An interview question — "you join a DevOps team with no security; what's your first step?" — sparked this take on why DevOps is already security-conscious, where it goes wrong, and how to fix a broken security culture.
A friend is going through an interview process at a well-known IT security company. This is one of the interview questions:
"Imagine a situation where you come to a DevOps team with no idea on security. What would be your first step to implement security into their processes and why?"
To me, as a DevOps Engineer, this seems like a very wide question, perhaps even deserving of a blog post. I wouldn’t want to be in my friend’s position to have to answer it, but I’ll do my best to give my 2 cents.
Nowadays, the term DevSecOps is becoming popular. While traditional DevOps supposedly considers security an afterthought, DevSecOps on the other hand considers security as one of the initial corner stones.
Currently, there is an abundance of both DevOps and DevSecOps positions on the job market. In my experience, the two terms are commonly used quite interchangeably. Nevertheless, it offers a glimpse into how seriously is security meant to be taken in this line of work. Indeed, when it comes to keeping critical IT systems running, it’s usually the DevOps engineers who are in the best position to either keep everything afloat or sink it. For that reason, security is a critically important aspect to be kept in mind for DevOps engineers.
In my experience, vast majority of DevOps engineers are security-conscious. Some slightly more, some slightly less. Most are aware of how delicate the work they do is, and that if they produce an insecure solution that leads to a security incident, there will be serious consequences.
Even the most mediocre DevOps Engineer is likely to know basic principles of how to keep their solutions reasonably secure. Many DevOps engineers work within teams, and their solutions are typically reviewed with scrutiny. Thus, I’d say a well-functioning DevOps team typically produces sufficiently secure solutions.
Within bigger, enterprise-grade companies, cooperation with various security teams is common. For example, a security team may audit, review, or set security requirements for the solutions created by the DevOps team.
In small companies with barely any DevOps engineers and perhaps no dedicated IT security personnel, the security may be a bit more lax. But even then it tends to be good enough to not be too vulnerable to most types of security incidents.
When an urgent incident occurs, security-related or otherwise, it’s typically the DevOps engineer who’s paged in the middle of the night. This ensures they’re fairly motivated to deliver robust and secure solutions.
DevOps/Kubernetes security-focused consultancy companies exist, such as Control Plane.
Managing Public Cloud infrastructure (e.g. AWS)
Managing CI/CD
Virtual Machines (on-premises or cloud)
Kubernetes
Secrets Management
TLS
VPN
Database security
Managing git servers, e.g. GitLab
Container vulnerability scanning
Storage encryption
Intrusion detection
Enforcing MFA wherever possible
Generally trying to follow the least privilege principle
Generally trying to follow, avoid, and patch CVEs
Incident prevention and response (angry ex-employee, DDOS attack, aggressive web crawlers, critical CVE patching…)
A DevOps engineer committed a Kubernetes admin kubeconfig in plaintext format into a developer app git repo. He then tried to use it for authentication as part of his CI/CD solution. This is bad, because we wanted to keep the admin kubeconfig away from the developers. Also, he shouldn’t commit sensitive plaintext credentials into a git repo anyway. The rest of the DevOps team had a much better CI/CD solution in place, so all he had to do was ask and cooperate.
The team used a publicly accessible Jfrog artifactory where they uploaded private Helm charts. But then someone accidentally set the folder permissions to allow the Helm charts to be downloadable without authentication. The Helm charts contained some sensitive credentials, and were now downloadable by anyone from the Internet. I noticed it, escalated, and ensured remediation. Then the folder was made private again. I think the artifactory shouldn’t be accessible to the Internet, because that just removes one layer of protection right off the bat.
The scenario in the interview question is quite a nightmare, and extremely unusual. I would look at it from the leadership/management point of view.
Bad team culture takes a lot of time to fix. Rome wasn’t built in a day. With the above measures, it might still take 6-12 months for the team to become sufficiently security-conscious.