sommai - Fotolia

New DevOps security tools portend market maturity

A plethora of new security tools aimed at DevOps shops suggests IT pros are getting their sea legs with DevOps and security in 2016.

Cast your net into the enterprise IT market today and you'll haul back a big catch of new DevOps security tools and features.

The arrival of these tools, along with a vendor merger around containers, indicate that a new wave of maturity around secure application deployment is headed for the ecosystem of IT shops, as industry watchers say tools tend to be a lagging indicator of where demand lies.

"There has to be some sort of best practice or thought process that leads to the development of tools," said TJ Saotome, vice president of information technology and portfolio management for Dartmouth Research & Consulting in Boston. "I see tons of [tools] every day … but we're still at the early stage of the journey."

Most advanced DevOps security tools are used today by development organizations, and some by IT operations groups, according to Saotome.

"I don't see that whole workflow, or the whole inclusion of sales, marketing and support organizations quite yet," he said. For that to happen at enterprises, existing mature best practices based on service management frameworks such as ITIL must first be mapped onto the DevOps process.

Many fish in the DevOps sea

Still, little by little, tools are beginning to fill in gaps between DevOps and security.

HashiCorp's Vault tool is one example of a product that doesn't necessarily boil the ocean and span the entire app delivery and feedback workflow, but nonetheless solves an important problem by automating the management of secrets such as passwords.

"When you're doing automation, it gets really tricky to work with passwords and tokens," said Dan MacDonald, architect and principal technical lead for a New York City agency that's working to adopt Agile development processes.

With Vault, individual microservices can get passwords without having to pass them in environmental variables as part of application code, which is "pretty much open to everybody," MacDonald explained. As a container starts up, a temporary token gets injected, which might be good for one use and have a time to live of five or 10 minutes. The container then uses the temporary token to contact Vault for the credentials it needs to use. If there's a problem or someone intercepts the token, it's only good for one use, so activity on the token can be tracked.

"It has a complete audit trail of access to the keys, which is very important," MacDonald said.

CoreOS Quay container security scanning tool and Docker's Security Scanning utility, released in May 2016, round out the picture for MacDonald's organization.

There has to be some sort of best practice or thought process that leads to the development of tools.
TJ SaotomeVP of information technology and portfolio management for Dartmouth Research & Consulting in Boston

When the application team builds images and puts them into the Docker Hub registry service, Quay runs an analysis of the binaries of everything that's installed to check for known threats. Docker Security Scanning sees all the changes to containers over time as new ones are spun up to replace the old ones -- if someone hacks into the system and adds a binary, it quickly becomes visible.

Other recently released DevOps tools bringing security features to market include Aqua Security -- formerly Scalock -- Aqua Container Security Platform and Jenkins 2.0.

An emerging company, XebiaLabs Inc., is working to incorporate security features into its continuous delivery orchestration tool. While some of its governance features remain in the pilot phase, "they're one of the first [vendors] to really try and bring it all together," according to Saotome.

Bolstering enterprise container security

Adding to the activity around DevOps security tools is the recent acquisition of enterprise Kubernetes player Kismatic Inc. by private platform as a service (PaaS) vendor Apprenda Inc., aiming to help enterprises make the leap into container orchestration while fitting in with existing corporate security practices.

"If you're an enterprise looking at [Google] Kubernetes or Docker, [Apache] Mesos, any of those, they are too deep-down in the stack for you to actually deliver value," said Joe Emison, CTO and founder of BuildFax Inc., based in Asheville, N.C., which provides real estate property data to other businesses such as insurance companies. "You would still need what Apprenda does, which is coding and configuration and the ability to instantiate my environment -- those problems don't get solved with Docker or Kubernetes."

However, while enterprises stand to spend a healthy amount of money on things like on-premises PaaS in the short term, in the long run "it's very hard to see anybody but very large enterprises doing it," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at [email protected] or follow @PariseauTT on Twitter.

Next Steps

IT teams must reconsider security in container-based deployments

Reasons to check out microservices architectures

A security expert changes his mind on DevOps

Dig Deeper on Deploying Microservices