Is DevOps secure?
- 01 October, 2015 10:41
Opinion | DevOps — one of the biggest trends in software development among startups and big business alike — first began in 2007. Its aim is to increase the speed at which companies develop and publish software.
At its heart, DevOps was intended to remove the silos between different departments, particularly developers and operations staff, that slowed fast-moving organisations and prevented quick iterations of software. It has caught on quickly, and, given the results when implemented effectively, it’s easy to see why.
For some, however, removing those points of friction or resistance can translate to removing anything at all that slows down the process — including risk management, audits and other security best practices. So if a company adopts DevOps, do their products become less secure?
When Facebook founder Mark Zuckerberg famously said “move fast and break things”, he wasn’t referring to leaving major security gaps in the social network.
There’s no doubt that security is still paramount, regardless of how quickly a company iterates on its software. But how does one successfully move to a DevOps-oriented environment and maintain that pace of innovation without developing security holes that could lead to a major attack down the road?
The cultural changeAs with any company overhaul, DevOps is fundamentally a cultural shift and one that must be managed carefully. Approached too literally, DevOps could be seen purely as the removal of barriers between development and operations departments. But DevOps is about more than just those two departments.
A true DevOps environment is one that greases the wheels between developers, operations, security, administrators and management — all of the puzzle pieces that go into software development and maintenance.
Embracing staff from all departments attached to the software development lifecycle is crucial to ensuring a company-wide transition comes off without a hitch.
It’s a significant cultural change for any organisation and one that takes time, particularly when it comes to aspects of the organisation that are prone to moving slowly and cautiously.
Though dedicated security staff will no doubt continue to be a major part of any software team, part of handling the cultural change for DevOps is instilling the attitude that security is everyone’s responsibility. Fostering an environment in which this attitude is held is vital to ensuring that DevOps is implemented smoothly, and that security is considered at every stage of the process.
Security from day oneSecurity can sometimes be an afterthought in any software development process, a checkbox that’s ticked at the end of development in the hopes of ensuring that there isn’t a disaster down the road.
But involving security personnel and processes from the first day of design and development helps ensure that the product has security baked in, rather than tacked on.
That means designing and managing the environment in which systems and applications are developed and deployed with security in mind.
Hardening these environments provides a base upon which to develop secure systems, while ensuring that development, test, and production environments are configured as similarly as possible and in an automated manner enables smooth and repeatable development and deployment.
Many tools exist to automate some of the more mundane elements of the development process with an emphasis on security, such as code analysis, environment monitoring and alerting, and exception reporting.
Other operations can also be automated to allow for staff to operate more efficiently and focus on responding to anomalies, rather than spending time finding them.
Security-enabled DevOps also requires companies to ensure that development staff have knowledge of security best practices and how they are impacted by design and implementation choices.
Training them to be aware of and sensitive to security throughout the development process will support development that is informed by security while minimising rework required by issues identified during code audits.
Ultimately, the biggest shift a company has to undergo when it comes to security and DevOps is moving from a state of periodic security checks, to constant security awareness and visibility.
In support of this, it is important to ensure that relevant information is provided to security staff so that they can provide timely input into the development process, thereby ensuring that they add as little friction as possible.
Maintaining the security of one’s applications shouldn’t be a one-in-three-month audit process, particularly in a DevOps environment. Instead, security processes should be a part of day to day life.
Zuckerberg no longer says “move fast and break things”; his new motto is “move fast with stable infrastructure”, which is one to which many DevOps teams can no doubt relate.
Theo Peterson is information assurance manager at Bulletproof Group.