Organizations must embed security throughout their DevOps pipeline to work in the cloud at scale, AWS experts agree. That responsibility should be distributed across an organization, and it is also shared between AWS and its customers.
Just don't call it DevSecOps.
In his AWS re:Inforce keynote, Stephen Schmidt, AWS chief information security officer, framed DevSecOps as an essential part of the AWS security process, though he and others dispute the name.
"What I really object to is this notion that some people have that there is security, development and operations, and they're separate," Schmidt said in an interview. "There's no situation where we should be developing anything without security in mind. There's no situation where we should operate anything without security in mind."
An evolution of DevOps, DevSecOps is an approach that tackles the unique challenges of cloud security at scale, in a market with a serious security skills shortage. Essentially, there is more to secure now than ever and fewer people who know how to do it. A DevSecOps process emphasizes security responsibility throughout an organization's teams and automates security in every part of development and operations.
Let's clear the air around DevSecOps with AWS -- the name, the process and how it fits with cloud security.
No, you don't have to call it DevSecOps
Many see DevSecOps and DevOps as one and the same. Ultimately, it doesn't matter what you call it, as long as you practice it.
In their AWS re:Inforce talk, "It's in my backlog: The truth behind DevSecOps," Randall Brooks, engineering fellow at Raytheon, and Shawn Harris, managing principal security architect at Starbucks Coffee Co., agreed with Schmidt's point in his keynote. When DevOps first started, security was included in the ops, they explained, but the race to integrate development and operations together in CI/CD pipelines relegated security practices to the back burner. DevSecOps doesn't shove security between development and operations but, again, emphasizes security practices and responsibility through everything an organization does, they said.
Organizations can call their process whatever they want, as long as they enforce security throughout, said Rich Mogull, a re:Inforce attendee and VP of products at DisruptOps, a security platform for multi-cloud infrastructure. Organizations don't necessarily need a DevSecOps team, especially if it's just another team thrown between development and operations. However, organizations should have a security automation team -- call it whatever you want -- that streamlines compliance and security practices for every step of the CI/CD pipeline, he said.
Likewise, while using AWS doesn't require customers to operate with a DevOps or DevSecOps team, organizations with siloed development, operations and security teams won't get the most out of the platform, Schmidt said.
DevSecOps with AWS
AWS has tried to address the cloud security issues that have arisen due to scale and the security skills shortage with features and services that simplify security and compliance posture. However, organizations can't do DevSecOps by simply opting in to AWS security defaults and its bread-and-butter security services, such as Identity and Access Management, Key Management Service and Security Hub. Ultimately, organizations are responsible for their own DevSecOps approach, Mogull said.
Under its shared responsibility model, AWS is responsible for security of the cloud: the hardware, software, networking and facilities that run its services, from regions and availability zones up through managed compute, storage, database and networking offerings. Customers are responsible for security in the cloud: everything they configure and operate on top of that infrastructure, including guest operating system patching on EC2, application code, data encryption choices, security group and network ACL rules, and identity and access management. The boundary shifts with the service. On EC2 the customer patches the operating system; on a managed service such as RDS, AWS patches the database engine, but the customer still owns the IAM policies, network exposure and encryption settings. A publicly readable S3 bucket or an over-broad IAM policy falls entirely on the customer's side of the line.
AWS provides some of the tools for DevSecOps. Many services ship with sensible security defaults: EC2 instances sit behind security groups, a stateful firewall that drops any inbound traffic no rule explicitly allows, and S3 Block Public Access can disable public ACLs and public bucket policies across an entire account. AWS also offers dedicated security services. Amazon Inspector assesses EC2 instances for known software vulnerabilities and unintended network exposure, and Amazon GuardDuty analyzes CloudTrail, VPC Flow Logs and DNS logs to flag malicious or anomalous activity, such as API calls from a known-bad IP address, credentials used in an unusual way, or an instance communicating with a command-and-control server. Checking resource configuration against best practices is the job of AWS Config rules and Security Hub rather than Inspector, and none of these services fixes a finding on its own.
DevSecOps in AWS requires custom automation built jointly by developers and security engineers, Mogull said; organizations must integrate security and eliminate siloed approaches. In practice that means encoding security practices as AWS Lambda functions that react to CloudWatch Events (now EventBridge) and call the AWS APIs: a rule matches a CloudTrail API call or an AWS Config compliance change, invokes the function, and the function alerts on or reverts the change. Two caveats apply to any such responder. It runs after the change has already happened, so it belongs alongside preventive controls such as IAM conditions or service control policies rather than instead of them, and its execution role should be scoped to exactly the remediation calls it makes, because a broadly permissioned remediation function is itself an attractive target.
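As an added illustration of that pattern (example code written for this article, not code from AWS or from any of the people quoted), here is a Lambda handler that reverts a security-group rule opening SSH or RDP to the whole internet. It assumes a CloudWatch Events rule matching CloudTrail `AuthorizeSecurityGroupIngress` calls invokes the function; the event layout follows the CloudTrail record format, the sample event is constructed for offline testing, the set of "sensitive" ports is a hypothetical organizational choice, and the EC2 client is injected so the logic runs without AWS credentials.

```python
"""Added example: auto-revert world-open SSH/RDP security-group rules.

Assumed wiring (not on the page): a CloudWatch Events / EventBridge rule for
CloudTrail "AuthorizeSecurityGroupIngress" calls invokes lambda_handler.
The execution role needs only ec2:RevokeSecurityGroupIngress (assumption).
"""

WORLD = ("0.0.0.0/0", "::/0")
SENSITIVE_PORTS = {22, 3389}   # assumption: ports this org never exposes publicly


def _in_range(port, from_port, to_port):
    # ipProtocol "-1" (all traffic) carries no port fields: it matches every port
    if from_port is None or to_port is None:
        return True
    return from_port <= port <= to_port


def offending_permissions(request_params):
    """Return ingress entries that open a sensitive port to the world, already in
    boto3's IpPermissions shape so they can be handed straight to revoke."""
    found = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        fp, tp = perm.get("fromPort"), perm.get("toPort")
        if proto not in ("tcp", "-1"):
            continue
        if not any(_in_range(p, fp, tp) for p in SENSITIVE_PORTS):
            continue
        v4 = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])
              if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])
              if r.get("cidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": proto}
        if fp is not None:
            entry["FromPort"], entry["ToPort"] = fp, tp
        if v4:
            entry["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        found.append(entry)
    return found


def lambda_handler(event, context=None, ec2=None):
    """Entry point. `ec2` is injected for tests; in Lambda it is a boto3 client."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress":
        return {"action": "ignored", "reason": "not an ingress authorization"}
    if detail.get("errorCode"):           # CloudTrail records failed calls too
        return {"action": "ignored", "reason": "call failed, nothing to revert"}
    params = detail.get("requestParameters", {})
    group_id = params.get("groupId")
    bad = offending_permissions(params)
    if not bad:
        return {"action": "ignored", "reason": "no world-open sensitive ports",
                "groupId": group_id}
    if ec2 is None:
        import boto3                      # only needed inside Lambda
        ec2 = boto3.client("ec2")
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=bad)
    return {"action": "revoked", "groupId": group_id, "revoked": bad,
            "actor": detail.get("userIdentity", {}).get("arn")}


# Constructed sample: a CloudTrail record as delivered through CloudWatch Events.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
                 "ipv6Ranges": {"items": []}},
            ]},
        },
    },
}


class FakeEC2:
    """Offline stand-in for the boto3 EC2 client; records the revoke calls."""
    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


if __name__ == "__main__":
    client = FakeEC2()
    print(lambda_handler(SAMPLE_EVENT, ec2=client))
    print(client.calls)
```

The handler reverts only the offending entry (port 22 from 0.0.0.0/0) and leaves the public HTTPS rule in place, and it returns the actor's ARN so the result can be routed to a ticket or a Slack channel. It also ignores CloudTrail records that carry an `errorCode`, since a denied `AuthorizeSecurityGroupIngress` call changed nothing. The revoke happens seconds after the authorize, so the rule did briefly exist; a service control policy or an IAM condition denying the call outright is the preventive complement.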
The best way to get good code is to have developers on call when their code breaks, Schmidt said. This requires a cultural shift within organizations that AWS can push for but not force.
Brooks and Harris suggested a few ways organizations can kick-start this culture shift. They can embed application security engineers in development teams, or have security engineers train developers who are interested in security and recognize and reward those developers as "security champions." From there, developers can start automating static code analysis, for example as a pipeline stage driven by Lambda.
Security standards, policies and testing core to DevSecOps