IT ops and development teams can sometimes seem like oil and water, but DevOps security can be the catalyst that brings them into harmony.
Whether it's conferring on a base operating system image for all application deployments, writing security-focused code tests or working to automate the code-testing process with security in mind, DevOps security requires interdisciplinary participation from multiple stakeholders in IT, and it can bring developer and IT operations teams together.
At Wayfair LLC, an e-commerce furniture company in Boston, security pros are fully integrated into development teams.
"A lot of companies run into the problem where security is brought in at the end -- we've tried to make sure to bring security in as early as we possibly can," said Chris McCoy, manager of the production systems team at Wayfair. "Security sits with us, so it's not hard for us to find them if you have questions."
One Boston-based energy management software firm also designed its app dev pipeline with security in mind.
"When we started building out our pipeline for the cloud, one of the things that we looked into was hardening from the start, rather than hardening as an afterthought," said Don Luchini, a senior software engineer at the company.
From the beginning, Luchini's company incorporated role-based access control with its Lightweight Directory Access Protocol authentication system so that credentials are not shared and not everyone has access to every system. The company also has a base template for Amazon Machine Images built with configuration management tool Chef that includes security features, such as authentication and domain name system resolution.
"It's something you need to have on every machine, but it's not specific to any service," Luchini said. Because every deployment inherits this baseline image, contending with vulnerabilities such as Heartbleed required only one-line code changes from developers.
Traditionally, security teams are focused on performing penetration tests on the infrastructure, while developers address functional app security, according to Luchini, but those groups are starting to come together to work toward a common goal.
"We are the first contact in the event security finds something" in a penetration test, he said. "We've just kicked off meetings in the last month to talk about a higher degree of sharing between IT security and developers."
The goal of this collaboration is to produce a service-level agreement for time to resolve critical security vulnerabilities, he added.
DevOps pipelines fold in security
Another goal of IT security and DevOps collaboration is the automation and streamlining of security testing in the DevOps pipeline, which stands to make everyone's work a little easier, as well as secure the app and infrastructure.
"Secrets management is something we want to be able to get to where it doesn't require human intervention," said Marc Priolo, configuration manager for Urban Science, a Detroit-based data analysis company specializing in the automotive industry. "That's something both sides are pushing, because for the ops side, it's just busy work for them ... and on the dev side, they have to make sure that they always flag and put in requests for this type of thing."
When fully automated, security becomes just another gate through which software passes on its way to deployment in production, according to Gary Gruver, an IT consultant and founder of Gruver Consulting LLC in Sun Valley, Idaho.
"It's a matter of not waiting until the end to give the developer security feedback," Gruver said. "You want to be giving the developer that feedback while they're writing the code."
Along these lines, developers should be challenged to test first, a practice called test-driven development, to bolster DevOps security, according to T.J. Saotome, vice president of information technology and portfolio management for Dartmouth Research & Consulting in Boston.
In test-driven development, Saotome explained, the developer writes the test environment first, and says, "In order for me to pass this test, how do I need to write code?" In this method, elimination of security vulnerabilities can be worked in as a requirement from the very start of app development.
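As an added illustration that is not from the article or from any of the companies quoted, the following shows the test-first pattern Saotome describes applied to one security requirement (only allowlisted redirect targets may be used), followed by a small pipeline gate of the kind Gruver describes that fails the build if any security test misses. The allowed host, function names and sample URLs are constructed for the example.

```python
"""Security requirement written as tests first, then the code that satisfies them."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example.com"}  # constructed: the only external host we may redirect to


# --- Step 1: tests encode the requirement before is_safe_redirect() exists ---
def test_rejects_external_host():
    assert not is_safe_redirect("https://attacker.example.net/login")

def test_rejects_scheme_relative_url():
    # "//host/path" has no scheme, but browsers still treat it as cross-site
    assert not is_safe_redirect("//attacker.example.net/login")

def test_rejects_backslash_confusion():
    # some browsers normalise "/\host" to "//host", so backslashes are refused outright
    assert not is_safe_redirect("/\\attacker.example.net")

def test_rejects_non_http_scheme():
    assert not is_safe_redirect("javascript:alert(1)")

def test_allows_relative_path():
    assert is_safe_redirect("/account/orders")

def test_allows_allowlisted_host():
    assert is_safe_redirect("https://shop.example.com/cart")


# --- Step 2: the minimal implementation that makes every test above pass ---
def is_safe_redirect(target: str) -> bool:
    if not target or "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # exact match on netloc also rejects "shop.example.com@attacker.net" and odd ports
        return parts.scheme == "https" and parts.netloc.lower() in ALLOWED_HOSTS
    return target.startswith("/")  # same-origin path only


# --- Step 3: the pipeline gate: run every security test, report pass/fail per test ---
def security_gate() -> dict:
    results = {}
    for name, fn in list(globals().items()):
        if name.startswith("test_") and callable(fn):
            try:
                fn()
                results[name] = True
            except AssertionError:
                results[name] = False
    return results


if __name__ == "__main__":
    outcome = security_gate()
    for name, ok in outcome.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    raise SystemExit(0 if all(outcome.values()) else 1)
```

In a CI job the non-zero exit status is what turns these tests into the gate: a change that weakens the check fails the build before it reaches production.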
While DevOps security has come far in recent years, organizations are only just starting to mature in their practices to incorporate it.
"It's somewhere between a quarter and half of the organizations I speak to who are doing it," Saotome said.