To gather insights on the state of DevOps, we spoke with 22 executives at 19 companies implementing DevOps for themselves and helping clients to implement a DevOps methodology. We asked, "How are you addressing security with your DevOps methodology?" Here's what they told us:
Implement Early in the SDLC
- You must think about both security and compliance. Think about the applications in the DevOps pipeline going into production. How will you protect PII, PHI, and mitigate the data touched in a non-production environment? Security cannot become an impediment to development. It needs to be integrated into DevOps on top of a thought-out architecture that may or may not include third parties.
- Companies are not typically thinking about security along with CI, CD, failure, and scaling up and down. It’s easier to determine the handoffs between development and operations. Containers are immutable. They provide a consistent build viewpoint (Docker CVE). Deployment is secure across development, testing, and production. We do code reviews from a stability, security, and educational standpoint. This allows us to do so on a continuous basis if following OWASP or other standards. It makes the argument of slowing down go away. Containers enable static and dynamic code analysis making CI/CD easier as we do this on a regular basis rather than doing it differently every time. It’s easier to engineer in security from the beginning.
- Follow an approach to security and ensure that developers are trained and know that security is their responsibility.
- Security is built into the platform which authenticates users and controls access.
- DevOps is the ultimate gatekeeper of the production environment and controls who and what gains access to it. We have implemented software to monitor the code for security risks. We are also looking to implement penetration testing in Q1 of 2018.
- The surface area is growing with IoT and microservices. Be consistent. Have one security approach for everything you roll out. Know your surface areas. Strive for consistency. Stay current with updates.
- A lot of problems with security don’t go away with loosely coupled architecture but you are able to draw boundaries with regards to security to help prevent denial of service attacks, reduce attack vectors and surfaces, payload, and exposing bugs. You can have a layered security model for the network, firewall, service identification, authentication, and approvals. Split application layer security from operational security. Separation of code you are working on. Aspect-oriented programming.
- We uniquely learn the security DNA for every version of an application to provide security that is precise enabling developers, DevOps, and SecOps to collaborate and fix code security issues in the DevOps process.
- One key control that we have introduced is real-time public visibility into who is accessing our production environment. Whenever a developer accesses our product systems, it is broadcast to a public Slack channel and they can then post (in this Slack channel) the ticket they are working on.
- We’re able to see the security of the applications from the visual monitoring. Able to see if someone hacks into the application or if a phishing attempt is made. Need to monitor stream data before decomposition and after recomposition to ensure nothing changed or was injected.
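The "broadcast every production login to a public Slack channel" control described above is concrete enough to show in code. The following is an added illustration written for this page; it is not code from any of the companies quoted. It assumes OpenSSH-style "Accepted ..." auth-log lines, a host-naming convention where production hosts start with "prod-", and a standard Slack incoming-webhook payload; the log lines are constructed samples, and the webhook URL is a placeholder. The notification deliberately carries only who, where, from where and how, and asks the engineer to reply with the ticket they are working on, which is the visibility the respondent describes.

```python
import json
import re
import urllib.request

# Constructed sample auth-log lines in OpenSSH format (not from any real system).
SAMPLE_AUTH_LOG = """\
Nov  3 09:14:02 prod-api-01 sshd[2231]: Accepted publickey for alice from 10.0.5.17 port 51022 ssh2: ED25519 SHA256:abc123
Nov  3 09:14:05 prod-api-01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Nov  3 09:20:41 prod-db-02 sshd[811]: Accepted password for bob from 10.0.5.33 port 51100 ssh2
Nov  3 09:21:00 staging-web-01 sshd[1400]: Accepted publickey for carol from 10.0.7.2 port 50001 ssh2: RSA SHA256:def456
"""

# Matches only successful logins; failed attempts are a separate alerting concern.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumption: production hosts are identified by a naming prefix.
PRODUCTION_HOST_PREFIXES = ("prod-",)


def parse_accepted_logins(text):
    """Return one dict per successful SSH login found in the log text."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_production(host):
    return host.startswith(PRODUCTION_HOST_PREFIXES)


def build_slack_message(event):
    """Build a Slack incoming-webhook payload ({"text": ...}) announcing the access
    and prompting the engineer to post the ticket they are working on."""
    text = (
        f":unlock: *Production access* `{event['user']}` logged into "
        f"`{event['host']}` from `{event['src']}` via {event['method']} "
        f"at {event['ts']}. Reply in this channel with the ticket you are working on."
    )
    return {"text": text}


def production_access_notifications(text):
    """Filter the parsed logins down to production hosts and build a message for each."""
    return [
        build_slack_message(e)
        for e in parse_accepted_logins(text)
        if is_production(e["host"])
    ]


def post_to_slack(payload, webhook_url, dry_run=True):
    """Serialise the payload; POST it to the webhook unless dry_run is set.
    Returns the request body in dry-run mode so the caller can inspect or log it."""
    body = json.dumps(payload).encode()
    if dry_run:
        return body
    req = urllib.request.Request(
        webhook_url, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder webhook URL; dry_run=True so nothing leaves the machine.
    for msg in production_access_notifications(SAMPLE_AUTH_LOG):
        print(post_to_slack(msg, "https://hooks.slack.example/PLACEHOLDER").decode())
```

In practice this would run as a log-shipper or journald consumer rather than over a static string, and the channel should be public within the company precisely so that the access record cannot be quietly edited by the person who triggered it.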
Here’s who we talked to:
- Gil Sever, CEO, Applitools
- Mike Tria, Head of Infrastructure, Atlassian
- John Trembley, CMO and Scott Harvey, V.P. Engineering, Atmosera
- Aruna Ravichandran, VP DevOps Products and Solutions Marketing, CA Technologies
- Flint Brenton, CEO, Collabnet
- Tom Hearn, Data Center Architect, Datalink
- Shehan Akmeemana, CTO, Data Dynamics
- Robert Reeves, Co-founder and CTO, Datical
- Anders Wallgren, CTO, Electric Cloud
- Job van der Voort, Vice President of Product, GitLab
- Ben Slater, Chief Product Officer, Instaclustr
- Ilya Pupko, Chief Architect, Jitterbit
- Tom Joyce, CEO, Pensa
- Stephanos Bacon, Chief of Product, Portfolio Strategy for Application Platforms, Red Hat
- Michael Mazyar, CTO, Samanage
- Eric Wahl, IT Director and John Joseph, Vice President of Marketing, Scribe Software
- Manish Gupta, CEO and Founder, ShiftLeft
- Martin Loewinger, Director of SaaS Operations and Jonathan Parrilla, DevOps Engineer, SmartBear
- Chris McFadden, V.P. Engineering and Operations, SparkPost