Penetration Testing & DevOps
In the previous post we looked at the current threat landscape and covered the basics of security in DevOps, i.e. DevSecOps, along with its benefits and best practices. Security is often an afterthought when the primary goal is to innovate and ship products and services faster.
However, given the damage an attack can cause, shipping vulnerabilities in products and services is the last thing an organization wants. Rather than letting security controls hold up the overall development process, DevSecOps addresses flaws as they are introduced, so that development is not slowed down.
Penetration testing, AKA a “pen test”, is an authorized attempt by an individual or a team to exploit vulnerabilities in an organization’s technical infrastructure and its components, in order to determine whether unauthorized access or other malicious activity is possible. A pen test is not a one-time activity: an organization must test regularly (weekly, monthly or quarterly, depending on how often the environment changes and how much is at risk) and after any significant change.
A pen test concludes when the tester(s) present their report and findings. The report conveys how effective the organization’s existing security controls and defences actually are. A good report also estimates the business impact the organization would suffer if the vulnerabilities found were exploited by a real attacker.
Based on the vantage point of the testing team, a pen test is either external or internal. In an external test the testers work from outside the organization’s network, simulating an attacker on the internet; they may or may not have prior knowledge of the organization or its technical infrastructure (black-box versus grey-box testing), and the results depend heavily on the testers’ skill and the time allowed. In an internal test the testers start with some form of authorized access to the organization’s technical infrastructure, so the exercise resembles an insider attack, or an attacker who has already breached the perimeter.
Importance of Penetration Testing in DevOps
As we have discussed, DevOps focuses on speedy completion of development processes for faster delivery of products and services. Leaving security out of the development process introduces its own set of vulnerabilities: stored data left unencrypted, code vulnerable to buffer overflows, or data leaking through logs and error messages. The list of flaws in a product or service whose security has not been considered is effectively endless.
To blend security into DevOps, pen testing has to be performed on an ongoing basis to keep pace with continuous delivery. Realistically, purely manual penetration testing does not scale to that cadence, and if it slows the development process, following DevOps principles yields no benefit.
Hence there is a pressing need for automated security tests that identify flaws, vulnerabilities, data leakage and loopholes in a timely manner. These tests need to run at a frequency and duration that do not hamper development speed while still improving the security of the data. To start with, a properly defined plan for security testing in DevOps must be laid down.
First, the pen testing plan must consider the development methodology and the environment in which the product or service is being built. Suppose, for example, that a cloud-based application is being developed using an agile methodology. Because it runs on someone else’s platform, you must check the cloud provider’s penetration testing policy, and request approval where the provider requires it, before testing. Otherwise your scans and exploitation traffic are indistinguishable from an attack on your account, and the provider may throttle or suspend it as part of its standard abuse procedure. Providers also typically prohibit denial-of-service testing outright, so such tests must stay out of scope.
The second step is to define the scope of your automated tests and select a tool capable of simulating a realistic attack. The scope should cover the network, connected devices, data in transit, access levels and privileges, how much of the testing is automated versus manual, and the compliance requirements that must be demonstrated; it should also state explicitly which hosts and paths are in and out of bounds. The ideal tool automates most of the work and requires human intervention only for serious findings. A fully automated tool with no human review is rarely the best choice for penetration testing in DevOps, since it cannot chain findings or judge business impact the way a tester can.
The third and final step is to document and report the findings of the testing tool together with any manual findings. Each finding must record the action taken to address it (fixed, mitigated, risk accepted, or false positive) and who owns it. How quickly and how well the team responds to a flaw is itself an indicator of their confidence in the product under development.
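The three steps above can be wired into a pipeline as a scope-aware security gate. The following is an added example, not code from the original post: a Python script that reads a scanner report (constructed here, in a shape approximating OWASP ZAP’s JSON output; the hostnames and findings are made up), treats any hit on a host that was never authorized as a test failure (the cloud-provider concern from the first step), ignores paths excluded by the scope, blocks the build on High-risk findings, routes Medium findings to human triage, and emits a findings record with a default action for each, which is the starting point for the documentation in the third step. The scope values and severity thresholds are assumptions to be replaced with those from your own test plan.

```python
"""Scope-aware security gate for a CI pipeline (added example, constructed data)."""
import json
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

# Risk codes as ZAP reports them: 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Scope from the test plan. Hosts, paths and thresholds are hypothetical.
SCOPE = {
    "allowed_hosts": {"staging.example.test"},   # only what the provider/app owner authorised
    "excluded_paths": ("/healthz", "/metrics"),  # endpoints we agreed not to test
    "fail_at_risk": 3,    # High: block the pipeline until fixed
    "triage_at_risk": 2,  # Medium: needs a human decision, does not block
}

# Constructed report in a ZAP-like JSON shape (not real scanner output).
SAMPLE_REPORT = json.dumps({"site": [
    {"@name": "https://staging.example.test", "alerts": [
        {"alert": "SQL Injection", "riskcode": "3",
         "instances": [{"uri": "https://staging.example.test/search?q=1", "method": "GET", "param": "q"}]},
        {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
         "instances": [{"uri": "https://staging.example.test/", "method": "GET", "param": ""}]},
        {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "https://staging.example.test/healthz", "method": "GET", "param": ""}]},
    ]},
    {"@name": "https://prod.example.test", "alerts": [
        {"alert": "Missing Anti-clickjacking Header", "riskcode": "2",
         "instances": [{"uri": "https://prod.example.test/", "method": "GET", "param": ""}]},
    ]},
]})

# Default "action taken" per gate status; a human replaces these as findings are worked.
DEFAULT_ACTION = {
    "blocked": "fix before merge; re-run the scan",
    "needs-triage": "security review this sprint; fix, mitigate or accept with justification",
    "open": "track in backlog",
    "excluded": "none (endpoint excluded by scope)",
    "out-of-scope": "STOP: scanner reached an unauthorised host; fix the scan configuration",
}


@dataclass
class Finding:
    alert: str
    risk: int
    uri: str
    param: str
    status: str = "open"


def classify_uri(uri: str, scope: dict) -> str:
    """Return 'out-of-scope', 'excluded' or 'in-scope' for the URI a finding was raised on."""
    parsed = urlparse(uri)
    if parsed.hostname not in scope["allowed_hosts"]:
        return "out-of-scope"
    if parsed.path.startswith(scope["excluded_paths"]):
        return "excluded"
    return "in-scope"


def parse_report(report_json: str) -> list:
    """Flatten a ZAP-like report into one Finding per (alert, instance) pair."""
    findings = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            for inst in alert.get("instances", []):
                findings.append(Finding(alert["alert"], risk, inst.get("uri", ""), inst.get("param", "")))
    return findings


def gate(findings: list, scope: dict):
    """Apply the scope and severity policy. Returns (exit_code, findings_record)."""
    record = []
    fail = False
    for f in findings:
        where = classify_uri(f.uri, scope)
        if where == "out-of-scope":
            f.status = where
            fail = True                      # an unauthorised target is itself a failed test run
        elif where == "excluded":
            f.status = where
        elif f.risk >= scope["fail_at_risk"]:
            f.status = "blocked"
            fail = True
        elif f.risk >= scope["triage_at_risk"]:
            f.status = "needs-triage"
        else:
            f.status = "open"
        record.append({
            "alert": f.alert, "risk": RISK_NAMES.get(f.risk, str(f.risk)),
            "uri": f.uri, "param": f.param,
            "status": f.status, "action": DEFAULT_ACTION[f.status],
        })
    return (1 if fail else 0), record


if __name__ == "__main__":
    exit_code, findings_record = gate(parse_report(SAMPLE_REPORT), SCOPE)
    print(json.dumps(findings_record, indent=2))
    sys.exit(exit_code)   # non-zero fails the pipeline stage
```

Run as a pipeline step after the scanner writes its report, the script’s exit code decides whether the stage passes; the printed record is what gets attached to the change for the documentation step. Note that the out-of-scope status fails the run even when the finding itself is harmless: a scanner that reached an unauthorised host is a configuration bug that must be fixed before the next run, not a result to triage.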
Software and automation have made our lives easier so far, and will continue to do so. Although the concept of DevSecOps is still relatively new, it is evolving quickly. To realize its potential, developers are the key personnel: they must be made security-aware so that security is not forgotten. Coordination between the development team and the security team also has to be a two-way street, so that a secure system is built and data integrity is treated as everyone’s shared responsibility.
It is high time security was embraced in DevOps: it is no longer a 100-metre hurdles race but a never-ending marathon.