DevSecOps is the New DevOps

DevOps offers quicker delivery of products without loss of quality, but fails to integrate security as part of the cultural and technical transformation.
When organisations neglect security during development, the risk of security exposures dramatically increases.
Take, for example, the infamous SolarWinds attack in which attackers inserted a backdoor into SolarWinds’ software, resulting in the compromise of organisations worldwide, exposing sensitive data to attackers and exposing their systems to further manipulation.
More recently, the tj-actions/changed-files GitHub Action attack exposed repository secrets, potentially giving attackers access to proprietary data.
Growing Impacts of Security Failures
In the past, it was often easy to dismiss security as something mainly required by specific sectors, something accomplished with ISO certifications or purchased off the shelf.
However, as industry, commerce, and even daily life have grown dependent on digital technology, so has the negative impact of a security breach.
In recent years there has been a rise in legal security requirements in the EU, UK and US, such as the EU Cyber Resilience Act.
You can’t secure software products by simply performing audits or patching after development. Nor can a product provide the solution - the only way to move forward is to bring security into every process and elevate it in the minds of all employees.
Enter DevSecOps
DevSecOps reflects a fundamental shift-left approach: integrating security throughout your processes and embedding it within your culture.
On the technical side, this means incorporating supply chain validation techniques and security linting into build pipelines and deploying validated images into your Kubernetes clusters.
More impactfully, on the cultural side, it means educating engineers and managers of all stripes on security practices, incorporating security champions into organisational structures, and preparing processes so that teams can rapidly respond to newly discovered vulnerabilities.
Implementing Technical Approaches to DevSecOps
DevSecOps requires extending technical processes significantly, for example:
- Managing artefact and container image signatures and attestations to ensure integrity and provenance
- Integrating static application security testing (SAST) tools into application build pipelines
- Running security tools such as tfsec as part of Infrastructure-as-Code (IaC) pipelines
- Extending observability and monitoring tools and processes to detect and respond to security incidents
- Implementing software composition analysis (SCA) to identify vulnerable third-party libraries and dependencies
- Automating secrets detection in source code repositories and enforcing secure secrets management practices
Let’s examine two practical defenses against supply chain attacks.
Case Study: tj-actions/changed-files GitHub Action Attack
Looking back at tj-actions/changed-files
as an example, there are several straightforward mitigations that can be applied.
First, a naive approach, pulling with a pinned tag:

```yaml
- uses: tj-actions/changed-files@v46
  id: changed-files
  with:
    ...
```
Instead, pin to a specific commit, which prevents tag substitution, a common supply-chain attack in which a tag is moved to point at malicious code:

```yaml
- uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
  id: changed-files
  with:
    ...
```
Obviously this requires additional automation in all but the smallest projects to ensure pinned versions are kept up to date. Tools like Dependabot (for GitHub users) or Renovatebot can automatically open pull requests to update pinned dependencies.
Despite the significant risks of not pinning by commit, only around 3% of public GitHub repositories using GitHub Actions do so!
Image Signing and Validation
A related concept is performing image signing, ensuring the image your build system pushed is what actually gets deployed. Image signing using tools like Cosign or Sigstore ensures that your CI-generated images can’t be spoofed even if your internal registry is compromised. Combine this with Kubernetes admission controllers (e.g., Kyverno, Gatekeeper) that verify the images before allowing workloads to run, and you can be confident that your cluster is running the trusted workload you meant to deploy.
Let’s look at how a pipeline could integrate cosign to sign images. This snippet could execute in a GitHub Actions pipeline, and uses GitHub OIDC to provide keyless signing and verification.
```shell
# Note that this process stores public information in the transparency log.
cosign sign workload

# Verify images signed by the pipeline
cosign verify \
  --certificate-identity-regexp https://github.com/controlplaneio/a-service/.github/workflows/workload.yml.* \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/controlplaneio/a-service/workload@sha256:b2d2d...
```
Now, using Sigstore you can create the following policy to ensure that the signed image is verified before use in the cluster:
```yaml
apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: verify-a-service   # name assumed; not shown in the original snippet
spec:
  images:
    - glob: "ghcr.io/controlplaneio/a-service/**"   # assumed scope, matching the image verified above
  authorities:
    - name: keyless
      keyless:
        url: "https://fulcio.sigstore.dev"
        identities:
          - issuer: https://token.actions.githubusercontent.com
            subject: "https://github.com/controlplaneio/a-service/.github/workflows/..."
```
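The policy above trusts a signature only when the certificate's OIDC issuer and subject match an allowed identity. As an added example (not part of the original post or the Sigstore project), the following reproduces that matching logic in Python to show why the subject pattern should be anchored to a branch: the page's `workload.yml.*` pattern also accepts signatures made by the same workflow running on a pull-request ref. The identities and policies are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Identity:
    """One entry of a Sigstore `identities` list: exact issuer plus a subject
    matched either exactly or as a regular expression."""
    issuer: str
    subject: Optional[str] = None
    subject_regexp: Optional[str] = None


def identity_matches(identity: Identity, cert_issuer: str, cert_subject: str) -> bool:
    if cert_issuer != identity.issuer:
        return False  # a different OIDC provider is never trusted, whatever the subject
    if identity.subject is not None:
        return cert_subject == identity.subject
    if identity.subject_regexp is not None:
        # fullmatch: an unanchored search would accept any subject that merely
        # contains the workflow path somewhere inside it.
        return re.fullmatch(identity.subject_regexp, cert_subject) is not None
    return False


def is_trusted(identities: List[Identity], cert_issuer: str, cert_subject: str) -> bool:
    return any(identity_matches(i, cert_issuer, cert_subject) for i in identities)


GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
WORKFLOW = r"https://github\.com/controlplaneio/a-service/\.github/workflows/workload\.yml"

# Loose policy, equivalent to the page's `workload.yml.*` regexp.
LOOSE_POLICY = [Identity(issuer=GITHUB_ISSUER, subject_regexp=WORKFLOW + r".*")]
# Stricter policy: only runs of that workflow on the main branch may sign.
STRICT_POLICY = [Identity(issuer=GITHUB_ISSUER, subject_regexp=WORKFLOW + r"@refs/heads/main")]

# Constructed certificate subjects in the format Fulcio issues for GitHub Actions.
MAIN_SUBJECT = "https://github.com/controlplaneio/a-service/.github/workflows/workload.yml@refs/heads/main"
PR_SUBJECT = "https://github.com/controlplaneio/a-service/.github/workflows/workload.yml@refs/pull/42/merge"

if __name__ == "__main__":
    for name, policy in (("loose", LOOSE_POLICY), ("strict", STRICT_POLICY)):
        print(name, "main:", is_trusted(policy, GITHUB_ISSUER, MAIN_SUBJECT),
              "pull request:", is_trusted(policy, GITHUB_ISSUER, PR_SUBJECT))
```

Whether pull-request builds should be allowed to produce deployable signatures is a policy decision; the point is that the subject pattern, not just the issuer, decides it.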
But signing and validation isn’t just for images - for instance, Helm OCI repositories can use the helm sigstore plugin to provide similar assurances.
DevSecOps Requires a Cultural Shift
While the technical side of DevSecOps is important, none of the security processes will work unless your team’s culture accepts and understands the changes. The new security processes will increase friction in day-to-day work, especially early in the transformation, potentially frustrating engineers. Combat this by:
- Educating developers on the specific business risks that new processes mitigate
- Demonstrating the attacks that your new workflows are designed to prevent
- Appointing security champions for teams
- Encouraging investment in automation to reduce the major pain points
How We Can Help
Our ControlPlane team has extensive experience guiding organisations of all sizes through DevSecOps transformations. Contact us or learn more about our offerings.