How Containers and Kubernetes Advance DevSecOps
Containers and Kubernetes have been two of the most exciting developments of recent years, and if implemented correctly, can vastly improve the efficiency and efficacy of development workflows. One of the key ways they can do so is by catalyzing the development of a genuinely DevSecOps approach: a development workflow that seeks to integrate security into app development at the earliest, most fundamental levels.
For this reason, there is a growing consensus in the development community that containers are the key to developing DevSecOps workflows, and many are starting to interrogate the relationship between containers and DevSecOps.
In this article, we’ll take a more direct approach, and explain why containers and Kubernetes are so useful in making a move to DevSecOps—not just in improving container security, but also in improving the speed and accuracy of development.
What is DevSecOps?
To understand the role of containers and Kubernetes in DevSecOps, it’s important to understand exactly what DevSecOps means for most organizations.
There is one primary compromise that must be negotiated within all development workflows: the conflict between speed of delivery and the security of code. Today, the speed at which code can be delivered is crucial to the success of your organization, and especially so if you are running a continuous integration or delivery software model.
Unfortunately, focusing on delivering code more quickly can often mean that the security or reliability of code is reduced. Up until a few years ago, most organizations used the traditional way to get around this problem: Almost-finished software would be given to a dedicated security team to check before it was shipped.
This process, however, typically added weeks (if not months) to the software development life cycle, and the poor integration between development and CyberSec teams meant that the latter were often not able to spot all of the security holes in new code, let alone make recommendations to fix these.
DevSecOps is a paradigm that seeks to get around these problems by integrating security teams into the development process from the earliest stages. This can mean moving security teams to be in closer proximity to development teams, but it also relies on the capabilities of new technologies. One of those is Kubernetes and containers.
DevSecOps and Kubernetes
Open source-based containerized developmental systems, including those that are orchestrated via Kubernetes, are a natural fit for DevSecOps workflows. This is due to a number of features that stem directly from—and are able to directly mitigate—the most common threats faced by open source application developers.
An exhaustive list of these threats would run to many pages, but a brief summary can also be given. Key threats include clear-text secrets, embedded malware, insecure software or libraries, bugs, outdated images and use of untrusted images. Many of these risks are not necessarily (or even at all) the consequence of external attack; rather, they arise because of the complexity of the development workflow.
In other words, the sheer number of different systems that the average dev now has to work with means that it is easy for untrusted or outdated images to accidentally appear in shipped code. This is particularly the case where teams use the cloud host shared resources, because these distributed systems can often mean that no one team—and certainly not the development team—takes responsibility for keeping them up to date.
Given this issue, Kubernetes offer two main advantages over traditional development or open sourced-based systems: the simplicity with which individual applications can be granted access to key resources, and a number of in-built features that allow crucial DevSecOps processes to be performed at a native level.
Let’s take a deeper look at both of these features. For developers who are new to Kubernetes, it might seem strange to describe this architecture as simple. After all, a single cluster may have dozens or hundreds of containers within it, and this can take some getting used to.
However, it’s also crucial to realize that this gives Kubernetes-based workflows an inherent ability to scale up their operations when required. This “scalability” is not only important for companies looking to survive in a crowded marketplace but is also important for security.
Instead of building fragmented applications that draw components and licenses from many different sources, Kubernetes allows all of your apps and their components to be hosted in one place, which is one of the most important security measures to have with open source software and tools in general.
This not only gives you as a developer greater oversight over your software, but it also dramatically increases the efficacy of your security team. Kubernetes architectures allow both development and security teams to work within the same environment. This also enables both teams to have the same levels of oversight and control over software as each other.
This naturally gives rise to a DevSecOps approach, in which the operations of each team inform each other, without the necessity of building complicated managerial structures on top of already complex technical tools.
In other words, and despite some of the speculation that DevOps will not survive the rise of Kubernetes, the advent of containerization is likely to lead to more widespread adoption of DevSecOps models. This is not only because containers address some of the most important mobile app security considerations for developers, but also the very paradigm through which they operate encourages the kind of collaborative, joined-up working practices that form the core of the DevSecOps revolution.