Using DevOps To Upgrade Application Security

The techniques of the DevOps movement designed to bring developers and IT operations into closer alignment for more agility can also be a huge boon for app sec, RSA panelists say

SAN FRANCISCO -- RSA CONFERENCE 2013 -- Traditionally, the world of IT app development and deployment has pitted developers and IT operations staff in two corners of the proverbial ring, making them what some experts call natural enemies, with little cooperation and a lot of bureaucratic processing in the march toward pushing production code live. Its an unproductive cycle that has spurred the countercultural DevOps movement.
The idea behind DevOps methodology is to eliminate clashes between the two groups and implement faster, more bite-size code deploys at more frequent intervals. The volume and speed of deploy rates, plus the shift in engineering culture precipitated by DevOps, could scare some security pros. But a panel at the RSA Conference last week showed how the paradigm shift could actually provide a huge step forward for security teams seeking to insert themselves into the development process for a more rugged enterprise application infrastructure.
What I find so amazing about studying DevOps organizations is that they have a culture that embraces security, said Nick Galbreath, vice president of engineering for IPONWEB. He described DevOps as a much more healthy way of developing code within an enterprise. The great thing is that all of the tools that you use to enable security layers right on top of DevOps. Having these tools that developers in operations use together to make things to go faster is just a great way for you to get your [security] job done.
According to Gene Kim, founder and former CEO of Tripwire and author of The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win, DevOps breaks the core point of conflict between developers and operations staff.
What you get is phenomenal feature deploy rates as well as world-class stability and security, he said, pointing to organizations like Facebook and Netflix that can see as many as 23,000 deployments in a day, but stressing that organizations dont necessarily have to work at that pace to take advantage of DevOps.
One of the big security worries that crops up with such a deployment schedule is the pressure it puts on change management, code review, and other aspects of security scrutiny, he said.
Any place that you have manual review, you just cant do that 1,000 times a day, Kim said. Those manual reviews have to be turned into some sort of automated tests that get put into the continuous deployment pipeline.
However, this dovetails nicely into one of the four fundamentals that panelist David Mortman, chief security architect for enStratus, identified as critical to implementing DevOps methodology: culture, automation, measurement, and sharing.
For me, DevOps is about doing your job right, he said. Theres a lot about speed and things like that, but for me its about working effectively with other team members.
Automation plays a huge part, and Mortman said that security can easily piggyback on the automated testing that DevOps naturally encourages.
If you watch a lot of DevOps talks on the dev side, they talk about automating all of your unit tests and functional tests and integration tests, he said. So one of the things Im doing is working with one of our engineers to add security unit tests and functional tests to the code theyre already writing. So that way, every time someone gets code properly committed, it gets tested for all of these things [and] if someone broke something or potentially broke something ... you find out immediately.
Its a principal that Twitter uses in its stack code analysis, Kim told the crowd.
Basically, every time a developer hits save, it runs static code analysis, and theyll get an email that said you just wrote a piece of code that creates this vulnerability, and heres how you fix it, he said. Its not on code commit -- its on save. That is integrating security in the daily work of developers and operations.
DevOps also affords organizations more opportunities to fix issues quickly, said Josh Corman, director of security intelligence for Akamai Technologies.
The ability to do smaller batch sizes and more of them with more confidence makes it so you dont wait six months to get your security patch in, he said. Youre no longer afraid of patching because you can always unpatch or roll back.
More importantly, the faster speed of deployment and the automation makes it easier to build in a sense of immediacy with the security feedback offered to developers, greatly increasing the opportunity for not just fast fixes, but also better developer education. According to Galbreath, the traditional development cycle can have the security team pointing out problems to a developer who has long since moved past the relevant project.
Now they have to go find the developer, who honestly doesnt remember anything about what happened, he said. Its just an annoyance. The fast deploy cycles really change things: You go and say, That deploy you did yesterday, theres a problem with it, and they say, OK, let me get in the queue and Ill fix that later today.
The other big plus of frequent but smaller code deployments is the subsequent reduction of complexity within each deployment, Mortman said, who explains that studies have shown that increasing code complexity can have an exponential affect on security and stability.
When you have less code, you have less complexity and you have fewer security bugs, he said.
According to Corman, organizations dont even necessarily need to transform their shops with DevOps methods -- even if legacy deployments get in the way of across the board changes. Im not saying you can wave a magic wand and fix all of the legacy stuff, but you dont have to make new stuff as badly as we made the old stuff, he said. Even if youre not going to do DevOps, the lessons weve learned are equally applicable to our other stuff. In some of these cases, the way a security person got a seat at the table is by introducing DevOps to their development group.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Using DevOps To Upgrade Application Security