vulnerability assessments to proactively identify and address any potential security loopholes.
10. Implementing rollback strategies as a precautionary measure to revert to a previously known secure state in case of any security incidents or breaches.

Shift-left and Shift-right Security

Understanding Shift-left and Shift-right Security in CNAPP Context (Code, Build, Run)

The idea is to “fail small, recover quickly” in agile, rapid-delivery software development. Early detection of misconfigurations and vulnerabilities in the application development cycle therefore reduces the iterative effort of maintaining software and speeds up deployment and release activities.

Put simply, the software development lifecycle is a line that runs left to right. The left half consists of the coding and building stages; the right half covers deploying and operating the application.

Shift Left Security – Developers practice the shift-left paradigm proactively to improve the security posture of an application by identifying and resolving vulnerabilities and misconfigurations before they propagate to later stages in the pipeline. Shift left is intertwined with the evolving phase of DevSecOps, which is intended to provide early and continuous security posture management.

Shift Right Security – Modern deployment and delivery methods have rapidly increased the attack surface and the sophistication of attack vectors. Businesses recognize that relying completely on shift-left testing will not comprehensively guard against security threats. To shift right means adopting continuous monitoring, testing and security posture management for deployed, operational workloads in the cloud environment.

Shift right security includes CSPM (Cloud Security Posture Management), KSPM (Kubernetes Security Posture Management), CWP (Cloud Workload Protection), DSPM (Data Security Posture Management), Container Registry Scanning, Malware Protection, etc. Collectively, these are all components of a CNAPP solution.

Shift-Left vs Shift-Right Scope

Use case: Code-to-Cloud Visibility

Tools Stack

  • IDE: VS Code
  • Programming Lang: NodeJS
  • VCS: GitHub
  • CI/CD: AWS CodeCommit, AWS CodeBuild, AWS CodePipeline
  • Container Runtime: Docker
  • Container Registry: ECR
  • Orchestration: ECS
  • CNAPP: Prisma Cloud EE

Architecture Landscape

The following architecture diagram shows the high-level flow: developers push code to a GitHub repository (containing the NodeJS-based application source code), which triggers the CI pipeline and creates the build artifacts, i.e. a Docker image, which are stored in Amazon ECR. At a later stage, the CD pipeline is triggered and the build artifacts are deployed to the ECS cluster.

Simplified architectural overview

Sample Vulnerabilities Detection in Code-to-Cloud Across Different Stages

Security Gatekeeping – In Code (Shift-left)

The Prisma Cloud plugin is installed in VS Code and integrated with Prisma Cloud EE (a CNAPP solution), which gives real-time visibility into IaC misconfigurations, vulnerabilities, licensing issues and hardcoded secrets within the code. In the screenshot below, vulnerabilities associated with npm packages are discovered and remediation is suggested with fixed versions.

Vulnerability discovery within code

Security Gatekeeping – In Pull Request Review (Shift-left)

Respective CNAPP solutions also provide Code Security, which monitors any open or newly created pull requests and discovers the vulnerabilities associated with them.

The snippet below shows a GitHub open PR review that has a high-severity vulnerability associated with the moment package in the package.json file.

Vulnerability discovery in open PR

Security Gatekeeping – In CI Pipeline While Building Artifacts (Shift-left)

This is the third security checkpoint, where a CLI scanner (i.e. Checkov) scans the build artifact before it is stored in ECR. It fails the build phase if any vulnerabilities or misconfiguration issues are encountered.

Vulnerability discovery in CI pipeline
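
The logic behind the three shift-left checks above (dependency findings with a fixed version, then a build that fails on them), shown as an added example that is not part of the original post and is not Prisma Cloud or Checkov code. The advisory feed, the package `example-logger`, the version numbers and all function names are assumptions constructed for illustration.

```javascript
// Added example, not Prisma Cloud or Checkov code. ADVISORIES is a constructed
// feed: the ids, the package "example-logger" and the versions are illustrative.
const ADVISORIES = [
  { id: "EXAMPLE-0001", pkg: "moment", fixedIn: "2.29.4", severity: "high" },
  { id: "EXAMPLE-0002", pkg: "example-logger", fixedIn: "1.4.0", severity: "medium" },
];
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Lowest version a simple range admits: "^2.29.1" -> [2, 29, 1]; null otherwise.
function minVersion(range) {
  const m = /^(?:\^|~|>=|=|v)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// One finding per dependency whose declared range admits a version below the fix.
function scanManifest(manifestJson, advisories = ADVISORIES) {
  const manifest = JSON.parse(manifestJson);
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const adv of advisories) {
    const range = deps[adv.pkg];
    if (range === undefined) continue;
    const declared = minVersion(range);
    // "*", "latest" or git URLs cannot be proven safe, so they are reported too.
    if (declared === null || isBelow(declared, minVersion(adv.fixedIn))) {
      findings.push({ ...adv, declared: range, unpinned: declared === null });
    }
  }
  return findings;
}

// Build gate: block on any finding at or above the threshold severity.
function gate(findings, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  const blocking = findings.filter((f) => SEVERITY_RANK[f.severity] >= min);
  return { pass: blocking.length === 0, blocking, exitCode: blocking.length ? 1 : 0 };
}

// Constructed package.json for the demo run.
const SAMPLE_MANIFEST = JSON.stringify({
  dependencies: { moment: "^2.29.1", express: "4.18.2" },
  devDependencies: { "example-logger": "*" },
});
const result = gate(scanManifest(SAMPLE_MANIFEST));
console.log(result.pass ? "gate: pass" : `gate: fail on ${result.blocking.map((f) => f.pkg)}`);
```

In a CI step, `exitCode` would be handed to `process.exit()` so the build phase fails before the image is pushed. This sketch checks the declared range only; the version actually installed is recorded in the lockfile.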

Security Gatekeeping – Runtime Protection in Workloads (Shift-right)

If remediation of a vulnerability is ignored or missed in the shift-left phase, it still stays on the radar: active deployment workloads are monitored in real time by the CNAPP solution, which gives visibility into non-compliant and vulnerable entities.

The snippet below shows a vulnerable Docker image deployed on the ECS cluster, with the Prisma Cloud platform surfacing the vulnerabilities within the active cluster.

Vulnerability detection on ECS cluster
Vulnerability metadata on ECS cluster