NIST’s DevSecOps guidance: This is what you should know
NIST's DevSecOps guidance sets out the technical security fundamentals for industry-grade DevSecOps applied to microservices-based cloud-native applications.
Cloud adoption has become a central concern for decision-makers in the US government. It is moving rapidly, and although government bodies already had a reasonable grasp of it, they are now moving into substantive implementations, as private companies have done.
The Department of Commerce, through its agency the National Institute of Standards and Technology (NIST), has moved to provide a secure coding best-practices framework to guide innovation.
NIST, formerly the National Bureau of Standards, is known chiefly for work in the physical sciences, including nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. The specialty most relevant here is secure coding: reducing vulnerabilities in the code that is written.
Building on that work, NIST collaborated with former US Air Force Chief Software Officer Nicolas Chaillan and the service mesh company Tetrate to produce a concise handbook, released in September 2021. The document lays out basic approaches (primitives) for integrating NIST DevSecOps with a microservices-based architecture.
To fully exploit the potential of today's cloud environment and keep up with their peers, companies must improve and scale the way they build applications.
Traditional architectures now lag in the pace at which applications are built, run, and improved. Cloud-native application development addresses this using techniques and technologies native to cloud computing.
Microservices are the loosely coupled components that make up cloud-native applications. These applications are built on zero-trust security concepts because they need automated, quick, and secure update mechanisms that do not slow the pace of business.
They give organizations strong business value through continuous development and automated configuration across private, public, and hybrid clouds. In turn, they require a different software life cycle paradigm than basic single- and multi-tier applications.
A compatible paradigm that delivers agile and secure development, delivery, and deployment, in line with the basic requirements of microservices-based applications, is found in the primitives of the DevSecOps (Development, Security, and Operations) orientation.
NIST's draft, titled "Implementation of DevSecOps for a Microservices-based Application with Service Mesh" (SP 800-204C), details how microservices fit with DevSecOps through a set of primitives, and walks through how to optimize cloud-native applications on a reference platform. In short, it shows how to cut time delays and improve security.
DevSecOps implementation for the reference platform
The reference platform is recommended to be a typical container orchestration platform, in this case Kubernetes. As the guide notes, this widely adopted container orchestrator, introduced by Google in 2014, is the best choice.
Kubernetes can be deployed on physical or virtual machines, with pods selected for particular purposes. With node groups hosting pods, distributing microservice workloads to support load balancing and scaling is highly practical on Kubernetes.
A service mesh is deployed to address the liabilities of the Kubernetes platform. The two major components of a service mesh architecture are the data plane and the control plane.
The control plane is responsible for management functions such as key and certificate management and inbound/outbound connection management. The data plane, in contrast, handles security functions such as secure networking, policy enforcement, traffic management, and performance observability.
The performance and security concerns of Kubernetes are significant liabilities in this context. Handling traffic segmentation across different types of pods, rather than plain round-robin distribution, is a considerable challenge. However, a service mesh's ability to take charge of routing and observability lets cloud-native applications get around such challenges.
Key takeaways for field applications
DevOps is littered with security gaps. Traditionally, it lacks mechanisms for systematic testing and integration of security controls, and real-time posture checks are not a realistic option in DevOps as it is commonly practiced. NIST's new guidance focuses intensely on the risks that come with cloud adoption in order to improve operations and development.
Security is a major concern in this area, given how vulnerable DevOps stands and how often cloud infrastructure has been exposed to attack (just google "s3 breaches" to appreciate the seriousness of the situation).
Threats at any scale tend to thrive on weaknesses inherent in the code, chiefly misconfigurations. This is owed mainly to the gap between the enormous demand and the small number of competent personnel.
The cybercrime industry is at a record high, with the cumulative size of its economy predicted to exceed the GDP of many developed nations ($6 trillion); only the United States and China would remain ahead. Much of this figure stems from cloud computing, after COVID-19 triggered a steep rise in its adoption.
The guide strongly recommends evolving from DevOps to NIST DevSecOps. Many professionals would argue that there is no difference, since they continuously optimize business security anyway, but that is not true across the whole workforce: less experienced staff are not well versed in reducing vulnerabilities from the ground up.
DevSecOps builds security into the workflow itself, whereas DevOps addresses it only after the fact. DevSecOps puts security testing in the CI/CD pipelines, and the pipeline itself is fully managed and protected from compromise. The guide also implies that pipelines should be viewed in a broader capacity, featuring in the various stages through which code is routed.
Image Source: https://www.nist.gov/
NIST stresses that the ability of CI/CD pipelines to operate automatically and support rapid deployment is not a reason to eliminate manual intervention.
NIST DevSecOps and rapid delivery require a significant amount of automation. However, deciding how much to automate can be challenging. To reduce delay on recurring events, NIST recommends automating compliance-oriented tasks, repetitive tasks, and time-ordered activities first.
Scaled workflows require practices such as application as code, infrastructure as code (IaC), policy as code, and observability as code.
Kubernetes naturally brings further pipeline concerns, since each component comes with its own pipeline. Each of these pipelines must be optimized with properly integrated security tests. CI/CD is double-edged: for the business it improves code quality, but for attackers it is an avenue for penetration.
NIST presents push- and pull-based CI/CD pipelines as workflow paradigms. According to the document, push-based workflows can be risky because they expose credentials outside the deployment environment. It instead favors the GitOps methodology, which is supported by a pull-based workflow.
NIST recognizes the importance of security testing and lists three types/stages of testing needed for every pipeline in the preparation phase: interactive, dynamic, and static application security testing, commonly called IAST, DAST, and SAST.
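To make the push/pull distinction concrete, here is an added example (not from the NIST draft or from this article) showing where the cluster credential lives in each model: a push-based CI job that holds a kubeconfig as a CI secret, beside a pull-based GitOps setup in which an in-cluster controller reads the repository. The GitLab CI syntax, the Argo CD Application resource, the `KUBECONFIG_B64` variable name and the repository URL are all assumptions.

```yaml
# file: .gitlab-ci.yml (push-based, assumed GitLab CI syntax)
# The CI runner holds a cluster credential as a CI secret and pushes
# manifests into the cluster. The credential therefore lives outside
# the deployment environment, which is the exposure the guide warns about.
deploy:
  stage: deploy
  image: bitnami/kubectl:latest
  script:
    - echo "$KUBECONFIG_B64" | base64 -d > kubeconfig   # cluster-admin-class secret in CI
    - kubectl --kubeconfig kubeconfig apply -f manifests/
---
# file: application.yaml (pull-based GitOps, assumed Argo CD resource)
# An in-cluster controller watches the Git repository and reconciles the
# cluster to it. No cluster credential leaves the cluster; the only secret
# held outside it is a read-only deploy key for the repository.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: example-app
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.example.com/org/example-app.git   # placeholder URL
    targetRevision: main
    path: manifests
  destination:
    server: https://kubernetes.default.svc   # in-cluster API endpoint
    namespace: example-app
  syncPolicy:
    automated:
      prune: true      # remove resources deleted from Git
      selfHeal: true   # revert out-of-band changes to match Git
```

The two snippets are separate files; they are shown together only to contrast which side of the cluster boundary holds the deployment credential.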
Use a CI/CD solution that keeps your application safe
The NIST guide strongly encourages embedding security in DevOps. As CI/CD is one of the pillars of DevOps, integrating security into it is something every serious company should do. This will not work if you think of it as "adding" a new security layer on top of your application; the goal is to account for the dynamic nature of artifacts and infrastructure and embed security into them.
Wildcard CI/CD solution takes a security-first approach in handling development, delivery, and deployment. Try it here for free!
Wildcard is a NoCode platform that helps organizations and developers, even those without DevOps experience or coding knowledge, implement and manage versioned infrastructure using NoCode CI/CD pipelines. It enables collaboration, auditing, and automation. You can use Wildcard to build, deploy, and manage applications without writing a single line of code. Start for free by signing in with GitHub or GitLab.