Enforce security with DevSecOps using tools from Vault

Use case

Challenges

Main challenges

The typical DevOps pipeline can have hundreds of different tools with independent secrets stores, like Ansible Vault and Kubernetes secrets. Besides, each solution approaches SSL/TLS certificates differently, requiring developers to invest time to learn each of them. Using a wide range of approaches also complicates code. DevOps deal with proliferating secrets due to the company's desire to deploy application changes more frequently.

One of the most significant obstacles to improving software products' overall security is the way developers have historically managed application secrets. Secrets in DevSecOps refers to the digital authentication credentials used in services and applications, including passwords (also auto-generated and one-time passwords), usernames, API tokens, SSH keys, system-to-system and database passwords, private certificates, private encryption keys, RSA, and keypad pin sequences, among others.

Hackers can easily compromise an application in a way that gives them access to user credentials, many of which are reused in an enterprise. Cybercriminals attacked Uber through secrets left on GitHub. Accenture left secrets exposed on Amazon S3, while Viacom left secrets accessible publicly on Puppet.

Business/technical goals

DevSecOps emphasizes security in the union of people, processes, and tools to build, test, and release software more frequently and reliably. Tools like Vault automates DevSecOps activities to reduce delivery time, improve quality and security, and eliminate human error. The solution streamlines repeatable processes to achieve faster, secure delivery cycles and customer satisfaction.

Approach

Organizations can enforce security with DevSecOps using tools from Vault. Vault is excellent for secrets management, encryption as a service, and privileged access management. The lightweight, portable solution does not need a lot of infrastructures.
DevSecOps tool like Vault simplifies SSL/TLS certificate issuance. It abstracts the secret store from applications to streamline the management of secret sprawl.

Situation before & after the implementation

Before

Applications and digital services leak secrets in different circumstances, such as application logging configurations, leaving secrets in log files, or centralized logging systems. External actors will also capture secrets in crash reports forwarded to external monitoring systems or through debugging endpoints.

After

As organizations become more proficient at managing application secrets, the more secure application environments become. Using DevSecOps and tools like Vault helps your business know the location of all secrets, parties accessing them, timelines when the secrets got in that location, and changes made on them.

DevSecOps offers secure by default applications by integrating security via tools like Vault.

Methodology

Immersion

Introduction with the client to understand his context - both business and technical. The aim of the phase is to explore this new context, gather the needs through exchange with the different key points of contact, answer unclear points, and agree on a defined scope.

Ideation

Proposition of several potential solutions that could fit the need and iterate on it based on client feedback. In this step, we can include a prototype or a Proof of Concept to have a better sense of the feasibility of the architecture to put in place with its different layers/components.

Implementation & tests

Iterative phase based on Agile methodologies & rituals: sprint planning, demo, retrospective, prioritization, etc. Each sprint will include the implementation of the technical architecture, the deployment of the infrastructure, and the development phase if required.

Production

Go in production with the defined solution and ensure post-production support if required.

Benefits

  • Automation - Enforcing security with DevSecOps using Vault tools offers an integrated solution with robust control over machine identity, paired with CI/CD and other DevOps benefits.
  • Enhanced security - Vault DevSecOps tool improves how software teams store important keys, passwords, tokens, and other secrets in projects. Besides, the tool manages and maintains application secrets outside the application to improve the overall system security.

  • Flexibility - DevSecOps makes it easier to manage the rapid pace of development and large scale secure deployments.
  • Regulatory compliance - Vault offers a reliable way to manage application secrets, which helps meet compliance requirements for regulations such as the GDPR that penalize companies for losing control over credentials and data.

Getting started with Technofy

Technofy has mastered a way of enabling cultural changes for clients to embrace DevSecOps. We offer solutions and expertise you need to enhance security on your DevOps activities. We apply the concept of & "shift-left security" by moving security thinking from a production requirement to the early stages of software planning and development. We deploy a wide range of tools like Vault to automate DevSecOps processes to enhance your cybersecurity posture and complement your regulatory compliance efforts.
Contact us for more