Introducing DevSecOps - combining speed and security
Long accustomed to being the gatekeepers, security professionals are now mucking in and getting their hands dirty
Every major organisation is now a software business. It is much quicker and cheaper to tweak code than it is to upgrade physical infrastructure, and as speed of response and business agility become increasingly important factors across all sectors software is now the differentiator between otherwise similar organisations. If your software can improve the experience of customers and employees, if it looks better or runs quicker on standard hardware, if it allows for new functionality that your competitors cannot match then you've stolen a march.
As a result, there has been a determined effort to professionalise, standardise, automate and speed up the production of software so that it is treated like any other time-sensitive piece of the architecture. DevOps - bringing together the once-separate disciplines of developing, testing and deploying software - is the practical realisation of these ideas.
At its heart, DevOps is a cultural perspective on how everyone with a stake in the production of software should be engaged in its continuous improvement. In a software-defined world, it asks how do we get something into production quickly and once it's deployed how do we know we've come up with the best answer, and how quickly can we apply improvements and updates?
It is the principle of cooperation and collaboration to reach shared objectives. While this sounds like common sense, the traditional structure of IT in business organisations has often been oppositional, with developers and operations actively encouraged to find fault in each other's work. And at the end of the line sit the security guys with their tests and their scanners and their clipboards.
Current attitudes
In many ways DevOps is nothing new. It is really a subset of agile development and has a lot in common with Lean and other continuous improvement methodologies in that it emphasises making small changes and getting feedback quickly. Computing polled more than 100 IT professionals about the approaches they are taking to speed up the production of the all-important code (figure 1).
More than half of the respondents said they were moving or had moved to the agile methodology to speed up delivery, with 23 per cent naming DevOps specifically.
Cloud, in its IaaS and PaaS guises, is another game changer, allowing test deployments in whatever environments are required without having to provision the infrastructure and bring in specialist skills. Almost half the respondents said they were making more use of cloud in their efforts to speed up development.
From DevOps to DevSecOps
In many development projects - indeed in technology projects in general - there is a general focus on functionality and usability, with security considerations tacked on at the end. Frequently, security and compliance teams are only called to pronounce on a piece of software once it is ready for release.
This can lead to problems and delays not only because security and compliance testing can be lengthy, particularly in the case of a large application, but also because the developers' handiwork may need to be unpicked in order to make the code sufficiently secure or compliant, which could take a very long time depending on how many other features the errant code underpins.
The good news is that over half of the respondents in the Computing study bring in security at the planning stage (figure 2). It is certainly important that security is included in the specifications. What this chart does not show, however, is how much active involvement the security team has at each stage and for many organisations the most intense activity is likely to occur at quality assurance (QA) testing and just before the release.
Worryingly, 23 per cent of respondents said that security professionals are not involved in the process at all. Either the software they develop comes nowhere near handling sensitive or personal data, offers no chance that a vulnerability could provide a way in for an attacker and has minimal interactions with any other systems, or they are taking a big chance.
Introducing DevSecOps - combining speed and security
Long accustomed to being the gatekeepers, security professionals are now mucking in and getting their hands dirty
So how does DevOps compare with traditional ITIL software production methodologies when it comes to security? The consensus was that it should improve security through a combination of automation, the earlier involvement of security specialists and increased rapidity in dealing with failures. However, a minority worried that the emphasis on speed and the newness of the DevOps methodology could introduce holes (figure 3).
Just as DevOps seeks to represent infrastructure as code so that its operation can be standardised, automated and pulled into the software development pipeline, so DevSecOps (the term was coined in 2012 by Neil MacDonald of Gartner) seeks to do the same with security requirements.
Security standards such as ISO 27001 together with more bespoke individual compliance requirements are represented as code or configuration files that may be applied to the software in stages as it moves through the continuous integration or continuous delivery pipeline to production. This means that any changes in policy can be automatically applied and tested as the software proceeds.
Moreover, as much development now happens in and for the cloud where scalability is a watchword, implementing security as code makes it easier to ensure that the requirements continue to be met as the deployment model changes.
In terms of team structure, security professionals work alongside their colleagues in development, QA and operations rather than as remote gatekeepers.
Common challenges to overcome in DevSecOps include obtaining visibility into what exactly is running in the environment and what class of data is being processed, and because this is a dynamic process, keeping up with changes as they happen.
Then there is making sure that patches and configuration tweaks are applied consistently, which may require a rethink of the underlying infrastructure. If this is not sufficiently homogenous, for example if multiple vendors or hypervisors are present, then ensuring no holes are left is very difficult. With more test and development activities moving to the cloud, problems due to inconsistent platforms are becoming less of an issue, however.
In order to achieve rapid feedback (one of the main goals of DevOps) each change to the security configuration needs to be tested. This means getting the QA team fully on board to help with the creation of automated tests that quickly signal when something is wrong so the process can be rolled back and corrected easily.
Changing roles
As part of the change in their role that all this implies, security professionals need to look at how they can best accommodate rapid change. Some may enjoy the role of ‘policeman' and may not appreciate having to muck in at all stages.
They may also need to drop the holy grail of ‘perfect security'. Perfect security is an impossibility anyway, but in the stepwise, rapid-feedback model embodied by DevOps pursuing such a vision will definitely slow things down. Instead, the idea is to test fast and test often and act quickly on the results so that any vulnerabilities are only present for the shortest possible time.
Ultimately, as an extension to DevOps, DevSecOps is about changing the way teams work, educating developers to consider security at the initial stages, as well as throughout the development process; managing the implementation and compliance of different security policies as dictated by different customers; and integrating the security testing requirements into the development pipeline without adversely affecting speed or flexibility.
@_JohnLeonard
• To learn more about DevSecOps, make sure you sign up for the Computing Enterprise Security and Risk Management conference in November. Attendance is free for qualifying IT professionals. To register, go to: http://www.computingsummit.com/security.