
How Leaders Are Pursuing DevOps Securely


The keys to addressing security with a DevOps methodology are implementing early in the SDLC, continuity, and automation.


To gather insights on the state of DevOps, we spoke with 22 executives at 19 companies implementing DevOps for themselves and helping clients to implement a DevOps methodology. We asked, "How are you addressing security with your DevOps methodology?" Here's what they told us:

Implement Early in the SDLC

  • DevOps is about delivering better code faster with agility and quality. Part of quality is security. Leaving security until the end hinders speedy development. You must shift left. CA bought Veracode to bring security into the SDLC. We provide static code analysis from the IDE, developer sandboxes at code check-ins, and security testing best practices. Think about how to infuse security practices and processes whenever you are testing.
  • Involve security in the DevOps process and figure out how to automate image and code scanning. One of the points that I made about security in my Red Hat Forum keynotes recently was the importance of training developers and development teams in writing secure software, and how this has to be an ongoing effort because technology changes, new exploits are discovered, and people leave and join the team. 
  • Implement security early and often. Security begins on the frontend. If the DBAs find an issue, they must stop the sprint and go back and fix it. Instead of a human at the end, enforce standards on the frontend. Break the build if the database fails to meet the standards. Perform unit testing for database changes. Identify the person responsible for breaking the build so that everyone involved takes more responsibility early in the process.
  • You must think about both security and compliance. Think about the applications in DevOps pipeline going into production. How will you protect PII, PHI, and mitigate the data touched in a non-production environment? Security cannot become an impediment to development. It needs to be integrated into DevOps on top of a thought-out architecture that may or may not include third parties. 
  • Security is built into the products when they are designed. Security models and methodologies are part of the original plan. As you go through the scrum checkpoints, security is well represented. Security testing is the number one test.

Continuity

  • Companies are not typically thinking about security along with CI, CD, failure, and scaling up and down. It’s easier to determine the handoffs between development and operations. Containers are immutable. They provide a consistent build viewpoint (Docker CVE). Deployment is secure across development, testing, and production. We do code reviews from a stability, security, and educational standpoint. This allows us to do so on a continuous basis if following OWASP or other standards. It makes the argument of slowing down go away. Containers enable static and dynamic code analysis making CI/CD easier as we do this on a regular basis rather than doing it differently every time. It’s easier to engineer in security from the beginning. 
  • Ensure a continuous process for changes in controls for application development. Change from event specific to continuous process development. Have the right tools for continuous testing automatically setting up labs. 
  • Follow an approach to security and ensure that developers are trained and know that security is their responsibility.
  • Security is built into the platform which authenticates users and controls access.
  • DevOps is the ultimate gatekeeper of the production environment and controls who and what gains access to it. We have implemented software to monitor the code for security risks. We are also looking to implement penetration testing in Q1 of 2018.
  • The surface area is growing with IoT and microservices. Be consistent. Have one security approach for everything you roll out. Know your surface areas. Strive for consistency. Stay current with updates.

Automation

  • Security is integrated or layered with training, coding standards, testing, and peer-reviewed code. Static code analysis is linked to CI. On top of that are periodic penetration tests conducted by a third-party vendor.
  • Automate as much as you can, including penetration tests and static code analysis before production. Use a third party for manual penetration testing.
  • Need automation to manage security. We use tooling that sends an email when there’s a vulnerability.
  • Implement security as part of the automation. Check versions of dependencies for known vulnerabilities. This is easy to automate. Automated security is crucial.
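The dependency check described in the last point, written out as a CI gate. This is an added example, not code from any of the companies quoted; the advisory list and the requirements file are constructed sample data standing in for a real vulnerability feed and a real lockfile.

```python
"""Fail a build when an exactly pinned dependency falls inside a known-vulnerable range."""
import re
import sys

# Constructed advisories: (package, first affected version, first fixed version).
# A real pipeline would load these from a vulnerability feed instead.
ADVISORIES = [
    ("examplelib", (1, 0, 0), (1, 4, 2)),  # affected: 1.0.0 <= v < 1.4.2
    ("otherpkg", (2, 0, 0), (2, 0, 8)),    # affected: 2.0.0 <= v < 2.0.8
]

# Constructed requirements file with exact pins, as a build would check in.
REQUIREMENTS = """\
examplelib==1.3.0
otherpkg==2.1.0
safepkg==0.9.1
"""

# Only exact pins are auditable; ranges like "pkg>=2" are skipped deliberately.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_pins(requirements):
    """Return {package: version tuple} for every exact pin; other lines are ignored."""
    pins = {}
    for line in requirements.splitlines():
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return a sorted list of (package, version) pins inside an affected range."""
    findings = []
    for name, first_affected, first_fixed in advisories:
        version = pins.get(name.lower())
        if version is not None and first_affected <= version < first_fixed:
            findings.append((name, ".".join(map(str, version))))
    return sorted(findings)


def main():
    findings = find_vulnerable(parse_pins(REQUIREMENTS))
    for name, version in findings:
        print(f"VULNERABLE {name}=={version}")
    return 1 if findings else 0  # non-zero exit breaks the build before production


if __name__ == "__main__":
    sys.exit(main())
```

Wired into the pipeline as a step that runs before the deploy stage, a non-zero exit stops the release until the pin is bumped past the fixed version.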

Other

  • A lot of problems with security don’t go away with loosely coupled architecture but you are able to draw boundaries with regards to security to help prevent denial of service attacks, reduce attack vectors and surfaces, payload, and exposing bugs. You can have a layered security model for the network, firewall, service identification, authentication, and approvals. Split application layer security from operational security. Separation of code you are working on. Aspect-oriented programming.
  • We uniquely learn the security DNA for every version of an application to provide security that is precise, enabling developers, DevOps, and SecOps to collaborate and fix code security issues in the DevOps process.
  • One key control that we have introduced is real-time public visibility into who is accessing our production environment. Whenever a developer accesses our product systems, it is broadcast to a public Slack channel and they can then post (in this Slack channel) the ticket they are working on.
  • We’re able to see the security of the applications from the visual monitoring. We are able to see if someone hacks into the application or if a phishing attempt is made. We need to monitor stream data before decomposition and after recomposition to ensure nothing changed or was injected.

Here’s who we talked to:

  • Gil Sever, CEO, Applitools
  • Mike Tria, Head of Infrastructure, Atlassian
  • John Trembley, CMO and Scott Harvey, V.P. Engineering, Atmosera
  • Aruna Ravichandran, VP DevOps Products and Solutions Marketing, CA Technologies
  • Flint Brenton, CEO, Collabnet
  • Tom Hearn, Data Center Architect, Datalink
  • Shehan Akmeemana, CTO, Data Dynamics
  • Robert Reeves, Co-founder and CTO, Datical
  • Anders Wallgren, CTO, Electric Cloud
  • Job van der Voort, Vice President of Product, GitLab
  • Ben Slater, Chief Product Officer, Instaclustr
  • Ilya Pupko, Chief Architect, Jitterbit
  • Tom Joyce, CEO, Pensa
  • Stephanos Bacon, Chief of Product, Portfolio Strategy for Application Platforms, Red Hat
  • Michael Mazyar, CTO, Samanage
  • Eric Wahl, IT Director and John Joseph, Vice President of Marketing, Scribe Software
  • Manish Gupta, CEO and Founder, ShiftLeft
  • Martin Loewinger, Director of SaaS Operations and Jonathan Parrilla, DevOps Engineer, SmartBear
  • Chris McFadden, V.P. Engineering and Operations, SparkPost
