BOSTON -- Just as IT ops pros settle in to their new role in a DevOps world, along comes an even newer concept -- secure DevOps.
Secure DevOps is a recent trend that has primarily involved collaboration between application developers and security experts so far -- the IT ops role in the new collaboration between app developers and security pros hasn't been fleshed out yet. But as developers and security professionals "shift security left" in the app delivery process, IT ops will need to respond accordingly, and preferably proactively.
IT pros must collaborate with the security team, as well as application developers. Following high-profile security breaches, such as the one that targeted credit bureau Equifax earlier this year and potentially exposed the sensitive financial data of 143 million Americans to hackers, businesses will increase pressure on all of IT to keep their companies out of the headlines.
"Every part of the organization should be thinking about security right now," said Stephen Sadowski, director and senior architect of core engineering at ICF Olson, a digital services subsidiary of U.S. government contractor ICF, based in Fairfax, Va. "The task for ops is to see security as a problem they need to help solve."
Secure DevOps and the need for speed
IT security has a reputation as an out-of-touch organization in an ivory tower that occasionally issues policy edicts that developers and ops must apply to the IT environment, Sadowski said. Developers and security have begun to change that relationship, and ops should follow suit.
To do this, ops may need to gain a seat at the table where developers and security pros have already begun a conversation.
Jack Frakerapplication security specialist
Ops must incorporate application security into their thought process, and they won't necessarily receive a formal invitation to do so, said Jack Fraker, an application security specialist for an insurance company on the East Coast that he declined to identify. He took the initiative to work with his company's developers -- there was no mandate from upper management to do so.
"Your resume has to read differently now," Fraker said. "You can't be a specialist in just one thing."
At ICF Olson, IT ops takes new approaches to infrastructure management to heighten its collaboration with security, as well as development, Sadowski said. The team uses Terraform and Chef infrastructure as code tools that can be tested and reviewed alongside application code, as well as Chef InSpec to check whether server configurations match security policies within the organization.
"We're continuing to increase the conversation between security and the other parts of the organization," Sadowski said, and it's increasingly a two-way conversation in which security offers more guidance on how to implement policies.
Secure DevOps means new infrastructure monitoring tools, tactics
Organizational changes are challenging enough, but IT ops pros must also adapt day-to-day tactics with infrastructure design and monitoring to keep up with secure DevOps long term.
There's at least one silver lining here for IT ops. This requirement might not mean there will be all-new tools to learn from scratch. Rather, there are new approaches to infrastructure security and monitoring that use the tools already familiar to IT ops pros.
At Fraker's company, security operations applies existing IT monitoring tools to detect security risks in IT architecture design and configuration, as it also monitors for malicious behavior on the network. He hopes that network operations and sysadmins will add their expertise about IT infrastructure best practices to that soon.
"Security operations has upgraded some of its monitoring tools a bit, but they already had a good tool set," Fraker said. "It's more about how they've changed their procedures around using it."
The secure DevOps patching problem
Security pros at DevSecCon agreed patching should fade into the past, in favor of immutable infrastructures that can be completely torn down and relaunched from scratch when there's a change, rather than rely on regular changes such as patches to servers in production.
"Containers and autoscaling will mean a change to the immutable infrastructure approach," said Stephen Sadowski, director and senior architect of core engineering at ICF Olson, a digital services subsidiary of U.S. government contractor ICF, based in Fairfax, Va. "That way you can say, 'If something doesn't pass a security test, just destroy it.'"
In the meantime, technical debt accrued by enterprises will mean finding new ways to juggle legacy applications that aren't suited to immutable infrastructures until those applications can be phased out. And as DevOps revs up the speed of application deployment and infrastructures grow, patches will need to be prioritized to stay ahead of critical threats without getting bogged down in infrastructure management, said Jack Fraker, an application security specialist for an insurance company on the East Coast that he declined to identify.
"There isn't time to patch everything, so there's a lot of movement to understand better exactly what we have in the environment, understand the ranking of risks and apply high-priority patches as required," he said.
There's still room for improvement with infrastructure monitoring tools for risk management purposes, said Kevin Greene, a program manager in the cybersecurity division of the U.S. Department of Homeland Security, following his keynote speech at the DevSecCon event here this week.
The Department of Homeland Security has spearheaded the Static Tool Analysis Modernization Project (STAMP) to provide a framework that analyzes security tools' strengths and weaknesses and forms a plan to modernize them.
There are many vendors in IT security monitoring today, but Greene hasn't seen the advanced capabilities needed to deal with emerging threats, he said. That includes threat modeling that anticipates potential attacks on infrastructure vulnerabilities, to supplement static analysis tools and make IT security more proactive. To that end, Homeland Security also established the Application Security Threat Attack Modeling (ASTAM) program, which has tapped vendor Secure Decisions to lead development of an open source tool to strengthen IT defenses against web app attacks.
Meanwhile, IT ops people must align monitoring solutions to DevOps, which is changing infrastructure faster and faster, Greene said. "Ops needs a grasp on those changes so they know what to monitor," he said.
Datadog acquires Logmatic.io for analytics and automation
Prevent security flaws by treating servers as cattle
Windows catches up to Linux DevOps tools