Why security in DevOps is essential to software development

DevOps security: Are you ready to build it in?

Want security built into the DevOps process? It might not completely bulletproof an application, but experts say that any security added at the code level will pay dividends down the road.

NEW YORK -- Companies that have adopted DevOps practices to speed up application deployment cycles have an added challenge to consider: how to build security into a rapid, iterative workflow.

Many companies struggle with the DevOps security process, largely because most application developers and IT operations professionals have enough challenges to overcome as they learn to work together -- and rarely would either of those pros have expertise in cloud security.

Regulatory rules require that data be protected the same way whether it lives on servers on premises or in the cloud. The tools for the two can be very different, however, particularly under infrastructure as code, where the operations team isn't even dealing with a physical machine that's locked down at home.

Security today is typically handled with a manual test right before an application is released into production. It's not unusual for an app to be released with an unacceptable level of risk because it needs to get out the door. That's why experts believe security must be built in at the code level, where it gets the visibility it needs, is cheaper and easier to fix, and can improve overall quality.

Not everyone is completely sold on that idea, however, particularly if a company treats its DevOps team as jacks-of-all-trades. In fact, making security part of someone else's job could give it short shrift.

At e-commerce retailer ShopRunner, DevOps security is built into the process "but it requires such strong attention to detail, so I'd rather see it handled by one individual," said David Colon, manager of cloud engineering at ShopRunner.

Daniel Rosenbloom, a senior systems engineer at Logicworks, a New York-based managed services company, also emphasized the importance of making sure security gets full attention, as the slightest mistake can lead to a breach. "And people are not really that good at attention to detail, even with checklists," said Rosenbloom, who is an application automation expert as well as a former systems administrator.

In reality, there are few security professionals who know both code and operations, so adding DevOps security to the cycle really needs to be the responsibility of all employees, said Amy DeMartine, an analyst at Forrester Research, Cambridge, Mass. "If you can build it into the beginning, you have supercode to begin with," she said. "You may never be perfect, but you can mitigate the risk."

The advantage of making security part of the continuous delivery pipeline, of course, is to speed up app delivery. Leave it out and you'd get to the test phase and have to stop, said Kevin Keeler, senior cloud engineer at A&E Networks, which runs popular cable channels such as Lifetime and the History Channel. "But if you're trying to be agile, you don't want to do that," he said.

Keeler said his company will soon begin a transition to DevOps-style application development, and has considered using an automation tool, such as Chef, for configuration management and system hardening. Keeler checked out technology at the AWS Summit, held here earlier this month -- in particular API-driven tools to run scans, initially to support the company's customer-facing systems.

The number of enterprises building compliance into the DevOps tool chain is still relatively small but increasing, said George Spafford, an analyst at Gartner, the Stamford, Conn.-based consulting firm. "It can no longer be an afterthought," he said.

In a Gartner DevOps survey, out of 95 participants, 82% said they used DevOps methodologies in environments where they had to comply with at least one regulation, up from just 47% in 2015. Moreover, 59% of 78 respondents report that collaboration between DevOps teams and information security is an important strategy to address regulatory compliance requirements.

To create overall consistency, experts recommend using a configuration management tool -- such as Chef, Puppet, Ansible or Salt -- to centrally manage tools for tasks such as log management, threat analysis, network analysis, and intrusion detection. Release automation tools are also important to the task. Both help create an architecture where you can automate a repeatable process.

Most important, though, is to pick one and stick with it, Logicworks' Rosenbloom said. "All have pros and cons, but when a vulnerability hits, you need a single source of truth," he said.

Margie Semilof is editorial director for TechTarget's Data Center and Virtualization media group.
