DevOps is known for continuous delivery and rapid iteration - almost the exact opposite of enterprise security, which can be seen as slow-moving and overly cautious. As more companies move toward DevOps as a means of delivering and maintaining applications, security becomes critical to plug gaps and prevent data breaches--especially in the continuous delivery pipeline, which can introduce more holes for hackers to wriggle into. Experts advise carefully designing the delivery pipeline and testing everything as thoroughly as possible, as well as implementing security best practices throughout the entire DevOps lifecycle.
Security is everywhere in continuous delivery, according to Ben Grinnell, global head of technology and digital at North Highland. "In a modern DevOps world, everything possible is scripted and automated, and everything is under version control, including the code, the environments, the infrastructure, and the scripts and continuous integration (CI) tools themselves," he said.
The additional rigor in DevOps, including more testing and measurement that's done in automated, repeatable ways, can actually foster a more secure environment. Security can be designed into systems at the beginning, instead of testing at the end, Grinnell said.
Bring in the entire team
In DevOps, developers have the advantage of working in cross-functional environments that include operations and security team members, which offers the opportunity to understand threats and mitigations before a project even begins, Grinnell said.
However, this may require a new way of working. Developers will need to become accustomed to thinking about how their code can be supported in the operational environment, as well as write tests and consider test coverage, Grinnell said. They'll also need to broaden their skill sets. The good news is, despite the extra work, this does reduce job frustration.
IT leader's guide to making DevOps work
More and more organizations are jumping on the DevOps bandwagon and benefiting from increased productivity and a smoother workflow. This ebook looks at how you can get the most from the DevOps approach. Free for Tech Pro Research subscribers.
Get extra training
To truly understand how to secure applications, developers may need specific security training, according to George Gerchow, VP of security and compliance at Sumo Logic. This includes code review, short sprints, understanding what libraries are safe to use, and setting up feature flags that code each piece, he said.
Employ automated scans
According to Nate Reynolds, head of engineering at ReviewTrackers, any time a human, machine, or bot has access to the delivery pipeline, risk is introduced. "Security flushing and thorough testing should be top of mind when implementing a true continuous delivery approach, he said. "Additional risk lies in giving another point (CD pipeline) access to your production servers. If unintended access to that machine occurs (such as from an external party) your DB, app server, etc., are at risk"
Reynolds advised documenting security groups and auditing them regularly. He also emphasized the critical importance of testing. "You should do three things: test, test, and test," he said, noting that human decisions are often are flawed. Coding in particular can be prone to error, despite someone's best efforts. While product software engineers write tests for their application code, DevOps code doesn't always receive the same treatment, which leads to problems.
Some experts will take that one step further and specifically mention checking known security flaws. "Code may not be in a static state long enough for traditional infrastructure security testing to be relevant at delivery time," said George Lerma, DevOps engineer at Armor. Because the time between writing code and delivery can be small, security flaws can be written in without developers realizing it.
Security automation is critical in the continuous delivery cycle, Lerma said. This includes integrating automatic static-code analysis of source code and automated vulnerability scanning tools in testing and preproduction systems to warn of vulnerabilities.
Automate infrastructure management
Many of the weaknesses lie in traditional IT management concepts, and continuous delivery's rapid changes can make it difficult for IT teams to keep up with engineering, Lerma said. For example, managing and administering dozens or hundreds of servers manually can lead to inadvertent security vulnerabilities due to inconsistencies.
Automated management of IT infrastructure, such as the way code is automated, can minimize the chances of the system being put in a vulnerable state, Lerma said. "With automation frameworks such as Chef, Ansible, and Puppet, the concepts of CD for code can be applied to the automation orchestration of IT infrastructure, helping them minimize or remove their attack vector."
But that doesn't mean peer reviews aren't necessary. On the contrary, Lerma advises them to help identify logic or security flaws or other items that automation may miss. And depending on the amount of change implemented, human application logic testing may also be needed, he said.
Using DevOps methodology can actually provide an opportunity to bake more security into applications. According to experts, the key is to start with security at the outset, then test and employ human review to ensure that vulnerabilities aren't sneaking in to the code.
More From Tech Pro Research
-
Downloads
Kubernetes: A guide for IT pros and business leaders
Kubernetes enables the deployment, scaling, and management of containerized applications. This ebook explains why the ecosystem matters, ways to take advantage of it, and how it may contribute to the ...
-
eBooks
Top cloud providers 2019: A leader’s guide to the major players
Competition in the cloud computing space is heating up this year. This ebook offers a look at the relative merits, advantages, and shortcomings of the most prominent contenders. From the ebook: T...
-
Tools & Templates
Telecommuting policy
As more and more employees request the opportunity to perform some or all of their work from a remote location, the need has grown for organizations to have clearly defined guidelines that govern empl...
-
Tools & Templates
Feature comparison: Data analytics software and services
Finding the best data analytics software, services, and tools for your business requires extended research and a systematic evaluation of features. This download includes an overview of factors to con...
-
eBooks
Spectre and Meltdown: An insider’s guide
Design flaws in modern chip design have emerged as a significant threat to the security of data on PCs and mobile devices. This comprehensive ebook delves into two prominent vulnerabilities—Spectre an...
-
Tools & Templates
Comparison chart: VPN service providers
Selecting the right VPN provider for your needs requires a fair bit of legwork because the choices are many and the offerings vary greatly. This quick-glance chart rounds up 15 of the top contenders a...
-
Downloads
5G Research Report 2019: The enterprise is eager to adopt, despite cost concerns and availability
5G: The next-generation wireless network is finally a reality, and businesses remain eager to embrace this new technology. 5G will be popularized via telecom carriers and the marketing of wire-cutting...
-
eBooks
IoT security: A guide for IT leaders
The Internet of Things is delivering data and helpful insights to organizations around the world--but it has also introduced new and potentially devastating vulnerabilities. This ebook offers a compre...
-
Tools & Templates
Resource and data recovery policy
Employees, data, and resources are three of the biggest assets in any organization. All employees should be familiar with the processes for recovering information if it becomes lost, inaccessible, or ...
-
Tools & Templates
Feature comparison: CRM software and services
Choosing a CRM solution requires strategy, thoughtful consideration, and more than a little research. These guidelines and comparison tool provide a customizable framework your business can use to fin...
-
Tools & Templates
Crash Course: Microsoft PowerPoint
This pre-packaged presentation contains everything you need to get end users up-to-speed fast about how to use Microsoft PowerPoint -- even if you don't consider yourself a public speaker. It includes...
-
Tools & Templates
TechRepublic's E-mail Usage Policy
Numerous studies indicate that personal e-mail use at work is a leading cause of lost productivity. In addition, personal e-mail use can introduce viruses and Trojan programs that aid hackers' attempt...
-
Tools & Templates
Data Retention Policy
The organization is subject to data retention requirements resulting from a mix of legal, industry, and business mandates. These data retention requirements govern the storage of the organization's in...
-
eBooks
Best Practices for Maximizing Microsoft Access 2003
This pre-packaged presentation contains everything you need to instruct end users about how to get the most out of Microsoft Access--even if you don't consider yourself a public speaker. It includes a...
-
Tools & Templates
Data Protection Policy
Your organization is subject to a mix of strict legal, ethical, and self-imposed mandates that protect all of the organization's information, records, and data from improper, inappropriate, illegal, a...
-
Tools & Templates
Portable storage policy
This policy provides guidelines for the regulated and secure usage of portable storage devices. Its goal is to protect the organization and its employees from internal and external threats and to prov...
-
Tools & Templates
Harness the Full Power of Internet Explorer
This pre-packaged presentation contains everything you need to instruct end users about how to the most out of the Internet and Internet Explorer--even if you don't consider yourself a public speaker...
-
Tools & Templates
Gaming Policy
Computer games--including those installed from floppy disks, USB "thumb" drives, CDs, DVDs, or accessed online or as part of any massive, multiplayer network--present numerous risks to an organization...
-
Tools & Templates
Harness the Full Power of Windows XP
The Harness the Full Power of Windows XP presentation is a prepackaged solution for basic Windows XP training. This pre-packaged presentation contains everything you need to instruct end users about h...
-
Tools & Templates
Crash Course: Microsoft Outlook Advanced Functionality
The Microsoft Outlook -- Advanced Functionality presentation provides a preformatted template for training end users to fully leverage Microsoft Outlook's capabilities. The accompanying Quick Referenc...
-
Tools & Templates
Crash Course: Microsoft PowerPoint
This pre-packaged presentation contains everything you need to get end users up-to-speed fast about how to use Microsoft PowerPoint -- even if you don't consider yourself a public speaker. It includes...
-
Tools & Templates
TechRepublic's E-mail Usage Policy
Numerous studies indicate that personal e-mail use at work is a leading cause of lost productivity. In addition, personal e-mail use can introduce viruses and Trojan programs that aid hackers' attempt...
-
Tools & Templates
Data Retention Policy
The organization is subject to data retention requirements resulting from a mix of legal, industry, and business mandates. These data retention requirements govern the storage of the organization's in...
-
eBooks
Best Practices for Maximizing Microsoft Access 2003
This pre-packaged presentation contains everything you need to instruct end users about how to get the most out of Microsoft Access--even if you don't consider yourself a public speaker. It includes a...
-
Tools & Templates
Data Protection Policy
Your organization is subject to a mix of strict legal, ethical, and self-imposed mandates that protect all of the organization's information, records, and data from improper, inappropriate, illegal, a...
-
Tools & Templates
Portable storage policy
This policy provides guidelines for the regulated and secure usage of portable storage devices. Its goal is to protect the organization and its employees from internal and external threats and to prov...
-
Tools & Templates
Harness the Full Power of Internet Explorer
This pre-packaged presentation contains everything you need to instruct end users about how to the most out of the Internet and Internet Explorer--even if you don't consider yourself a public speaker...
-
Tools & Templates
Gaming Policy
Computer games--including those installed from floppy disks, USB "thumb" drives, CDs, DVDs, or accessed online or as part of any massive, multiplayer network--present numerous risks to an organization...
-
Tools & Templates
Harness the Full Power of Windows XP
The Harness the Full Power of Windows XP presentation is a prepackaged solution for basic Windows XP training. This pre-packaged presentation contains everything you need to instruct end users about h...
-
Tools & Templates
Crash Course: Microsoft Outlook Advanced Functionality
The Microsoft Outlook -- Advanced Functionality presentation provides a preformatted template for training end users to fully leverage Microsoft Outlook's capabilities. The accompanying Quick Referenc...