DevOps, an enabler for Software Security?

Theodoor Scholte
Software Improvement Group
Sep 23, 2016

DevOps has become a popular concept. Google Trends confirms that its popularity has exploded. It is not only popular, but there is also a demand for DevOps, which is shown by traditional organisations moving towards DevOps for cloud-based software development. Because the focus of DevOps is on the fast delivery of new functionality, software security tends to get snowed under. Fortunately, this is not necessarily always the case.

DevOps

DevOps is a software development method that stimulates collaboration between teams of developers, testers and system administrators. This collaboration is an enabler for shortening the time-to-market, increasing the stability of releases and resolving failures and/or incidents more quickly. To accomplish this, DevOps is often combined with elements of Continuous Delivery and Continuous Deployment such as standardized development environments, automation of test and integration processes and automated installation and distribution of applications (deployment). This increases the predictability and efficiency of software releases.

Criticism

The advantages of DevOps sound too good to be true. One of the common critiques is that a developer within a DevOps organisation, a full-stack developer, requires knowledge and experience in many domains: server- and network-infrastructures, application-servers, data modeling and management, business logic, APIs, software frameworks and libraries, user interfaces and of course the requirements of the customer. Critics argue that one single person cannot have all this knowledge and experience, especially in large organisations.

Security specialists have other concerns. First of all, they claim that the culture within DevOps organisations is ill-suited for secure software development. There is a strong focus on shortening time-to-market to deliver new functionality. The criticism is that less priority is given to non-functional or invisible aspects such as security. The result: less secure software in production.

The second concern is about the pace of the software development process. Fast changes in configuration and code can lead to new security risks. Security vulnerabilities can be detected at an early stage by applying automated security tests. However, not all classes of security vulnerabilities can be detected by using automated tools. A well-known example is logical flaws. Manual security reviews (code review, penetration tests), which are time-consuming, are still required. The pace of the software development process within a DevOps environment can make the result of these reviews obsolete.

To summarize, DevOps can lead to undiscovered security risks. However, DevOps does provide wide opportunities to increase the level of software security.

Advantages of DevOps for software security

During the security assessments that we perform as SIG we see that organisations that apply DevOps exhibit several advantages regarding software security:

  1. DevOps teams have a better overview of the chain of server- and networking infrastructure to the application, which sheds light on security weaknesses in that chain.
    Security is everywhere. Security mechanisms should be built into both the infrastructure and the application. Optimal collaboration between developers, security specialists and operational teams enables the identification of threats regarding the entire chain and acting upon them. In addition, it will be easier to perform a security analysis when knowledge about the whole chain is shared amongst a group of people.
  2. With DevOps, a wider scope of responsibilities stimulates a development team to prevent incidents instead of solving them when they occur.
    The integration of developers, operational teams and (security) specialists gives team members a greater sense of responsibility to keep an application running smoothly and securely. This is also because they must clean up the wreckage after an incident themselves. A team therefore has an incentive to come up with solutions that prevent those incidents.
  3. With the help of tooling and automated (test-) processes, vulnerabilities are found earlier.
    In a strict sense, DevOps does not necessarily encompass test automation, packaging, installation and distribution of applications (deployment). For obvious reasons, though, they are often performed together in the team. Fortunately, security testing can (partly) be automated and can be part of an automated development pipeline. This allows for quick identification of vulnerabilities and quick feedback on them.
  4. Shorter release times allow for quicker resolution times.
    Software security is not only about preventing vulnerabilities, but also about detection of and response to incidents. By means of team collaboration, more knowledge and experience is available to configure detection systems so that application-specific incidents can also be detected (as opposed to incidents that appear on the network as a whole such as a Denial of Service attack). With short release cycles, the root cause of those incidents, the vulnerabilities, can be resolved quickly.

Measure to manage

Clearly, applying DevOps by itself does not automatically make an application more secure. The introduction of DevOps in a software development organisation does provide opportunities to implement or improve a Secure Software Development Life Cycle (SSDLC). An SSDLC is a process that helps developers realize secure software during the complete software development process, instead of thinking about software security after the fact. Within such an SSDLC we may distinguish a couple of security activities such as threat modeling, code review supplemented with static code analysis tools and using vulnerability scanners.

“Pure” DevOps environments often manage on IT performance-related metrics such as deployment frequency and deployment lead time. If one were to manage only on those metrics, there is a risk that software security is neglected (after all, if it is not measured, it is easily overlooked). Therefore, organisations must also carefully determine security metrics to ensure that software security can be improved in a measurable manner.

In our experience, a proper first step is to determine how successful an organisation is in integrating security in the software development process. In a SIG security assessment we perform such security measurements. With the help of a structured approach and model we inspect to what degree security activities of an SSDLC are being performed by an organisation during the development of a software product, and how well those activities are executed.
