Welcome!

Related Topics: @DevOpsSummit, Containers Expo Blog, Cloud Security

@DevOpsSummit: Blog Feed Post

What Is DevSecOps? How to Automate Security Testing | @DevOpsSummit #DevOps #Security

Software applications are complex and can potentially have lots of different types of security issues

What Is DevSecOps? How to Automate Security Testing
By Matt Watson

Every company wants to see their company getting press and media attention. Unless it is due to a hacker and a security breach. Every few weeks you see in the media stories of companies who were hacked. Getting a new credit card every few months because the data was hacked has been routine for most of us. The more that our world revolves around the internet and technology, the more cyber security becomes a big deal.

Software applications are complex and can potentially have lots of different types of security issues. The issues range from bad code to misconfigured servers and everything in between. Solving this problem requires everyone to always be thinking about security implications of what they are working on. DevSecOps is a new movement to do just that. The goal is to get developers to be thinking more about security principles and standards as they are building their applications.

Integrating DevOps + Security = DevSecOps
The goal of DevOps
is to give development teams more ownership in deploying and monitoring their applications. Automating how we provision servers and deploy our applications is at the heart of DevOps. Automation helps us move faster and ship higher quality products.

Adding security to this same automation is the goal of DevSecOps. Companies want to create strong security policies and standards without slowing down the development process. Security has to be part of the process and automated to not slow us down.

Things like DevOps and DevSecOps continue to change the meaning of the software development life cycle (SDLC). This image does a good job of visualizing it.

Tools for Automating Security Testing
One of the goals of DevSecOps is to build security testing into your development process. There are new tools that can be used to help achieve and automate it across the development lifecycle. Here are some of the types of tools that exist:

  • Cloud infrastructure best practices - Tools built into the cloud like Microsoft Azure Advisor and third party tools like evident.io can help scan your configurations for security best practices.
  • Automate security tests - You can now create and run automated security tests just like you would unit tests or integration tests. Gauntlt is a popular free framework for automated these types of tests.
  • Code Analysis - Tools like Veracode can scan your code to find potential vulnerabilities in your own code and open source libraries.
  • Runtime application security - Tools like Contrast Security run within your application in production and can help identify and prevent security issues in real time.

Hopefully, this gives you some ideas of the types of security testing and automation that can be built into your development process. Check out this list on GitHub which provides a huge list of tools and resources.

Security Unit Tests
Application security is something that needs to be thought of when we start writing code. Just as we write and run unit tests, running some automated security tests can help ensure new vulnerabilities were not introduced.  Gauntlt provides some neat capabilities around this.

For example, as part of your deployment process perhaps you provision new servers or deploy some Docker containers. You could then automatically run some various basic security tests.

  • Scan for open ports on your server
  • Test to see if your server responds to pings or not
  • Do an HTTP request and validate the cookies in the response
  • Test various HTTP verbs. Is it supposed to support DELETE, PATCH, etc?

Conclusion
Software and automation continue to change our world. Automation within the software development lifecycle helps us ship our code faster and at a higher quality. Adding security testing into that automation will also help us create more secure applications.  DevSecOps is still a new thing and is evolving quickly. Hopefully, this article gave you a few ideas you can use in the future to improve the security of your apps.

Recommended Resources:

The post What is DevSecOps? How to Automate Security Testing appeared first on Stackify.

Read the original blog entry...

More Stories By Stackify Blog

Stackify offers the only developers-friendly solution that fully integrates error and log management with application performance monitoring and management. Allowing you to easily isolate issues, identify what needs to be fixed quicker and focus your efforts – Support less, Code more. Stackify provides software developers, operations and support managers with an innovative cloud based solution that gives them DevOps insight and allows them to monitor, detect and resolve application issues before they affect the business to ensure a better end user experience. Start your free trial now stackify.com

Latest Stories
Join us at Cloud Expo June 6-8 to find out how to securely connect your cloud app to any cloud or on-premises data source – without complex firewall changes. More users are demanding access to on-premises data from their cloud applications. It’s no longer a “nice-to-have” but an important differentiator that drives competitive advantages. It’s the new “must have” in the hybrid era. Users want capabilities that give them a unified view of the data to get closer to customers and grow business. The...
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists looked at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deliver...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
In his session at @ThingsExpo, Eric Lachapelle, CEO of the Professional Evaluation and Certification Board (PECB), provided an overview of various initiatives to certify the security of connected devices and future trends in ensuring public trust of IoT. Eric Lachapelle is the Chief Executive Officer of the Professional Evaluation and Certification Board (PECB), an international certification body. His role is to help companies and individuals to achieve professional, accredited and worldwide re...
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...
IoT solutions exploit operational data generated by Internet-connected smart “things” for the purpose of gaining operational insight and producing “better outcomes” (for example, create new business models, eliminate unscheduled maintenance, etc.). The explosive proliferation of IoT solutions will result in an exponential growth in the volume of IoT data, precipitating significant Information Governance issues: who owns the IoT data, what are the rights/duties of IoT solutions adopters towards t...
It is ironic, but perhaps not unexpected, that many organizations who want the benefits of using an Agile approach to deliver software use a waterfall approach to adopting Agile practices: they form plans, they set milestones, and they measure progress by how many teams they have engaged. Old habits die hard, but like most waterfall software projects, most waterfall-style Agile adoption efforts fail to produce the results desired. The problem is that to get the results they want, they have to ch...
Wooed by the promise of faster innovation, lower TCO, and greater agility, businesses of every shape and size have embraced the cloud at every layer of the IT stack – from apps to file sharing to infrastructure. The typical organization currently uses more than a dozen sanctioned cloud apps and will shift more than half of all workloads to the cloud by 2018. Such cloud investments have delivered measurable benefits. But they’ve also resulted in some unintended side-effects: complexity and risk. ...
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities. In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, posited that disruption is inevitable for comp...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...
While DevOps most critically and famously fosters collaboration, communication, and integration through cultural change, culture is more of an output than an input. In order to actively drive cultural evolution, organizations must make substantial organizational and process changes, and adopt new technologies, to encourage a DevOps culture. Moderated by Andi Mann, panelists discussed how to balance these three pillars of DevOps, where to focus attention (and resources), where organizations might...
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.