DevOps is known for continuous delivery and rapid iteration, almost the exact opposite of enterprise security, which can be seen as slow-moving and overly cautious. As more companies move toward DevOps as a means of delivering and maintaining applications, security becomes critical to plug gaps and prevent data breaches, especially in the continuous delivery pipeline, which can introduce more holes for hackers to wriggle into. Experts advise carefully designing the delivery pipeline and testing everything as thoroughly as possible, as well as implementing security best practices throughout the entire DevOps lifecycle.

Security is everywhere in continuous delivery, according to Ben Grinnell, global head of technology and digital at North Highland. "In a modern DevOps world, everything possible is scripted and automated, and everything is under version control, including the code, the environments, the infrastructure, and the scripts and continuous integration (CI) tools themselves," he said.

The additional rigor in DevOps, including more testing and measurement that's done in automated, repeatable ways, can actually foster a more secure environment. Security can be designed into systems at the beginning, instead of testing at the end, Grinnell said.

Bring in the entire team

In DevOps, developers have the advantage of working in cross-functional environments that include operations and security team members, which offers the opportunity to understand threats and mitigations before a project even begins, Grinnell said.

However, this may require a new way of working. Developers will need to become accustomed to thinking about how their code can be supported in the operational environment, as well as write tests and consider test coverage, Grinnell said. They'll also need to broaden their skill sets. The good news is, despite the extra work, this does reduce job frustration.

Get extra training

To truly understand how to secure applications, developers may need specific security training, according to George Gerchow, VP of security and compliance at Sumo Logic. This includes code review, short sprints, understanding what libraries are safe to use, and setting up feature flags that code each piece, he said.

Employ automated scans

According to Nate Reynolds, head of engineering at ReviewTrackers, any time a human, machine, or bot has access to the delivery pipeline, risk is introduced. "Security flushing and thorough testing should be top of mind when implementing a true continuous delivery approach," he said. "Additional risk lies in giving another point (CD pipeline) access to your production servers. If unintended access to that machine occurs (such as from an external party) your DB, app server, etc., are at risk."

Reynolds advised documenting security groups and auditing them regularly. He also emphasized the critical importance of testing. "You should do three things: test, test, and test," he said, noting that human decisions are often flawed. Coding in particular can be prone to error, despite someone's best efforts. While product software engineers write tests for their application code, DevOps code doesn't always receive the same treatment, which leads to problems.

Some experts will take that one step further and specifically mention checking for known security flaws. "Code may not be in a static state long enough for traditional infrastructure security testing to be relevant at delivery time," said George Lerma, DevOps engineer at Armor. Because the time between writing code and delivery can be small, security flaws can be written in without developers realizing it.

Security automation is critical in the continuous delivery cycle, Lerma said. This includes integrating automatic static-code analysis of source code and automated vulnerability scanning tools in testing and preproduction systems to warn of vulnerabilities.

Automate infrastructure management

Many of the weaknesses lie in traditional IT management concepts, and continuous delivery's rapid changes can make it difficult for IT teams to keep up with engineering, Lerma said. For example, managing and administering dozens or hundreds of servers manually can lead to inadvertent security vulnerabilities due to inconsistencies.

Automating the management of IT infrastructure, much as code is automated, can minimize the chances of the system being put in a vulnerable state, Lerma said. "With automation frameworks such as Chef, Ansible, and Puppet, the concepts of CD for code can be applied to the automation orchestration of IT infrastructure, helping them minimize or remove their attack vector."

But that doesn't mean peer reviews aren't necessary. On the contrary, Lerma advises them to help identify logic or security flaws or other items that automation may miss. And depending on the amount of change implemented, human application logic testing may also be needed, he said.

Using DevOps methodology can actually provide an opportunity to bake more security into applications. According to experts, the key is to start with security at the outset, then test and employ human review to ensure that vulnerabilities aren't sneaking into the code.