
What DevOps Means for Software Security

Over the past few years, the rise of the DevOps movement has led to a significant increase in developer productivity and accelerated the pace of software delivery. Automation plays a big role in modern DevOps-based software development. In fact, it is the automation in testing and deployment that has enabled companies to do multiple releases in a day, compared to the old times where releasing once a week was considered agile development.


DevOps combines elements from multiple disciplines of engineering, QA and operations to define a new paradigm to build software. What does it mean for software security? Unfortunately, most people don’t have a clue and are still trying to shoehorn old security practices into the new DevOps model. Some more enlightened folks are trying to come up with big bang frameworks (similar to the SDLC of yesteryears) to incorporate security with DevOps. SDLC itself is fundamentally different from DevOps as it tries to incorporate a notion of security as gatekeeping between different phases of software development.

Thus, both these approaches are bound to fail for the following reasons:

  • DevOps is not just the sum total of the tooling used for testing, integration and deployment.
  • My DevOps is not the same as your DevOps.

Old security practices cannot be directly lifted and applied to DevOps since it goes beyond just the tooling and process. If you try to automate everything about threat modeling, secure design, secure coding rules, security testing and patch management with every release in the DevOps world, you are setting yourself up for disaster. DevOps is a fundamentally new way to build and deliver software and not a mere combination of all existing tools. You need to make a fundamentally new set of choices in order to assess the security risk of your application.

DevOps also doesn’t lend itself to big process frameworks because how I choose to implement it may be different from how you choose to implement it. It is the flexibility and lack of rigorous process controls that makes DevOps attractive in the first place. Trying to enforce an SDLC-like process on top of it is unlikely to find many takers.

It is actually incredibly hard to define what is meant by DevOps without referring to the tools that are commonly used to automate build and deployment. Let’s try to list the different facets of DevOps-based software delivery:

  1. The source code of the application resides in a distributed source control management system.
  2. A continuous integration system can automatically run tests on any commit.
  3. Applications can be built and deployed automatically from any commit.
  4. Logs and events from the deployed application are monitored continuously.

A given team or organization may be at a different stage of DevOps adoption and thus may do only one or a few of the above. Hopefully, we can all agree that these four items are eventually necessary if we want to claim that all deployments are automated and instantaneous. Since DevOps optimizes for frequent and fast iterations, you can see why it is at odds with security. A security team wants to optimize for fewer incidents, and if you try to force security into DevOps you will end up achieving neither.


So, Where Does Security Fit into DevOps?

Instead of trying to think about security as something that is a fixed target that you need to aim for, it is better to consider it as a useful property of software that can be gradually improved. If you think this way, you can do a better job of managing risks throughout the Continuous Integration/Continuous Delivery pipeline.

Based on the four key elements of DevOps described above, I would like to suggest the following guidelines that teams can use to improve overall security in a DevOps world.

  • Assess application risk: Even before you start a new project, figure out what risks the application will expose the business to. You do not need to do a full threat modeling exercise (whose benefits are debatable even in SDLC). Simply knowing the kinds of data the application will touch will help plan for better controls later.
  • Require a common baseline security: Do this for all applications, and include things like using CSP, Secure Cookies, TLS only and so on.
  • Enable test driven security: Similar to TDD, write security tests first, let them fail, implement the security control, then verify that the tests passed.
  • Make sure applications are up to date: Developers own the operational security of their application, so empower them to make sure dependencies and libraries are up to date.
  • Manage secrets in code: Alternatively, manage them on the servers; either way, the point is to prevent leaks.
  • Build centralized security services: This frees up others so they don’t have to manage keys and certificates, and so on.
  • Test and audit the underlying infrastructure: For example, make sure you check TLS configuration daily (I cannot stress this enough given the number of times we have had an expired certificate lead to a production incident) for certificate expiry and cipher suites.
  • Incident response plan: Eventually things will go bad; always have an incident response plan and follow it.
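The "common baseline" and "test driven security" guidelines above fit together naturally: the baseline (CSP, Secure cookies, TLS only) is exactly the kind of control you can express as a test that fails first and passes once the control is implemented. The following is an added example and not code from the original post or from XebiaLabs; the header predicates, the thresholds (one-year HSTS max-age) and the two response snapshots are constructed for illustration, and in a real pipeline the snapshots would come from an HTTP client hitting a staging deployment.

```python
"""Baseline security controls written as failing-first tests.

Added example (not from the original post). The checks encode an assumed
baseline: Content-Security-Policy without 'unsafe-inline', HSTS with at
least a one-year max-age, X-Content-Type-Options: nosniff, TLS only, and
Secure + HttpOnly on every cookie. Adjust to your own baseline.
"""
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age


def _max_age(hsts_value):
    """Extract max-age from a Strict-Transport-Security header (0 if absent)."""
    for directive in hsts_value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


# Header name -> predicate that the header value must satisfy.
BASELINE_HEADERS = {
    "Content-Security-Policy": lambda v: "default-src" in v and "unsafe-inline" not in v,
    "Strict-Transport-Security": lambda v: _max_age(v) >= ONE_YEAR,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
}


def baseline_failures(status, headers, cookies, scheme):
    """Return a list of human-readable baseline violations; empty means pass."""
    failures = []
    if scheme != "https":
        failures.append("served over plain HTTP; TLS only is required")
    for name, ok in BASELINE_HEADERS.items():
        value = headers.get(name)
        if value is None:
            failures.append(f"missing header {name}")
        elif not ok(value):
            failures.append(f"weak value for {name}: {value!r}")
    for raw_set_cookie in cookies:
        jar = SimpleCookie()
        jar.load(raw_set_cookie)  # parses one Set-Cookie value into Morsels
        for key, morsel in jar.items():
            if not morsel["secure"]:
                failures.append(f"cookie {key} lacks Secure")
            if not morsel["httponly"]:
                failures.append(f"cookie {key} lacks HttpOnly")
    return failures


# Step 1 ("red"): a constructed snapshot of the application before any control exists.
BEFORE = dict(
    status=200,
    headers={"Content-Type": "text/html"},
    cookies=["session=abc123; Path=/"],
    scheme="http",
)

# Step 3 ("green"): the same constructed application after the controls were added.
AFTER = dict(
    status=200,
    headers={
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    },
    cookies=["session=abc123; Path=/; Secure; HttpOnly"],
    scheme="https",
)


def run_security_tests(snapshot):
    """The test the pipeline runs on every commit: fail the build on any violation."""
    return baseline_failures(**snapshot)


if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        problems = run_security_tests(snapshot)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for line in problems:
            print("  -", line)
```

Wiring `run_security_tests` into the continuous integration step from the facets list turns the baseline into something that is verified on every commit rather than certified once; the "before" snapshot yields six findings, the "after" snapshot none.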

You may have noticed I did not use words like scanning, checking and certifying, which are typically associated with application security. I also purposely did not name any tool since I wanted to present a set of generic guidelines.
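The daily TLS check called for in the "test and audit the underlying infrastructure" guideline is small enough to own as a scheduled job. The following is an added example, not code from the original post or from XebiaLabs; the 14-day warning window, the minimum protocol version, the substring list of weak cipher names and the sample certificate date are all assumed values chosen for illustration. It uses only the Python standard library.

```python
"""Daily TLS hygiene check: certificate expiry and negotiated protocol/cipher.

Added example (not from the original post). Policy values below are assumed.
"""
import socket
import ssl
import sys
import time

WARN_DAYS = 14                 # assumed: alert while there is still time to renew
OLD_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
# Coarse substring filter over OpenSSL cipher names; assumed deny-list.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

# Constructed sample in the exact format ssl.getpeercert()['notAfter'] uses.
SAMPLE_NOT_AFTER = "Jan  5 09:34:43 2018 GMT"
SAMPLE_EXPIRY = ssl.cert_time_to_seconds(SAMPLE_NOT_AFTER)  # seconds since epoch, UTC


def days_until_expiry(not_after, now=None):
    """Days remaining (negative if already expired) for a 'notAfter' string."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400


def evaluate(not_after, protocol, cipher_name, now=None):
    """Return a list of findings for one endpoint; empty means healthy."""
    findings = []
    days = days_until_expiry(not_after, now)
    if days < 0:
        findings.append(f"certificate expired {-days:.1f} days ago")
    elif days < WARN_DAYS:
        findings.append(f"certificate expires in {days:.1f} days")
    if protocol in OLD_PROTOCOLS:
        findings.append(f"negotiated {protocol}; TLSv1.2 or newer required")
    if any(marker.lower() in cipher_name.lower() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite negotiated: {cipher_name}")
    return findings


def check_endpoint(host, port=443, timeout=5.0):
    """Connect with the platform trust store and evaluate what was negotiated."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                cipher_name, protocol, _bits = tls.cipher()
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted chain never completes the handshake, so the
        # verification error itself is the finding worth alerting on.
        return [f"certificate verification failed: {exc.verify_message}"]
    return evaluate(cert["notAfter"], protocol, cipher_name)


if __name__ == "__main__":
    # Offline demonstration on constructed values: 30 days left, then expired + weak.
    healthy = evaluate(SAMPLE_NOT_AFTER, "TLSv1.3", "TLS_AES_256_GCM_SHA384",
                       now=SAMPLE_EXPIRY - 30 * 86400)
    broken = evaluate(SAMPLE_NOT_AFTER, "TLSv1", "RC4-SHA",
                      now=SAMPLE_EXPIRY + 86400)
    print("sample healthy endpoint:", healthy or "OK")
    print("sample broken endpoint:", broken)
    # Live check when a hostname is given; non-zero exit lets a scheduler alert.
    if len(sys.argv) > 1:
        problems = check_endpoint(sys.argv[1])
        print(f"{sys.argv[1]}: {'OK' if not problems else 'ALERT'}")
        for p in problems:
            print("  -", p)
        sys.exit(1 if problems else 0)
```

One caveat worth knowing: `ssl.create_default_context()` on recent Python versions already refuses protocols below TLSv1.2 and rejects expired certificates during the handshake, so for a live endpoint those two conditions surface as the `SSLCertVerificationError` branch or a handshake failure rather than as `evaluate` findings; the protocol and cipher checks in `evaluate` matter when you deliberately lower the context's `minimum_version` to probe what a server still offers.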

Towards Continuous Security

If you think about security holistically you will realize that, much like DevOps, it requires a multi-disciplinary approach in order to be successful. Just like we can continuously deliver features over time, we can aim to make our software more robust and secure over time. When you follow this mindset you tend to design systems with security built in. Remember continuous security is just security with DevOps.

This blog was originally published at: http://bit.ly/2uFMDNb. It has been edited slightly for clarity.

For more information on DevOps Security, see the following post by DevOps thought leader and author, Gene Kim:

10 Tips for Integrating Security into DevOps

The post What DevOps Means for Software Security appeared first on XebiaLabs Blog.
