DevSecOps for Authorization

1. Overview

What is DevSecOps? DevSecOps refers to the strategy of development, security, and operations teams working hand-in-hand on their projects, rather than working in isolation. Each component of DevSecOps – development, security, and operations – is meant to be integrated into the processes of its fellow components. For example, on the security side, DevOps practices should be part of the lifecycle of security procedures.

If we are to apply DevOps to security, we must treat security as code. In this article, we will review how, by treating authorization policies as code, we can effectively bring authorization into the DevSecOps strategy.

2. Centralized and Externalized Access Control

In order to practice the agility and responsiveness that the strategy of DevSecOps calls for, access control must be centralized and externalized from applications, similar to what is described in the eXtensible Access Control Markup Language (XACML). Centralizing and externalizing authorization also makes an organization safer, because the security policies live in one place rather than being baked into every application. This means we have to review one set of policies rather than several!

A modern trend is microservices. A common issue is a microservice implementing its own authorization and thereby not following the principle of single responsibility. Both monolithic and microservice applications need to externalize and centralize their authorization.

3. Version Control of Policies

In order to treat security as code, we need to apply version control to our authorization policies. The benefits of using version control on our policies include:

  • The ability to roll back to a previous policy if an issue is encountered with a new version.
  • To properly deploy policy in development, QA, and production.
  • To effectively collaborate within a security policy team, as you can compare policies, identify differences, and merge changes as you see fit.

As we can see, the benefits of using version control amount to more agility and responsiveness, which are cornerstones of DevSecOps. 

4. Automation

By integrating our externalized and centralized authorization software with an automation server, such as Jenkins, we can automate:

  • Deployment of policies from our version control system, such as Git.
  • Acceptance tests that ensure that critical authorization errors aren’t part of the new policy. 
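As an added example (not code from the original post, and not XACML), here is the kind of acceptance-test gate a Jenkins job could run against every policy version checked out from Git before deploying it: a small deny-overrides evaluator over a constructed JSON policy, a list of critical decisions the policy must always produce, and a check that reports any case a new policy version breaks. The policy format, rules, roles, and resources are all constructed for illustration.

```python
import json

# Constructed sample policy (hypothetical JSON format, not XACML): an ordered
# list of rules combined deny-overrides, with deny as the default decision.
POLICY_JSON = """[
 {"id": "admins-full",   "effect": "permit", "roles": ["admin"],     "actions": ["*"],               "resources": ["*"]},
 {"id": "users-read",    "effect": "permit", "roles": ["user"],      "actions": ["read"],            "resources": ["docs/*"]},
 {"id": "no-anon-write", "effect": "deny",   "roles": ["anonymous"], "actions": ["write", "delete"], "resources": ["*"]}
]"""

# A rule a careless commit might add (constructed); the gate below must reject it.
BROKEN_RULE = {"id": "users-all", "effect": "permit", "roles": ["user"], "actions": ["*"], "resources": ["*"]}

# Critical decisions every policy version must preserve (constructed cases):
# (role, action, resource, expected decision).
ACCEPTANCE_CASES = [
    ("anonymous", "write",  "docs/public",    "deny"),
    ("user",      "read",   "docs/handbook",  "permit"),
    ("user",      "delete", "docs/handbook",  "deny"),
    ("user",      "read",   "finance/ledger", "deny"),
    ("admin",     "delete", "finance/ledger", "permit"),
]

def load_policy(text):
    return json.loads(text)

def _match(pattern, value):
    """'*' matches anything, 'prefix/*' matches by prefix, else exact match."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def decide(policy, role, action, resource):
    """Deny-overrides: a matching deny wins, else a matching permit, else deny."""
    decision = "deny"
    for rule in policy:
        if (role in rule["roles"]
                and any(_match(a, action) for a in rule["actions"])
                and any(_match(r, resource) for r in rule["resources"])):
            if rule["effect"] == "deny":
                return "deny"
            decision = "permit"
    return decision

def acceptance_failures(policy, cases=ACCEPTANCE_CASES):
    """Return (role, action, resource, expected, actual) per failed case; empty means safe to deploy."""
    failures = []
    for role, action, resource, expected in cases:
        actual = decide(policy, role, action, resource)
        if actual != expected:
            failures.append((role, action, resource, expected, actual))
    return failures
```

A pipeline step would call `acceptance_failures(load_policy(open(path).read()))` and fail the build when the list is non-empty, which keeps the broken version out of QA and production and leaves the previous version in place.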

5. Conclusion

By following the DevSecOps principles we discussed here today, we can greatly improve the efficiency and responsiveness of authorization. The benefits of implementing these changes lead to a more secure organization.

To read more about modern authorization, check out my posts Authorizing Resources Based On Who Created Them and Expression-Based Access Control.

Published by Michael
