Many common problems encountered in ensuring secure application development and deployment stem from uncertainty about the respective responsibilities of developers and operations staff. Under pressure to build and deploy software as quickly as possible, it's easy for one side to think that the other has completed all of the necessary security tasks.
Yet this often isn't the case, leading to software that leaves organizations vulnerable to theft or attack, noted Rob Whiteley, chief marketing officer for NGINX. On May 2, at Interop ITX, Whiteley will discuss "The Role of DevOps in Application Security," examining the distinct responsibilities dev and ops teams need to follow to ensure seamless alignment on application security.
Whiteley believes that secure applications can be effectively created by fostering the right development culture. He offered four guidelines designed to ensure that developers will focus on building strong security attributes:
1. Enforce practices such as minimum privilege and minimum data. Restrict project access to portions that are relevant to each developer. Besides lowering the risk of introducing vulnerabilities and mistakes, access restriction will also help ensure that compliance and privacy standards are met.
2. Applications are increasingly a mix of custom and open source code, so be sure that developer teams are testing for many kinds of security vulnerabilities. Look for patches from open source projects and quickly integrate them into development and testing since, in many cases, this is the benefit of paying for open source software support. If the open source component is mission critical to the app, the cost of the support often pales in comparison to the cost of the downtime or breach that may occur from exploiting any underlying vulnerabilities.
3. Update the current incentive policy. Reward more than just standard metrics such as completing projects, checking in code, developing new features or fixing bugs. Instead, reward for code quality, a low number of vulnerabilities, and rapid fixes to discovered vulnerabilities.
4. Inject code analysis tools and automated penetration tests early in the development process to make it easier to find and fix vulnerabilities in real-time as code is being written.
Ops teams should always be reminded of the need for strong application security by encouraging close collaboration with security experts and establishing a set of guiding principles. "The operations side of the equation is a bit easier [than development] as there are fewer behavioral changes that need to be made," Whiteley says. "The bigger focus for ops teams is on process change and building security into the CI/CD (continuous integration/continuous delivery) workflow."
To ensure that security is baked into the Ops side of DevOps, Whiteley suggests that Ops personnel:
- Collaborate with the security team on business impact assessments (BIAs). Implement centralized policies around business criticality and risk. Make sure they are uniformly applied across diverse business units, development teams and analysis techniques.
- Work closely with the security team on data classification and management. Know who the applications will serve, the level of data sensitivity associated with each application and, finally, the appropriate data access controls. This is particularly critical with emerging privacy requirements, like GDPR.
- "Own" the layer of security tools closest to the apps, including critical operational technologies such as web application firewalls (WAF), intrusion prevention systems (IPS) and data loss prevention tools. Doing so will ensure up-to-date threat intelligence about applications.
- Secure traffic. It’s no longer sufficient to just secure the traffic leaving the organization. Traffic must now also be secured within the enterprise, especially as IT continues to move from legacy, monolithic applications to modern, microservices architectures. Traffic that once was contained in-house is now sent across the wire, often traversing data center and cloud boundaries. Also look for technology that can help throttle, encrypt and shape outgoing traffic to ensure it’s available.
Security breaches often cause downtime, leading to losses in revenue and reputation, Whiteley explained. "Plus, with increasing regulatory and privacy requirements, there are stiff financial and criminal penalties if applications and data are breached," he added.
Embracing DevOps security also gives organizations their best shot at keeping security budgets down, Whiteley observed. "Right now, many organizations enjoy a healthy security budget, given the risks of breaches," he noted. Yet the good times won’t last forever, he warned, “especially if the economy falls into in a downturn.”
[To learn more about the evolving role of DevOps in the enterprise, check out the DevOps track at Interop ITX 2018, scheduled for April 30 to May 4 at the Mirage in Las Vegas.]