DEVOPS SECURITY

BUYER’S GUIDE
Deploy Robust Security from DevOps Day One

FOUNDATIONAL CONTROLS FOR 
SECURITY, COMPLIANCE & IT OPERATIONS
Introduction
You know implementing DevOps will
rapidly advance your processes.
Adopting DevOps gives you faster time to
market, optimized delivery cycles, and a
wealth of saved time and resources. The
first steps of rollout make for an oper-
ational sea change for your teams, and
they’ll have a lot to learn at first.
Amid so much transformation, it’s
tempting to push security strategies
down your to-do list. You might want to
wait for your teams to hit their stride
before settling on a security solution—
after all, you can always tack a basic
solution onto your deliverable cycle
later, right?
In fact, this do-it-later strategy
becomes a major drain on your time
and resources and leaves your organi-
zation open to threats and attacks that
could take weeks or months to detect,
let alone resolve. The only diligent way
to make sure your DevOps deployment
succeeds is to start with a robust secu-
rity plan from the very beginning.
Questions this guide answers:
»» How will DevOps benefit my
organization?
»» What security risks come with putting
DevOps into action?
»» Which tools do I need to make DevOps
a success at my organization?
»» How do I know which security solution
will play well within the DevOps
framework?
»» What should I ask my vendor to
make sure their product fits the right
criteria for me?
Quick DevOps overview
DevOps originated in the software devel-
opment world in 2008. It has since made
a name for itself as the best operational
methodology for complex organizational
processes across every industry.
DevOps essentially brings agile oper-
ations best practices to development
quality assurance lifecycles. This
creates a continuous loop of planning,
execution, and testing—with iterative
feedback and integration every step of
the way.
The DevOps lifecycle
[Visual asset: Lemniscate, example
below from Atlassian.com/devops]
In practice, DevOps teams frequently
rely on agile tools like a Kanban board to
keep track of their work sprints and give
everyone a transparent view of where
each piece of the puzzle is at any given
moment.
Lean strategies like these require teams
to consider their tasks in relation to the
project as a whole, a modality known
as systems thinking. Systems thinking
helps individual employees streamline
their workflows by giving them con-
sistent visibility into the impacts their
disparate tasks have on the group’s pace
of progress.
Technical benefits
DevOps relies on real-time communi-
cation throughout every stage of the
development cycle. This leads to quicker
problem solving on behalf of your teams
and less complexity for management to
deal with. Thirty-three percent of enter-
prises cite reduced complexity as a top
driver for DevOps adoption.1 Technical
benefits include:
»» Faster and more frequent deployment
Code
Pl
an
Dev
Build
e
Rel
Te s t
Fig. 1 DevOps involves continuous integration, automated testing, rapid deployment,
infrastructure as code, and application monitoring.
»» More stable and reliable environments
»» Faster iterations mean quicker error
detection less rework projects
“Over the past six years and
2,700 State of DevOps survey
responses, we’ve found clear
evidence that DevOps practices
yield remarkable results for
IT teams and organizations …
Today, DevOps is viewed as the
path to faster delivery of soft-
ware, greater efficiency, and
the ability to pull ahead of the
competition.”
- 2017 State of DevOps Report by
Puppet and DORA²
Business benefits
According to Atlassian, DevOps teams
are two times as likely to surpass their
goals for profit, market share, and
productivity compared to teams using
traditional operational methods.3 This is
because of quicker delivery of new fea-
tures, a stable operating environment,
improved communication, and increased
collaboration. Business benefits include:
»» More efficient use of employee time
»» Bring value to market quicker through
continuous deployment
»» Increased employee retention and
engagement
Deploy
e
as
Ops
Operate
Mo
n it o r
Cultural benefits
The bulk of the change that occurs
when you shift your teams to DevOps is
cultural. You’ll see knowledge silos give
way to transparency, and employees
increase their engagement. DevOps
gives passive employees the resources
they need to become engaged stake-
holders who see themselves as integral
agents of change. The increase in feed-
back and communication translates to
higher job satisfaction, too: Employees
from DevOps teams are twice as likely
to describe their organization as a great
place to work to potential recruits.4
Cultural benefits include:
»» Increased collaboration between
teams
»» Better focus, which leads to improved
work quality
»» Feedback loops, which make
employees feel heard and valued
The Top Three
DevOps Security Risks
The initial process restructuring this
transformation involves can lead to a
substantial payoff down the road, but
only if you make a concerted effort to
integrate security directly into your
DevOps stack. Otherwise, you run the
risk of compromising all the work that
went into the transition by leaving your
organization vulnerable to avoidable
threats.
“An overwhelming majority
of companies believe an inte-
grated security and DevOps
team makes sense, with 98
percent of survey respondents
saying they are either planning
to or have launched such an
effort.”
- Jason Sabin,
CSO of DigiCert5
Risk #1: Process change with
security as an afterthought
Market pressure to deliver faster than
your competitors can spur your teams to
cut security corners, especially if there’s
a skills gap when it comes to sensible
security expertise. The security skills
gap arises when IT employees are shoe-
horned into security roles they aren’t
properly trained for because of rapidly
growing cybersecurity talent demand.
If you create an environment in which
security concerns are mismanaged or
put off for a later date, you’ll have to go
back and assess vulnerabilities at every
step of your process—wasting valuable
time and resources that could be spent
on innovation.
Risk #2: No security in the
continuous integration process
Continuous integration (CI), is a cru-
cial component of the DevOps model.
Developers integrate their updated code
to merge it with the bulk of the existing
code for each product or service. This
means constant change occurs in a
central code repository. But which of
these changes are planned, and what
happens if hackers are making changes
as well? Successful CI calls for change
management solutions that track every
modification made to your organization’s
systems.
Risk #3: No visibility across all
cloud endpoints
Any modern organization using DevOps
will have a substantial amount of cloud
endpoints at any given time. From VMs
to web services to containers, that’s a lot
to keep track of—and this is even truer
if you’re still working with on-premises
systems as well. You need to have deep
visibility across all your organization’s
endpoints or you run the risk of becom-
ing an easier target for attackers.
It’s time to take control of these risks.
Start by developing your optimized
DevOps tool suite and selecting a secu-
rity product that will scale with your
teams, integrate with your ecosystem,
and manage vulnerabilities before they
become a problem.
Optimize Your DevOps Tool Suite
Do you already know what product
capabilities you’ll use to make the most
of DevOps? Here are several of the key
tools you need to decide on to implement
and execute a successful DevOps model
in your organization:
Version control
Version control tools allow you to upload
your binaries and branch your software
to make sure everyone on your team is
always working on the correct version.
Two people can check out the same
version and work independently, then
merge their code back into the appro-
priate branch. Github is an industry
standard development tool for fast and
flexible version control.
Project management tracking
Project management tracking soft-
ware, generally a SaaS, tracks specific
projects and tasks so that each team
member has clear visibility into the
statuses of their stories and epics. For
example, JIRA is a three-piece suite of
solutions you can use to track develop-
ment progress, IT and customer service
tickets, and core business management.
Build and deployment
(continuous integration)
Continuous integration streamlines
the development process by merging
and testing code on an ongoing basis
to avert problems down the line. Tools
like Jenkins keep developers’ code
production-ready and allows them to
continuously push their code out to
various environments. Jenkins is also
popular among DevOps teams because
of its extensive integrations and plugins.
Secure configuration assessment
Secure configuration assessment tools
look at each individual system and its
specific settings to make sure each one
is set up securely. This includes testing
systems such as password lengths and
other types of secure configurations.
Each time you make an improvement
on an asset’s secure configuration,
you are hardening that device or asset.
Tripwire’s secure configuration man-
agement capabilities make it the go-to
solution to ensure foundational controls
are met throughout the DevOps lifecycle.
Change management
Change management solutions distrib-
ute notifications the moment changes
from your baseline occur. Tripwire’s file
integrity monitoring provides you with
side-by-side comparisons of what any
given file in your system looked like
before and after a change, highlighting
the differences so you can take action
quickly. Tripwire change management
isn’t just for files alone—your directo-
ries, registries, DLLs, ports, services,
protocols and more are also covered. Be
in the know as soon as change occurs.
Three Critical Questions
to Ask Your Vendor
Once you’re on the phone with a vendor,
spend your time wisely by asking
the three most important questions
to determine whether or not their
product will perform well within your
organization.
Question #1: Does it cover both
cloud and on-premises?
Many organizations rely on a com-
bination of cloud and on-premises
systems—a tough position to be in
when so many security products only
cover cloud-based environments. Ask
your vendor how their product will also
extend to your remaining legacy frame-
works as well.
Fig. 2 Real-time change intelligence—
Tripwire Enterprise gives you the most
comprehensive file integrity monitoring
solution available. Granular endpoint
intelligence provides continuous
monitoring for threat detection.
Tripwire’s industry-leading agents guard
your endpoints for continuous real-time
monitoring.
Question #2: Does it comes with a
service team? Your 10-point
The best security system in the world
DevOps security
won’t do you any good if you don’t know
how to configure and maintain it. Avoid checklist
solutions that don’t offer ongoing IT sup-
port. Look for security products with a Use this essential
customizable range of service options.
operational checklist to
ensure your security tool
Question #3: Will it keep us aligned
with compliance standards? contains all the necessary
One security consideration you can’t functionality to help you run
overlook is regulatory compliance. Will DevOps securely:
your security solution alert you the
FF Endpoint visibility for
moment you stray from compliance
standards? If not, you may end up having Docker containers
to pay a substantial fine (not to mention FF Integration with legacy
risk a security breach). Make sure you
systems
talk to your vendor about the breadth
and depth of their product’s coverage. FF Change detection with
file integrity monitoring
How Tripwire Secures Your
FF Attack surface
DevOps Process reduction with configuration
You can put your trust in Tripwire® monitoring
Enterprise as your complete change
management solution during and after FF Vulnerability
your DevOps ramp-up. The cultural management
and operational changes a successful FF Security automation and
DevOps transition requires are enough
to worry about. Let us handle the rest.
remediation
FF Log management
Summary FF Real-time threat
With Tripwire, you can enjoy peace of detection
mind knowing both your legacy hard-
ware and cutting-edge cloud container FF System hardening and
operations will be secured with one compliance enforcement
comprehensive change management
FF Public cloud account
solution.
configuration
Fig 3. Securing the entire container
stack—Use Tripwire Enterprise to
enforce stringent security standards
across physical, virtual, and private and
public cloud environments. Tripwire
Enterprise supports over 1000 policy
and platform combinations, including
AWS Linux and Docker containers.

Fig 4. Security assessment and

remediation—Manual security practices
just aren’t efficient or effective enough
to keep up with the deep system
integration DevOps requires. Tripwire
Enterprise works seamlessly with best-
in-breed DevOps toolsets. Integrating
with these various tools allows for
automation of your key security
processes.
REQUEST A DEMO
With concerted planning
and skillful execution,
you can dramatically
increase your organization’s
effectiveness by adopting
the DevOps model. Don’t
let insufficient security
compromise the hard work
you’re investing in the
transition.

Let us take you through

a demo of Tripwire’s
security and vulnerability
management products
and services customized
to your specific IT security
and compliance needs.
Visit tripwire.com/contact/
request-demo and learn
more about how Tripwire
Sources: Enterprise is the perfect
1 https://img.deusm.com/informationweek/ solution for secure DevOps
Interop-ITX-Research-Reports-Infographic-
DevOps-FINAL.pdf deployment.
2 https://puppet.com/resources/whitepaper/
state-of-devops-report/thank-you
3 https://www.atlassian.com/it-unplugged/
devops/devops-trends-infographic
4 https://www.ca.com/en/blog-highlight/
devops-makes-employees-happy.html
5 https://www.darkreading.com/
cloud98--of-companies-prefer-integrat-
ing-security-with-devops/d/d-id/1329405
 Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial
organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity
asset visibility and deep endpoint intelligence combined with business context; together these solutions
integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions
includes configuration and policy management, file integrity monitoring, vulnerability management,
log management, and reporting and analytics. Learn more at tripwire.com

The State of Security: Security News, Trends and Insights at tripwire.com/blog

Follow us on Twitter @TripwireInc » Watch us at youtube.com/TripwireInc

©2018 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. BRDOSBG1a 1805