DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
  1. DZone
  2. Testing, Deployment, and Maintenance
  3. DevOps and CI/CD
  4. Recent Botnet Attacks Highlight Importance of Automated Testing to Harden Defenses

Recent Botnet Attacks Highlight Importance of Automated Testing to Harden Defenses

A chief goal of DevOps is to speed up application delivery, but security is too often been an afterthought, resulting in a bolt-on approach that leaves apps vulnerable.

Michael Joseph user avatar by
Michael Joseph
·
Oct. 31, 16 · Opinion
Like (0)
Save
Tweet
Share
5.28K Views

Join the DZone community and get the full member experience.

Join For Free

Massive Distributed Denial of Service (DDoS) attacks have become a weekly scourge, and with software now embedded in most consumer electronics (Is it too late to turn back from the Internet of Things? Asking for a friend.), the problem will likely only get worse.

Hackers have learned how to harness the items you use around the house to attack the services you rely upon. Just last week, one of the biggest and most sustained attacks affected services including Amazon, Spotify, Netflix, Reddit, and Twitter. The criminals did it by infecting our home devices, some 10 million of them, with a malware strain known as Mirai.

As internet security blogger Brian Krebs wrote, Mirai seeks out web-connected devices often protected by factory-default usernames and passwords, then directs those devices — DVRs, security cameras and such — to deluge target sites with trash traffic. Those sites are buried until they crater, affecting service.

The latest attack was directed toward Dyn, which provides routing services to the above-named megabrands. Service was crippled all along America’s East Coast.

“At this point, we know this was a sophisticated, highly distributed attack involving tens of millions of IP addresses. We are conducting a thorough root cause and forensic analysis and will report what we know in a responsible fashion,” said Kyle York, Dyn’s Chief Strategy Officer. “The nature and source of the attack are under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations.”

Krebs’ own site was hit in the same manner and potentially by the same crooks, a few weeks earlier.

What Companies Can Do About It

DDoS attacks are just one of the many security worries companies must confront in rolling out critical enterprise apps, a fact that is giving rise to a move toward what’s being called Rugged DevOps — injecting security scans and stack analysis earlier in DevOps workflow to mitigate the bad actors. Credit the buzzphrase, like so many others, to DevOps guru Gene Kim.

A chief goal of DevOps, of course, is to speed up application delivery, but security has too often been left as an afterthought, resulting in a bolt-on approach that leaves apps vulnerable to malware intrusions such as Mirai.

There are a whole set of cultural issues (standardized configurations, controlled access to production systems, process discipline, and so on) involved in Rugged DevOps, but effective tooling and automation are key components.

Increasingly, companies are looking to integrate tools such as Blazemeter, which integrates load and performance testing in the workflow. Continuous load testing can not only help harden apps against DDoS attacks but also ensure apps are robust enough for peak customer demand, a common problem for consumer-facing services.

Rugged DevOps also increasingly means adopting tools like CA Technologies’ DevOps suite, which incorporates Service Virtualization and release automation solutions that can help developers build more resilient software.

Four common-sense steps to consider in your company:

  1. Make security a priority sooner than later. Security qualifications testing (risk assessments, compliance checks) must be conducted early in development and continuously throughout.
  2. Engage security experts as true partners — not afterthoughts — on your DevOps team.
  3. Embed security tools in your general operations toolkit instead of segregating their use with the security team.
  4. Automate testing. It’s difficult to discard all manual testing, but automation is far more effective and allows more testing at a lower cost.

Today more than ever, organizations must handle security management just as they approach other aspects of delivering their services. Event simulations and tests against intrusion and DDoS attacks should be automated throughout the integration and delivery process.

security Service virtualization DevOps Botnet

Published at DZone with permission of Michael Joseph, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • Automated Performance Testing With ArgoCD and Iter8
  • Top 5 Node.js REST API Frameworks
  • Problems of Cloud Cost Management: A Socio-Technical Analysis
  • Silver Bullet or False Panacea? 3 Questions for Data Contracts

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: