{"id":4547,"date":"2016-03-08T14:12:19","date_gmt":"2016-03-08T20:12:19","guid":{"rendered":"https:\/\/www.poweradmin.com\/blog\/?p=4547"},"modified":"2016-02-09T16:36:33","modified_gmt":"2016-02-09T22:36:33","slug":"making-security-an-integral-part-of-devops","status":"publish","type":"post","link":"https:\/\/www.poweradmin.com\/blog\/making-security-an-integral-part-of-devops\/","title":{"rendered":"Making Security an Integral Part of DevOps"},"content":{"rendered":"<p><span style=\"font-family: verdana,geneva,sans-serif;\">In the rush to innovate, steal a jump on the competition, and bring new software products to market, enterprises have embraced the concept of DevOps: the peaceful co-habitation of Development and Operations, for more effective co-operation between the two.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">But this competitive frenzy often overlooks a vital aspect: security.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">In this article, we\u2019ll look at ways in which security may be integrated with DevOps procedures, to benefit the enterprise as a whole.<a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_integration.png\" rel=\"attachment wp-att-4549\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4549 alignright\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_integration.png\" alt=\"devopssec_integration\" width=\"370\" height=\"370\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_integration.png 370w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_integration-150x150.png 150w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_integration-300x300.png 300w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\"><\/a><\/span><\/p>\n<h2><span style=\"font-family: 
verdana,geneva,sans-serif;\">The Case for Integrated Security<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">The DevOps approach to developing software focuses on rapid application development, and the frequent roll-out of new releases \u2013 achieved through a harmonious mix of development, operations, support teams, and testing. New iterations of software may be prompted by feedback from users, configuration improvements, changing business requirements, or other criteria.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">In any event, alterations are made and tested in a staging environment which closely resembles the production floor, and pushed out as quickly as possible. Testing is an automated process, carried out on small modules of the software, at unit and integration levels.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">Yet traditionally, the testing of code for security issues and vulnerabilities has been sidelined \u2013 a process pretty much tacked on at the end (i.e. 
just before a new release is rolled out).<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">But if major security flaws are detected, they can either block a release altogether or (if ignored) lead to the roll-out of a version which has the potential to flop spectacularly in the wild, leading to user dissatisfaction, unchecked vulnerabilities, damage to a company\u2019s reputation and customer loyalty, possible legal actions or compliance issues, and subsequent loss of revenue.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">This is a compelling argument for working the security testing and monitoring element into the DevOps software development model earlier on.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">How It Might Work<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">Existing DevOps policies already offer some clues. In many organisations, tools are employed to run static code analysis, rather than unit testing, after each code commit. Developers receive rapid feedback on code which is confirmed to perform its stated function \u2013 and to have potentially greater security. This occurs in the deployment phase.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">Monitoring tools are employed during production \u2013 and among these, dynamic security tests could easily apply. 
Ideally, these should be automated, and available to developers on demand.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">No More Roll-backs?<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">In a \u201ctraditional\u201d software development environment, if flaws come to light during production, code can be returned to the lab, fixes applied, and a refreshed version is rolled back into the production environment. If this improved model also doesn\u2019t work, the process can be repeated. This might take days, weeks, or even months.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">DevOps doesn\u2019t do \u201croll-back\u201d. Rolling forward is the key to rapid application development and deployment. If fixes are required, they can be applied to the <a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_quality.png\" rel=\"attachment wp-att-4551\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4551 alignright\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_quality.png\" alt=\"devopssec_quality\" width=\"370\" height=\"370\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_quality.png 370w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_quality-150x150.png 150w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_quality-300x300.png 300w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\"><\/a>next release, within the space of a few hours. 
In a similar fashion, security patches under an integrated system can be pushed out to production quickly, and with a minimum of fuss.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">Working with Compliance Issues<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">The situation becomes more complex in environments which are highly regulated, and have both internal and external requirements which must be met to ensure regulatory compliance. For such enterprises, monitoring (including security monitoring) is an ongoing process, which can involve significant paper trails and interaction with third-party consultants and agencies.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">Yet it is feasible to <a href=\"http:\/\/www.it-director.com\/enterprise\/technology\/content\/devops-and-security-a-match-made-in-heaven\/\" rel=\"nofollow\" target=\"_blank\">adapt the DevOps model<\/a> to fit, in these circumstances. For example, it\u2019s possible to enter agreements with regulatory authorities to change the audit classification of infrastructure improvements brought about with automated tools \u2013 which would exempt such alterations from the approvals required for changes made by hand.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">The Role of Big Data<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">Monitoring, testing, configuration databases and log files can generate a ton of data, within a production environment. 
Aggregating this information in an easily accessible repository and applying Big Data analytics to it can yield insights which not only optimise the software development process, but also enhance its security.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">In the Agile software development model (of which DevOps is often a part), small changes are made to the code, in very short time periods. With the potential to roll out new releases to software on an hourly basis, the burden of testing has to be accelerated to keep up.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">Big Data analysis can reveal which software modules have the greatest potential for failure, or vulnerability to security issues. These insights can provide a road-map for targeted testing of only those aspects most likely to be of concern \u2013 significantly reducing each test cycle.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">And results yielded from automated testing across banks of servers over longer periods can throw up valuable data which can be analysed to identify target areas for surgical testing, in the future.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">\u201cDevOpsSec\u201d, Anyone?<a href=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_people.png\" rel=\"attachment wp-att-4550\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4550 alignright\" src=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_people.png\" alt=\"devopssec_people\" width=\"370\" height=\"370\" srcset=\"https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_people.png 370w, https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_people-150x150.png 150w, 
https:\/\/www.poweradmin.com\/blog\/wp-content\/uploads\/2016\/03\/devopssec_people-300x300.png 300w\" sizes=\"auto, (max-width: 370px) 100vw, 370px\"><\/a><\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\">There\u2019s already talk of \u201c<a href=\"http:\/\/devops.com\/2015\/09\/23\/devopssec-creating-the-full-triangle\/\" rel=\"nofollow\" target=\"_blank\">DevOpsSec<\/a>\u201d \u2013 the natural evolution of the DevOps philosophy, which includes Security as an integral part of the mix. Having security officers working alongside their colleagues from development and operations is seen as a hedge against the traditional conflict between advocates of rapid application development and security testing \u2013 the voice of caution which can bring the whole fast-track process to a shuddering halt.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">As with DevOps itself (which didn\u2019t take off immediately), this will require a change of mindsets, procedures, and working practices, by all concerned.<\/span><\/p>\n<h2><span style=\"font-family: verdana,geneva,sans-serif;\">A Strategy for Integrated Security<\/span><\/h2>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">\u00a0<\/span><span style=\"font-family: verdana,geneva,sans-serif;\"><b>1. Appoint a Security Officer, for each DevOps team. 
<\/b>He\/she will bring <a href=\"https:\/\/www.veracode.com\/blog\/2015\/07\/how-devops-and-agile-methodology-can-alter-security-integration-sw\" rel=\"nofollow\" target=\"_blank\">a security perspective<\/a> to each discussion the team has, and help in making security tests, monitoring and best practices a part of the development process, from the start.<\/span><\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\"><b>2. Encourage the various departments to learn from each other. <\/b>Testing and compliance are fine, but the Security Officer must also learn the ins and outs of the software development process. DevOps should also become aware of the mindset of the security operative. Shared experience and knowledge will lead to better collaboration, between team members.<\/span><\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\"><b>3. Allow some give-and-take in testing policies and metrics. <\/b>Large-scale security flaws which could be application killers should be given precedence over minor issues that could be patched, later. Security should also set up some measurable standards by which the vulnerability of released versions of the software may be readily established.<\/span><\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\"><b>4. Automate security testing, and include it early in the development process. <\/b>If a security flaw isn\u2019t spotted early, it may lead to nasty shocks, further down the line.<\/span><\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\"><b>5. Use Big Data analysis, to identify vulnerabilities, and optimise testing. <\/b>Analytics should reveal which types of code are most vulnerable, and should be tested more rigorously. 
Insights may also show which team members are throwing up the most security issues, or are not performing enough testing.<\/span><\/p>\n<p>\u00a0<\/p>\n<p><span style=\"font-family: verdana,geneva,sans-serif;\">Ultimately, good security throughout the development cycle translates into good-quality products. So integrating security with the DevOps policy makes good business sense.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the rush to innovate, steal a jump on the competition, and bring new software products to market, enterprises have embraced the concept of DevOps: the peaceful co-habitation of Development and Operations, for more effective co-operation between the two. \u00a0 But this competitive frenzy often overlooks a vital aspect: security. \u00a0 In this article, we\u2019ll [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":4549,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,13],"tags":[],"class_list":["post-4547","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-it","category-pc-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/comments?post=4547"}],"version-history":[{"count":5,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4547\/revisions"}],"predecessor-version":[{"id":4556,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/posts\/4547\/revisions\/4556"}],"wp:featuredmedia":[{"embeddable":t
rue,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media\/4549"}],"wp:attachment":[{"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/media?parent=4547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/categories?post=4547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.poweradmin.com\/blog\/wp-json\/wp\/v2\/tags?post=4547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}