Amidst this growing tension around emerging cyber threats, one of the hottest topics in the software industry is ASPM (Application Security Posture Management). And rightly so: organizations must have a conversation about their ongoing AppSec practices and how to improve their security posture further.
What is the need for a strong Security Posture?
Cyberattacks such as SQL injection, cross-site scripting (XSS), unauthorized access, and malware injection are on the rise. This report by Accenture puts the average cost to organizations that fall victim to such attacks at a whopping $13 million!
In order to prevent such attacks, organizations must take a proactive approach to security. A key practice for ensuring proactive security is compliance. Let me delve into how compliance can be used as a tool to transform the security posture.
What is Compliance?
Compliance is a means to bake security into the application delivery lifecycle. It is the act of adhering to rules, regulations, standards, or guidelines established by external authorities or internal policies within an organization. Thus, ‘being compliant’ means that any process, product, or service offered by an organization meets industry standards or obligations.
Most large enterprises are driven by mandates requiring them to operate under certain constraints. These are either enforced by the industry they are operating in, or by the organization itself.
Benefits of Compliance in Software Delivery
There are numerous benefits to following these mandates, such as:
- Legal Obligations: Failure to comply with relevant laws and regulations can result in legal penalties, fines, lawsuits, or regulatory sanctions.
- Risk Management: Compliance helps mitigate risks associated with non-compliance, such as financial loss, reputational damage, operational disruptions, or data breaches.
- Trust and Reputation: Demonstrating compliance builds trust and credibility with customers, partners, investors, and other stakeholders, enhancing the organization’s reputation and brand value.
- Operational Efficiency: Adhering to established standards and best practices improves operational efficiency, quality assurance, and process consistency within the organization.
- Competitive Advantage: Compliance with industry standards and regulations can provide a competitive advantage by demonstrating commitment to quality, security, and responsible business practices.
‘DevSecOps’ and the role of Compliance in Software Delivery
While ‘DevSecOps’ encourages bringing security measures into DevOps (or software delivery) workflows, ‘Compliance’ is proof that security measures have been implemented. So even though they are two distinct concepts, ‘DevSecOps’ and ‘Compliance’ go hand in hand because they address the same challenge.
On the one hand, compliance complements DevSecOps and improves software delivery; on the other hand, it slows down delivery cycles, demands manual effort, and starts too late in the process. The secret sauce lies in actually automating compliance into DevSecOps.
Compliance Automation in DevSecOps
Compliance Automation improves both agility and security in software delivery—helping teams achieve the best of both, DevOps and DevSecOps. It not just streamlines security standards, but also eliminates bottlenecks resulting from manual compliance checks. This naturally leads us to the next question—how do we automate compliance in DevSecOps?
Strategies to Automate Compliance in DevSecOps
- Implement Compliance as Code
- Automate Compliance Checks
- Continuous Compliance Monitoring
- Policy Enforcement
Implementing Compliance-as-Code
‘Compliance-as-Code’ is the process of codifying compliance requirements and security controls into configuration files, automation scripts, and infrastructure templates using the principles of infrastructure as code (IaC) and policy as code (PaC). This can help define compliance rules programmatically and enforce them consistently across development environments.
Automate Compliance Checks
By automating compliance checks, organizations can identify security issues and non-compliant configurations early in the development process, and thus reduce the risk of non-compliance. This not only speeds up the compliance verification process, but also eliminates bottlenecks arising from manual checks.
Continuous Compliance Monitoring
Monitoring tools and Security Information and Event Management (SIEM) systems can be used to collect and analyze security-relevant data, detect deviations from compliance standards, and trigger alerts or automated responses as needed. This is one such mechanism to track compliance status and security posture across DevSecOps environments in real-time.
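As an added illustration of this monitoring loop (example code written for this article, not an OpsMx or SIEM product feature), the following Python script ingests a constructed stream of JSON audit events, compares each controlled setting against a compliance baseline, and raises an alert only when a resource transitions out of compliance, so a repeated event does not produce a repeated alert. The control names, the event format and the sample events are all assumptions made for the example.

```python
"""Continuous compliance monitoring over a stream of audit events.

Added example, not OpsMx or SIEM code. The control names, event schema and
sample events are constructed; a real pipeline would receive events from a
SIEM or from the SCM / cluster audit logs directly.
"""
import json
from dataclasses import dataclass, field

# Compliance baseline: control -> expected value. Constructed for this example.
BASELINE = {
    "branch_protection.main": True,      # main branch must stay protected
    "k8s.audit_logging": True,           # cluster audit logs must stay enabled
    "k8s.kubelet.anonymous_auth": False, # anonymous kubelet access must stay off
}


@dataclass
class Alert:
    control: str
    resource: str
    expected: object
    observed: object
    actor: str


@dataclass
class ComplianceMonitor:
    baseline: dict
    state: dict = field(default_factory=dict)   # (control, resource) -> last observed value
    alerts: list = field(default_factory=list)

    def ingest(self, line: str) -> None:
        """Parse one JSON audit event and compare the observed value to the baseline."""
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            return  # malformed line: skip it rather than crash the monitor
        control = event.get("control")
        if control not in self.baseline:
            return  # the event is not about a controlled setting
        key = (control, event["resource"])
        expected = self.baseline[control]
        observed = event.get("value")
        # A resource we have never seen is assumed compliant until an event says otherwise.
        previously_compliant = self.state.get(key, expected) == expected
        self.state[key] = observed
        # Alert only on the transition into non-compliance, so repeats do not spam.
        if observed != expected and previously_compliant:
            self.alerts.append(Alert(control, event["resource"], expected, observed,
                                     event.get("actor", "unknown")))

    def noncompliant(self) -> list:
        """Resources currently deviating from the baseline, as 'control@resource'."""
        return sorted(f"{c}@{r}" for (c, r), v in self.state.items() if v != self.baseline[c])


# Constructed sample events (one is deliberately malformed, one is irrelevant).
SAMPLE_EVENTS = [
    '{"ts":"2024-05-01T10:00:00Z","control":"branch_protection.main","resource":"org/payments-api","value":true,"actor":"alice"}',
    '{"ts":"2024-05-01T10:05:00Z","control":"branch_protection.main","resource":"org/payments-api","value":false,"actor":"ci-bot"}',
    '{"ts":"2024-05-01T10:05:01Z","control":"branch_protection.main","resource":"org/payments-api","value":false,"actor":"ci-bot"}',
    '{"ts":"2024-05-01T10:07:00Z","control":"k8s.audit_logging","resource":"prod-cluster","value":false,"actor":"bob"}',
    'not json at all',
    '{"ts":"2024-05-01T10:09:00Z","control":"k8s.audit_logging","resource":"prod-cluster","value":true,"actor":"bob"}',
    '{"ts":"2024-05-01T10:10:00Z","control":"unrelated.setting","resource":"x","value":1,"actor":"carol"}',
]


def run_monitor(lines=SAMPLE_EVENTS) -> ComplianceMonitor:
    monitor = ComplianceMonitor(BASELINE)
    for line in lines:
        monitor.ingest(line)
    return monitor


if __name__ == "__main__":
    m = run_monitor()
    for a in m.alerts:
        print(f"ALERT {a.control} on {a.resource}: expected {a.expected}, "
              f"observed {a.observed} (changed by {a.actor})")
    print("currently non-compliant:", m.noncompliant())
```

Running it produces two alerts (branch protection removed by `ci-bot`, audit logging disabled by `bob`); the audit-logging setting is later restored, so only the repository remains in the non-compliant list. The actor field is what makes the alert actionable for an incident responder.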
Policy Enforcement
Automated policy enforcement mechanisms ensure that compliance controls are enforced consistently across development environments. Various tools and frameworks can be used to enforce policies with the help of declarative configurations, role-based access controls (RBAC), and the principles of least privilege.
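Here is an added worked example (not OpsMx SSD's policy engine) that ties the four strategies above together in one small piece of Python: compliance requirements codified as policy functions, evaluated automatically against a deployment manifest, with each policy declaring whether a failure blocks the deployment or only raises an alert. The policy names echo the FedRAMP and CIS checks listed further down this page, but the rule logic, the 4x CPU ratio threshold and both manifests are constructed for illustration.

```python
"""Compliance-as-code: policies codified as functions and evaluated against a
deployment manifest before release. Added example for this article; it is not
OpsMx SSD's policy engine. Policy names echo the FedRAMP/CIS-style checks named
on the page; rule logic, thresholds and manifests are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                          # "block" stops the deployment, "alert" only reports
    check: Callable[[dict], List[str]]   # returns a list of violation descriptions


def _containers(manifest: dict) -> list:
    return manifest.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


def _millicores(value) -> int:
    """Convert a Kubernetes CPU quantity ('250m' or '2') to millicores."""
    s = str(value)
    return int(s[:-1]) if s.endswith("m") else int(float(s) * 1000)


def containers_without_limits(manifest: dict) -> List[str]:
    return [f"container '{c['name']}' has no resources.limits"
            for c in _containers(manifest) if not c.get("resources", {}).get("limits")]


def containers_without_requests(manifest: dict) -> List[str]:
    return [f"container '{c['name']}' has no resources.requests"
            for c in _containers(manifest) if not c.get("resources", {}).get("requests")]


def undefined_cpu_ratio(manifest: dict, max_ratio: float = 4.0) -> List[str]:
    """Bound the CPU limit/request ratio so a pod cannot burst far beyond what it
    reserved. The 4x threshold is an assumption made for this example."""
    findings = []
    for c in _containers(manifest):
        res = c.get("resources", {})
        limit = res.get("limits", {}).get("cpu")
        request = res.get("requests", {}).get("cpu")
        if limit is None or request is None:
            continue  # missing values are already reported by the two policies above
        ratio = _millicores(limit) / _millicores(request)
        if ratio > max_ratio:
            findings.append(f"container '{c['name']}' cpu limit/request ratio {ratio:.1f} exceeds {max_ratio}")
    return findings


def default_namespace_used(manifest: dict) -> List[str]:
    namespace = manifest.get("metadata", {}).get("namespace", "default")
    return ["workload targets the default namespace"] if namespace == "default" else []


POLICIES = [
    Policy("Block Container Without Limits", "block", containers_without_limits),
    Policy("Block Container Without Request Limit", "block", containers_without_requests),
    Policy("Block Undefined Container Ratios", "block", undefined_cpu_ratio),
    Policy("The default namespace should not be used", "alert", default_namespace_used),
]


def evaluate(manifest: dict, policies=POLICIES) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Run every policy; the deployment is allowed only if no 'block' policy fails."""
    findings = [(p.name, p.action, v) for p in policies for v in p.check(manifest)]
    allowed = not any(action == "block" for _, action, _ in findings)
    return allowed, findings


# Constructed manifests: one that fails three policies, and its hardened form.
NONCOMPLIANT_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api"},            # no namespace -> lands in 'default'
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example/payments-api:1.4",
         "resources": {"requests": {"cpu": "250m", "memory": "256Mi"},
                       "limits": {"cpu": "2", "memory": "1Gi"}}},        # 8x cpu burst
        {"name": "sidecar", "image": "example/log-shipper:0.9",
         "resources": {"requests": {"cpu": "50m", "memory": "64Mi"}}},   # no limits at all
    ]}}},
}
HARDENED_MANIFEST = {
    "kind": "Deployment",
    "metadata": {"name": "payments-api", "namespace": "payments"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "api", "image": "example/payments-api:1.4",
         "resources": {"requests": {"cpu": "500m", "memory": "512Mi"},
                       "limits": {"cpu": "1", "memory": "1Gi"}}},
        {"name": "sidecar", "image": "example/log-shipper:0.9",
         "resources": {"requests": {"cpu": "50m", "memory": "64Mi"},
                       "limits": {"cpu": "100m", "memory": "128Mi"}}},
    ]}}},
}

if __name__ == "__main__":
    for label, manifest in (("noncompliant", NONCOMPLIANT_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        allowed, findings = evaluate(manifest)
        print(f"{label}: {'ALLOW' if allowed else 'BLOCK'}")
        for name, action, violation in findings:
            print(f"  [{action}] {name}: {violation}")
```

Because each policy is a plain function with a declared action, the same module can run in a pre-merge check, in the CD pipeline as a gate, and in a scheduled audit over manifests already in the cluster, which is what "consistent enforcement across environments" amounts to in practice.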
Now that we’ve understood the importance of automation in DevSecOps compliance, let me address the compliance frameworks that organizations commonly struggle with and how OpsMx can help automate them into their software delivery processes.
Types of Compliance in Software Delivery
Depending on the industry an organization is operating in, its geography, or its specific business activities, it may need to adhere to different compliance requirements. Here are some common compliance types:
- Legal compliance
- Regulatory compliance
- Standards-based compliance
- Other compliance types:
  - Corporate compliance
  - Financial compliance
  - Legal compliance
  - HR compliance
Legal Compliance
Legal compliance involves adhering to laws, statutes, and judicial decisions that govern various aspects of business activities. Compliance with legal requirements ensures organizations operate within the boundaries of the law.
For example: the General Data Protection Regulation (GDPR) sets standards for data protection and privacy in the EU.
Regulatory compliance
Regulatory compliance involves adhering to specific rules, regulations, and standards imposed by regulatory bodies or government agencies within a particular industry or sector. Regulatory requirements are often industry-specific and may be aimed at protecting public interests, ensuring consumer safety, promoting market stability, or maintaining industry standards.
Examples include compliance with the Health Insurance Portability and Accountability Act (HIPAA) in healthcare and the Payment Card Industry Data Security Standard (PCI DSS) in the financial sector.
Standards-based compliance
Standards-based compliance involves conforming to industry standards and guidelines established by regulating bodies or professional organizations. These standards set benchmarks for quality, security, and performance in their respective domains. Adhering to them ensures consistency, safety, and interoperability within organizations and across industries.
Examples include ISO 9001 for quality management, ISO/IEC 27001 for information security management, and NIST 800-53 for federal information systems security controls.
Other notable Compliance types
I will not go into much detail about the other compliance types, as their scope is not that relevant in the context of software delivery. But to touch on them briefly: compliance standards also apply to other aspects of IT, such as corporate compliance, financial compliance, legal compliance, and HR compliance.
How can OpsMx help you stay compliant during Software Delivery?
Compliance frameworks are essential for organizations to establish effective governance, risk management, and compliance (GRC) programs. These frameworks help businesses identify, assess, and manage risks while ensuring that they operate within the legal and regulatory boundaries applicable to their industry.
OpsMx Secure Software Delivery (SSD) has inbuilt security modules that convert these frameworks and rules into Policy as Code (PaC) format, which is machine readable. In parallel to this, OpsMx SSD also collects events and data by integrating with other DevOps tools across the SDLC.
The PaC checks mentioned earlier are performed on top of this incoming data. The results of the evaluation are published as part of our Delivery Bill of Materials (DBOM) report and in the ‘Open Security Issues’ section of the SSD dashboard. Refer to the screenshot below.
OpsMx supports the following compliance frameworks as part of our Secure Software Delivery offering:
- NIST 800-53
- FedRAMP
- OpenSSF ScoreCard
- OWASP Top 10 CI CD Security Risks
- NSA CISA Top 10
- MITRE-ATT&CK
- CIS Benchmark Kubernetes
NIST 800-53
NIST 800-53 compliance covers aspects of information security, including access control, incident response, cryptography, configuration management, and more. Examples of NIST 800-53 policies supported in OpsMx SSD:
- Branch Deletion Prevention Policy
- Branch Protection Policy
- Bot User should not be an Org Owner
- C-0054 – MITRE – Cluster internal networking
Read our documentation for more information.
Here’s an example of OpsMx SSD evaluating a deployment against policies defined in accordance with the NIST 800-53 framework.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government program designed to ensure that cloud services used by federal agencies meet a consistent set of security and privacy standards. When integrated into SSD, this framework is converted to code form. The policies created from it raise an alert or block the deployment if a rule fails.
Examples of FedRAMP policies supported in OpsMx SSD:
- Block Container Without Limits
- Block Container Without Request Limit
- Block Undefined Container Ratios
- High Vulnerability Prevention Policy
- Low Vulnerability Prevention Policy
OpenSSF ScoreCard
The Open Source Security Foundation (OpenSSF) is an industry collaboration focused on improving the security of open-source software. When integrated into SSD, this framework is converted to code form. The policies created from it raise an alert or block the deployment if a rule fails.
Examples of OpenSSF policies supported in OpsMx SSD:
- Open SSF Binary Artifacts Policy
- Open SSF CI Tests Policy
- Open SSF Packaging Policy
- Open SSF Signed Releases Policy
- Open SSF Token Permissions Policy
OWASP Top 10 CI CD Security Risks
The well-known OWASP (Open Web Application Security Project) Top 10 list focuses primarily on web application security risks; the OWASP Top 10 CI/CD Security Risks is a separate list that covers CI/CD (Continuous Integration/Continuous Deployment) pipeline risks. Examples of OWASP CI/CD policies supported in OpsMx SSD:
- Prohibited use of unspecified package versions
- Refrain from running pipelines originating from forked repos
- Untrusted Deployment via Configuration Drift
- Open to merge public repositories for code utilities
NSA CISA Top 10
The NSA concentrates on signals intelligence and securing national security systems, while CISA is primarily responsible for enhancing cybersecurity resilience across government and critical infrastructure sectors and coordinating cybersecurity efforts at the national level.
Examples of NSA CISA policies supported in OpsMx SSD:
- C-0068 – NSA – PSP enabled – Pod Security Policies enable fine
- C-0067 – NSA – Audit logs enabled
- C-0058 – NSA – CVE-2021-25741
MITRE-ATT&CK
The MITRE ATT&CK compliance framework is a standardized set of regulations or requirements that organizations adhere to in order to improve cybersecurity defenses, threat detection, and incident response. When integrated into SSD, this framework is converted to code form. The policies created from it raise an alert or block the deployment if a rule fails.
Examples of MITRE-ATT&CK policies supported in OpsMx SSD:
- C-0067 – MITRE – Audit logs enabled
- C-0068 – MITRE – PSP enabled
- C-0069 – MITRE – Disable anonymous access to Kubelet service
- C-0070 – MITRE – Enforce Kubelet client TLS authentication
- C-0035 – MITRE – Cluster admin binding
CIS Benchmark Kubernetes
The Center for Internet Security (CIS) provides benchmarks and best practices for securing various technologies, including configuring and managing Kubernetes clusters to enhance the application security posture. When integrated into SSD, this framework is converted to code form. The policies created from it raise an alert or block the deployment if a rule fails.
Examples of CIS Benchmark Kubernetes policies supported in OpsMx SSD:
- CIS – Compliance Score – Range: 0-30
- CIS-1.1.1 Ensure that the API server pod specification file permissions are set to 600 or more restrictive
- CIS-3.2.1 Ensure that a minimal audit policy is created
- CIS-5.3.1 Ensure that the CNI in use supports Network Policies
- CIS-5.7.4 The default namespace should not be used
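To show what a benchmark item such as CIS-1.1.1 means when turned into code, here is an added Python check (not OpsMx or CIS code): a file is "600 or more restrictive" when no permission bit is set beyond owner read/write, so 0400 passes while 0644 and 0700 both fail. The files it inspects are temporary files created with constructed modes for the demonstration; pointing it at a real node's API server pod specification file is an assumption about how it would be used.

```python
"""Check a CIS-style file permission item such as CIS-1.1.1 ("... permissions
are set to 600 or more restrictive"). Added example, not OpsMx or CIS code.
The demo files are temporary files with constructed modes; on a real node the
path would be the API server pod specification file."""
import os
import stat
import tempfile


def is_at_most(mode: int, maximum: int = 0o600) -> bool:
    """'600 or more restrictive' means no permission bit is set outside rw for the
    owner: 0o400 passes, 0o644 fails (group/other read), 0o700 fails (owner execute)."""
    return (stat.S_IMODE(mode) & ~maximum) == 0


def check_file(path: str, maximum: int = 0o600) -> dict:
    """Return the finding for one file: path, observed octal mode and pass/fail."""
    st = os.lstat(path)  # lstat: do not follow a symlink that could point at a laxer file
    mode = stat.S_IMODE(st.st_mode)
    return {"path": path, "mode": f"{mode:04o}", "compliant": is_at_most(mode, maximum)}


def demo() -> dict:
    """Create temp files with constructed modes and check each; returns mode -> compliant."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o400, 0o644, 0o700, 0o000):
            path = os.path.join(d, f"kube-apiserver-{mode:04o}.yaml")
            with open(path, "w") as f:
                f.write("# constructed placeholder for a pod spec\n")
            os.chmod(path, mode)
            results[f"{mode:04o}"] = check_file(path)["compliant"]
    return results


if __name__ == "__main__":
    for mode, compliant in demo().items():
        print(f"mode {mode}: {'PASS' if compliant else 'FAIL'}")
```

Note that the check deliberately tests bits rather than comparing numbers: 0o700 is numerically larger than 0o600 but the point of the control is that nothing beyond owner read/write is granted, and a numeric comparison would also wrongly accept 0o060. File ownership is a separate benchmark item and is not covered by this check.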
About OpsMx
OpsMx is a leading innovator and thought leader in the Secure Continuous Delivery space. Leading technology companies such as Google, Cisco, Western Union, among others rely on OpsMx to ship better software faster.
OpsMx Secure CD is the industry’s first CI/CD solution designed for software supply chain security. With built-in compliance controls, automated security assessment, and policy enforcement, OpsMx Secure CD can help you deliver software quickly without sacrificing security.
OpsMx Deploy Shield adds DevSecOps to your existing CI/CD tools with application security orchestration, correlation, and posture management.