The concept of DevSecOps is simple: By integrating security into the DevOps process, businesses introduce security earlier in the software development lifecycle, enabling cyber protection to “shift left,” reducing risks and eliminating costly rework.
Although the concept is easy to understand, implementing it isn’t easy, particularly with legacy security technologies. Most mainstream security is built on monolithic software stacks that don’t integrate easily with modernized app development tools and processes. Some security vendors have made software development kits available, but this typically requires some heavy lifting and throws the concept of continuous integration and continuous development, or CI/CD, out the window.
This week, Zscaler Inc. made generally available previously announced integrations with HashiCorp for its recently introduced cloud-native application protection platform, Posture Control. The integrations between Zscaler’s Posture Control and HashiCorp’s Terraform help DevOps teams and customers automate security and ensure that security guardrails are consistently incorporated into every part of the application environment.
The integration is particularly critical when adopting “infrastructure as code” as part of CI/CD pipelines. This enables the concept of shift-left to become a reality and reduces friction between development and security teams, providing rapid application deployment and better security posture.
With the software supply chain becoming an increasingly common target for sophisticated cyber attackers, it is imperative for organizations to protect their CI/CD pipelines. HashiCorp’s Terraform is one of the most popular and extensible open-source tools for defining and creating repeatable cloud infrastructure through code. It allows DevOps teams to configure their infrastructure and services using HashiCorp Configuration Language.
A Terraform provider interacts with the various application programming interfaces required to create, update and delete resources. Terraform is used to manage infrastructure through cloud providers, such as Amazon Web Services Inc., Microsoft Corp.’s Azure and Google Cloud Platform, but also can be used to manage platform as a service or PaaS and software as a service or SaaS resources.
Each time a Terraform script is executed, it records information about the resulting service configuration. Zscaler Posture Control integrates with development and DevOps tools across the development lifecycle to scan, identify and fix misconfigurations in Terraform templates and to prevent drift between the intended state and what is actually running in production. It detects misconfigurations in Terraform templates by comparing the code against hundreds of pre-defined and custom policies, and it provides remediation guidance and commit-ready fix recommendations within developer workflows.
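As an added illustration of the template-scanning step described above (example code written for this page, not Zscaler’s or HashiCorp’s own): a minimal policy check reads a constructed Terraform template, compares each resource against a small constructed policy set, and emits a commit-ready fix line for every violation. The tiny HCL reader assumes only the flat attributes and one-level nested blocks used in the sample; a production scanner would use a full HCL parser.

```python
import re
# Constructed sample template (not from Zscaler or HashiCorp): two misconfigurations, one compliant resource.
SAMPLE_TF = """resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
resource "aws_security_group" "ssh" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_db_instance" "main" {
  publicly_accessible = false
}
"""
HEADER = re.compile(r'^resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')  # resource "type" "name" {

def parse_resources(text: str) -> list:
    # Minimal HCL reader: one (type, name, {attr_path: raw_value}) per resource; nested-block keys read "block.attr".
    resources, current, prefix = [], None, []
    for line in text.splitlines():
        if HEADER.match(line):
            current, prefix = (*HEADER.match(line).groups(), {}), []
        elif current is None:
            continue  # text outside any resource block
        elif line.rstrip().endswith("{"):
            prefix.append(line.split()[0])  # enter nested block, e.g. "ingress"
        elif line.strip() == "}" and prefix:
            prefix.pop()  # leave nested block
        elif line.strip() == "}":
            resources.append(current); current = None  # resource block complete
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[2][".".join(prefix + [key])] = value.strip('"')
    return resources

# Constructed policy set: (resource type, attribute path, violation test, commit-ready fix line).
POLICIES = [
    ("aws_s3_bucket", "acl", lambda v: v.startswith("public"), 'acl = "private"'),
    ("aws_security_group", "ingress.cidr_blocks", lambda v: "0.0.0.0/0" in v, 'cidr_blocks = ["<admin-cidr>"]'),
    ("aws_db_instance", "publicly_accessible", lambda v: v == "true", "publicly_accessible = false"),
]

def scan(text: str) -> list:
    # Compare every parsed resource against POLICIES; each finding carries its suggested fix.
    findings = []
    for rtype, rname, attrs in parse_resources(text):
        for ptype, path, violates, fix in POLICIES:
            if rtype == ptype and path in attrs and violates(attrs[path]):
                findings.append({"resource": f"{rtype}.{rname}", "attribute": path, "value": attrs[path], "fix": fix})
    return findings
```

Running `scan(SAMPLE_TF)` reports the public bucket ACL and the world-open ingress rule with their fixes, and nothing for the compliant database instance.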
Although the concept of DevSecOps has been bandied about for a while, there is some urgency for businesses to embrace it. The biggest driver is the rise of multicloud and cloud-native services. The adoption of cloud has been strong, but many early cloud deployments were more akin to hosted monolithic software, the result of migrating virtual machines from the data center to the cloud. Over the past several years, the major cloud providers have added dozens of cloud-native services, many of which are now widely adopted.
Another driver is the massive number of breaches today. Companies are spending a record amount on cyber protection, and yet breaches are at an all-time high. Threat actors are using cloud-native automation tools, and businesses can no longer defend with point products scattered across the network. DevSecOps builds security into application development, minimizing the likelihood that security vulnerabilities will ever make it into a production cloud environment.
Lastly, CI/CD methodologies make compliance a challenge as rapid release cycles create constant testing, measurement and remediation. Security-as-code bakes threat protection into the application and infrastructure throughout this process.
The advantages of taking an approach like this include the ability to:
- Unify visibility across multicloud deployments to enforce guardrails and meet compliance requirements.
- Identify and remediate misconfigurations and policy violations in CI/CD pipelines so vulnerabilities don’t make it to the cloud.
- Empower developers with integrated remediation guidance and recommendations to resolve security issues on their own, lowering friction and avoiding costly rework.
- Continuously monitor automated deployment processes and production environments for changes and compliance violations.
This is an innovative step for Zscaler because it demonstrates the importance of having a cloud-native back end. To date, much of Zscaler’s success has come from being a “cost-efficient, faster and highly scalable” replacement for on-premises infrastructure. Instead of having to deploy security tools everywhere, companies can simply direct traffic to the Zscaler cloud, reducing cost and operational overhead and, most importantly, eliminating the risk of lateral movement by bad actors.
It has been my experience that the first wave of adoption of any new technology is to make the new thing look like the old thing, and that was certainly true for Zscaler. Customers frustrated with the legacy moat-and-castle model used Zscaler as a more efficient, easier-to-manage alternative in a highly distributed environment.
The second wave of a new technology is to understand its unique capabilities and do things that could not be done before. Virtualization went through this: early adopters used it to simplify managing servers, and eventually features such as vMotion were created that were unique to virtual servers.
Similarly, DevSecOps is difficult to achieve with legacy development processes and security tools, but easy to do when pairing automation tools such as HashiCorp’s Terraform with cloud-native protection platforms such as Zscaler’s Posture Control.