Failing to integrate security with DevOps? Do so at your own peril

The aftermath of the Sony hacks has lead major enterprises to realize that it is no longer feasible to only think of security as an afterthought. "The movements of government into the malware space has created a massive problem that every developer now needs to wrap their arms around, particularly in the cloud space, given the larger, potential attack surface, this space enjoys," said Rob Enderle, an independent technology analyst with the Enderle Group. 

Developers have to accept that every cloud offering is vulnerable to attacks at this level, and increase the focus on rapid identification of unauthorized access and any unexpected behavior surrounding their efforts.  Rapid and elegant failover that uses secure backup services  has become an increasing requirement. In addition, much tighter integration with security information and event management (SIEM) types of security services, and centralized automated patch delivery services becomes a far higher priority than it has been in the past. 

It is important for organizations to consider application security across the full software development lifecycle with the transition to DevOps practices. Business pressures are driving organizations to release new features at a faster pace.  But every new feature comes with the potential for adding an additional attack surface.

Keeping up with different rates of change

"The most visible and painful challenges are related to introducing a high rate-of-change of infrastructure and application code into environments that are traditionally prepared for quarterly or annual security review and auditing," said Tim Prendergast, CEO of Evident.io, a continuous cloud security technology for Amazon Web Services (AWS). This creates a massive disparity between the possibility of a vulnerability or security risk being introduced to the environment, and the ability of an organization to detect and respond to such threats.

Security and DevOps can be so powerful when aligned, yet so detrimental to the success of an organization when kept apart.

Tim Prendergast, CEO of Evident.io

It can become especially dangerous when security and DevOps teams inside the organization are adversarial rather than collaborative. Additionally, many DevOps teams are staffed more vigorously than security teams, which creates an overwhelming amount of scale and growth in infrastructure that security professionals just don't have the budget, tooling, or staffing to keep up with.

Environmentally, the cloud service providers have already delivered the tooling and capabilities to help integrate this new set of telemetry into DevOps tools. The challenge is really finding security technologies that can take advantage of the new capabilities and data available in these dynamic environments, and present such data to the professionals in an actionable and meaningful manner.

Integrate security into corporate culture

One good practice for keeping with the velocity of new threats lies in embedding security and DevOps together. Prendergast noted, "Security and DevOps can be so powerful when aligned, yet so detrimental to the success of an organization when kept apart."

It is important to include the right security stakeholders and decision makers in the design, architecture, and prototype phase discussions of a new project. This gives an opportunity for feedback to be received immediately as key decisions are made, and prevents redesigns later in the process due to security objections or requirements that were previously unconsidered.

It is also a good idea to encourage the integration of operational staff in the early discussions. Sophisticated monitoring, alerting, and resiliency practices go a long way towards making a  project materialize from drawing board vision to real-world infrastructure. This data can be used to drive the DevOps cycle even faster, ultimately resulting in better customer engagement and more successful projects.

Another good practice is to take time to clearly define the goals and expectations of the project . Knowing how the project will be used by all parties is critical to putting the right security frameworks in place. Important questions to ask at the beginning include:

1. Will this be a PCI compliant environment in the next 1 or 2 years?
2. Will we expose this to consumers, just our internal staff, or to other businesses or partners?
3. What is the sensitivity of the data in this application and the legal ramifications of loss, theft, or misuse?

Budgeting for mishaps

It is tempting for organizations to invest far more money in rolling out new features rather than addressing security vulnerabilities. But the sheer magnitude of the Sony hacks which brought the entertainment giant to its knees should be considered in budget negotiations for implementing a secure software development lifecycle. Sony budgeted $15 million to address investigation and remediation costs, and independent analysts estimate the total business cost could be several times higher.

"Investing in dynamic and static code analysis tools like Veracode can go a long way towards protecting your organization from coding errors, misused or unprotected functions, and other dangerous practices," said Prendergast. This builds a strong linguistic expertise internally as the team learns to adapt their programming technique to accommodate necessary security behaviors to protect the business, data, and users.

The lack of focus on building a security conscious development culture can be discouraging. "There are so few coordinated industry efforts happening right now that it can be disconcerting to security professionals when faced with this evolution in role and function," noted Prendergast.

The Cloud Security Alliance is one notable exception that is trying to really improve the industry through practice. It is actively engaging in discussions to bring together DevOps solutions, security innovators, and Cloud Service Providers in an effort to improve the security of all customers migrating to cloud environments.  Prendergast said, "The act of engaging in open discussion about innovation and challenges in this space has done more good than many years of other efforts."

How have you managed to coordinate between DevOps and security? Let us know.