What security experts need to know about DevOps and continuous delivery

James Wickett
Signal Sciences Labs
5 min read · Jan 6, 2016


There are a lot of terms thrown around in modern IT and software engineering organizations — DevOps, continuous delivery and build pipelines are just a few examples. People are Kanbanning and sprinting like crazy, and developers are deploying to production multiple times a day. Ten years ago this would have been seen as ludicrous, but now it's standard operating procedure. The benefits of using DevOps and high-throughput development and operations flow methods have been researched and proven again and again. Like it or not, DevOps, and all it entails, is here to stay.

light speed is too slow, we’re gonna have to go right to… Ludicrous speed!

The problem is that security teams are often left out of the new development world, whether due to organizational inertia, lack of cutting-edge development expertise, or a general lack of resources. Additionally, when security is included in the discussion, they often feel out of their element with the new vocabulary of these practices. To help alleviate the stress of learning a whole new language, we at Signal Sciences have broken down some of the new development terms to help you understand their implications for security.

DevOps

DevOps tried for a long time to resist definition. In the early days you would often find only statements on culture and the impact DevOps will have on culture, but one of our current favorite definitions of DevOps is:

“DevOps is the application of Agile methodology to system administration”

From The Practice of Cloud System Administration

There is an excellent article by Ernest Mueller (@ernestmueller) over at The Agile Admin titled What is DevOps? To summarize that article, DevOps is the continuation of agile practices from development into operations. That may still be too vague, but one popular and oft-cited model, proposed to help bring definition to DevOps, is what its authors call the CAMS model:

  • Culture
  • Automation
  • Measurement
  • Sharing

DevOps is not just about automation frameworks, monitoring, or infrastructure as code. All those things play a part, but DevOps is a more culture-centric and holistic approach to IT and application development.

What does DevOps mean for Security?

In the early years there were lots of security professionals blowing off the notion of DevOps, many of them proclaiming it a buzzword or a fad. The first thing we as security professionals must realize is that DevOps is here to stay. We must accept it, embrace it, and, just maybe, find that the grass is greener on this side of the fence.

Secondly, there is an urge to protest against DevOps with arguments regarding “separation of duties”. If you fall into this camp, you need to read the DevOps Audit Defense Toolkit. It will open your eyes to what separation of duties is intended for and how DevOps integrates into environments requiring heavy separation of duties.

Lastly, security professionals must see DevOps as an opportunity for increased security. With DevOps placing a much higher emphasis on monitoring and measurement, now is the time to expose security event data to your operations dashboards and integrate operational insight into your security decisions.

We at Signal Sciences provide a NextGen Web Application Firewall that provides increased security, monitoring, and visibility into attacks happening in real time. While we, of course, recommend using our solutions, we recognize that there is no silver bullet technology for application security. The most important trick to improving security in a DevOps world is that all software and tooling used by the security and operational teams must integrate into reporting and monitoring dashboards, creating visibility into the runtime security state. To be successful, security must be transparent in the organization while simultaneously adding visibility across the board.

Continuous Delivery

Mentioning the words “continuous delivery” often instills panic tremors in a security professional. Old school developers will say things like: “You mean a developer checks in code and within minutes it is live… on the site?! It feels weird. Why in the world would someone think that is a good idea?!”

Continuous delivery is not merely how often you deliver but how little you can deliver at a time

High code latency (the amount of time completed work sits unused) is similar to high WIP in manufacturing. It's bad for business. It delays other projects, hinders time-to-value, and has a greater chance of uncaught errors. Small batch releases make integration much smoother and have a lower error rate.

How does continuous delivery affect Security?

Continuous delivery brings a huge benefit to security in a lower mean time to remediation (MTTR). WhiteHat Security released a report in 2014 with this alarming statistic:

Serious vulnerabilities were resolved in an average of 193 days from first notification.

WhiteHat Website Security Statistics Report

Continuous delivery enables development organizations to shrink the time to resolve a significant vulnerability by making it equal to the time it takes for someone to write and test the fix. No more waiting until the next release cycle or being tied to other system upgrades. Low time to remediate is an enormous benefit to security. Of course, being able to do continuous delivery well hinges on a solid build pipeline.

Build Pipelines

Build pipelines go hand-in-hand with continuous delivery. You can't really do continuous delivery without them. Often when people talk about build pipelines, they mean the entire build and test system (e.g. Jenkins) that integrates with their version control system (e.g. GitHub). The build pipeline automatically detects changes, pulls down source code, runs the required tests, and fires a signal to the deploy system that a build is ready to deploy.

Most shops have a mechanism at the end of the build pipeline where an engineer can choose to deploy the build. That is assuming the build properly passed through all the tests, making it cleared to be deployed.

Security in a Build Pipeline

It is probably already apparent that this offers a really great place to put security testing and tooling. Here are some ideas to get you started.

  • Run attack tools on every build (e.g. Gauntlt)
  • Automatic build based static-code analysis
  • Trigger alerts on changes to the sensitive portions of your code base
  • Run asynchronous audits of infrastructure and your network
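As an added example (not from the original post or from Signal Sciences), here is the third idea above as a pipeline gate: a script that compares the files a commit touched against a watch list of sensitive paths and produces an alert for the build log. The watch list, the `git diff` invocation and the alert format are assumptions; a real team would keep the list in version control beside the pipeline config.

```python
import fnmatch
import subprocess
from typing import Iterable, List, Sequence, Tuple

# Constructed watch list of paths a security team would want to know about.
# fnmatch's "*" also matches "/", so "src/auth/*" covers nested files too.
SENSITIVE_PATTERNS = [
    "src/auth/*",
    "src/crypto/*",
    "config/secrets*",
    "deploy/*",
    "Dockerfile",
]


def changed_files(base: str, head: str) -> List[str]:
    """Paths touched between two revisions; assumes the job runs in a git checkout."""
    out = subprocess.run(
        ["git", "diff", "--name-only", f"{base}..{head}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [line for line in out.splitlines() if line]


def sensitive_changes(paths: Iterable[str],
                      patterns: Sequence[str] = SENSITIVE_PATTERNS) -> List[Tuple[str, str]]:
    """Return (path, matching pattern) for each changed path on the watch list."""
    hits = []
    for path in paths:
        for pattern in patterns:
            if fnmatch.fnmatch(path, pattern):
                hits.append((path, pattern))
                break  # one alert per file is enough
    return hits


def build_alert(commit: str, hits: List[Tuple[str, str]]) -> str:
    """Human-readable alert for the build log; empty string means nothing to report."""
    if not hits:
        return ""
    lines = [f"SECURITY REVIEW NEEDED: commit {commit} touches watched paths:"]
    lines += [f"  {path}  (matched {pattern})" for path, pattern in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Typical pipeline wiring: alert on sensitive changes but do not block the build.
    hits = sensitive_changes(changed_files("origin/main", "HEAD"))
    print(build_alert("HEAD", hits) or "no sensitive paths changed")
```

The alert is informational by design; whether it should fail the build or only notify a reviewer is a policy each team sets for itself.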

Summary

These high-throughput teams and practices are now the norm, and it's our job to integrate security into them. They are providing a vehicle for security in an organization to improve. The only thing that should be considered ludicrous about DevOps practices now is not participating in them.

Signal Sciences’ industry first Next Generation Web Application Firewall is a SaaS security solution designed to help you prioritize your defensive efforts on the areas of your web site targeted most by attackers. Signal Sciences’ solutions impose practical difficulties on attackers, without breaking real customer traffic. Signal Sciences provides production web security and attack visibility allowing you to improve your application security operations.


Head of Research at Signal Sciences, creator of gauntlt, and author of DevOps courses at Lynda.com / LinkedIn Learning