
Create habitual IT security practices for the full stack

IT security should be so ingrained in developers and infrastructure managers it becomes second nature, rather than a stopping point along the flow of application lifecycles.

NEW YORK -- As DevOps and IT innovation sprout within enterprises, so will the frequency of and damage created by security events -- and IT pros need the right IT security practices to stay out of the weeds.

Ask any business leader what keeps them up at night, and the answer will likely be security. But rather than thinking about security constantly, IT and development teams should take the opposite approach -- make IT security practices second nature.

"My biggest concern is security," said Chris Moyer, vice president of technology for ACI Information Group. "How do we know that we're not screwing something up when we're moving so fast?"

"At least once a month, we hear about some major organization that has had a security breach," echoed Kelly Lum, security engineer at New York-based Tumblr. "And, a lot of times, they don't realize it."

Moyer -- who is also a TechTarget contributor -- and Lum pointed to the biggest security fear: not catching the issue right away.

"Monitoring and detecting shouldn't take six months when development only takes two weeks," Moyer said. "Why aren't we moving that fast on production tracking?"

Securing IT systems is a constant battle due to the immeasurable number of small, individual pieces -- which are oft-changing -- that make up the complex whole of an IT estate, Lum said.

She suggested a security approach founded on education and culture change in a keynote presentation at Velocity last week. When IT security practices are built into the whole stack -- the technology in use, programs developers write and the hardware underpinning apps -- everyone gets in the habit of creating secure IT products and infrastructure.

Application-based security comes down to the developers writing code, but "developers will always be focused on features that your users will enjoy," because, after all, that is their primary job, Lum said. Consider using tools to automatically scan for obviously weak or compromised code and security experts to guide best practices.

Dedicated security isn't an easy sell. Many employers want to see the IT admin wear multiple hats, and the days of hiring dedicated staff for siloed IT roles, such as security or storage, are fading, said Brian Kirsch, IT architect and instructor at Milwaukee Area Technical College in Wisconsin.

Organizations that do have security experts should count on them to act as a resource, not a roadblock. "You can lock something down, but it has to still be operational," said Kirsch, who's also a TechTarget contributor. Instead of, as Lum put it, telling the developers "their baby is ugly," security experts should engage with the IT team to encourage safe, healthy coding practices and only lay down the law when necessary.

If you don't have a security staff, don't despair. Even bigger than the DevOps trend, Kirsch said, is the convergence of infrastructure roles into one multidisciplinary person: the IT administrator, security and operations engineer, who liaises with colleagues outside of infrastructure to enforce IT security practices.

Code analysis tools remove some of the daily security burden as well. No human wants to read and analyze every line of code, and even skilled experts can overlook a potential problem. Tumblr uses a tool, called Robocop, to enforce smart security decisions. For example, if the development team has a library of safe functions to use for a database, and a developer decides not to use them, Robocop will catch it, Lum explained.
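As an added illustration of the kind of check described above (this is not Tumblr's Robocop, whose internals the article does not describe), the following Python script walks a source file's abstract syntax tree and flags any direct driver `execute()`/`executemany()` call that bypasses an approved query helper module. The module name `safe_db`, the method names and the sample source are all assumptions constructed for this example.

```python
"""Minimal 'safe library enforcement' check, in the spirit of the tool the
article describes. Flags raw database driver calls that bypass an approved
wrapper module. Added example; not Tumblr's code."""
import ast

# Assumed names for this example: the team's approved wrapper module and the
# raw driver methods developers are expected to avoid calling directly.
SAFE_MODULE = "safe_db"
RAW_METHODS = {"execute", "executemany"}


def find_raw_queries(source: str, filename: str = "<input>") -> list:
    """Return sorted (line, message) tuples for raw driver calls in `source`.

    Calls made from inside the wrapper module itself are allowed, since that
    is where the raw driver is supposed to be used.
    """
    if filename.replace("\\", "/").split("/")[-1] == f"{SAFE_MODULE}.py":
        return []
    tree = ast.parse(source, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in RAW_METHODS:
            continue
        msg = f"raw {node.func.attr}() call; use {SAFE_MODULE} helpers instead"
        # Second signal worth surfacing to the reviewer: the query text is
        # assembled at runtime (f-string or concatenation) rather than fixed.
        if node.args and isinstance(node.args[0], (ast.JoinedStr, ast.BinOp)):
            msg += " (query text is built with string formatting)"
        findings.append((node.lineno, msg))
    findings.sort()
    return findings


# Constructed sample input: one helper use, two bypasses of the wrapper.
SAMPLE = '''
import safe_db
def lookup(cur, user_id):
    cur.execute("SELECT * FROM users WHERE id = " + str(user_id))
    return safe_db.get_user(cur, user_id)
def count(cur):
    cur.execute("SELECT COUNT(*) FROM users")
'''

if __name__ == "__main__":
    for line, message in find_raw_queries(SAMPLE, "app/views.py"):
        print(f"app/views.py:{line}: {message}")
```

Run against the sample, the check reports lines 4 and 7; the `safe_db.get_user` call on line 5 passes, and the same `cur.execute` inside a file named `safe_db.py` is ignored. A real deployment would run this in CI over every changed file, which is what turns a policy ("use the safe functions") into the habit the article argues for.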

Even with a security-minded approach and dedicated experts, there will be incidents where the code goes out and issues are discovered after the fact -- Lum recommended accepting this eventuality, as well as instituting bug bounties and easy reporting for users to help the team improve the application. Another practice is to create run books, so you know how to respond efficiently and correctly.

After a security incident or trend of potential problems, ask, "Where are the developers losing the [secure] path?" Lum said. "You'll have a lot of people saying, 'Buy this [tool], and you'll never have to worry again,'" she added. But be wary: Tools are no replacement for vigilant defensive practices.

While you should advocate for a defensive IT deployment and minimize risk, don't create a culture of overall paranoia, fear and loathing, Lum warned. When everything is a security issue, nothing is a security issue.

Meredith Courtemanche is a senior site editor in TechTarget's Data Center and Virtualization group, with sites including SearchITOperations, SearchWindowsServer and SearchExchange. Find her work @DataCenterTT, or email her at [email protected].
