Define DevOps' Role in Application Security - InformationWeek
IoT
IoT
DevOps
News
4/2/2018
09:00 AM
50%
50%

Define DevOps' Role in Application Security

DevOps teams are challenged by hackers whose tools and practices have grown increasingly sophisticated. Here's how the good guys can gain the upper hand.

Many common problems encountered in ensuring secure application development and deployment stem from uncertainty about the respective responsibilities of developers and operations staff. Under pressure to build and deploy software as quickly as possible, it's easy for one side to think that the other has completed all of the necessary security tasks.

Yet this often isn't the case, leading to software that leaves organizations vulnerable to theft or attack, noted Rob Whiteley, chief marketing officer for NGINX. On May 2, at Interop ITX, Whiteley will discuss "The Role of DevOps in Application Security," examining the distinct responsibilities dev and ops teams need to follow to ensure seamless alignment on application security.

Supporting developers

Whiteley believes that secure applications can be effectively created by fostering the right development culture. He offered four guidelines designed to ensure that developers will focus on building strong security attributes:

1. Enforce practices such as minimum privilege and minimum data. Restrict project access to portions that are relevant to each developer. Besides lowering the risk of introducing vulnerabilities and mistakes, access restriction will also help ensure that compliance and privacy standards are met.

2. Applications are increasingly a mix of custom and open source code, so be sure that developer teams are testing for many kinds of security vulnerabilities. Look for patches from open source projects and quickly integrate them into development and testing since, in many cases, this is the benefit of paying for open source software support. If the open source component is mission critical to the app, the cost of the support often pales in comparison to the cost of the downtime or breach that may occur from exploiting any underlying vulnerabilities.

3. Update the current incentive policy. Reward more than just standard metrics such as completing projects, checking in code, developing new features or fixing bugs. Instead, reward for code quality, a low number of vulnerabilities, and rapid fixes to discovered vulnerabilities.

4. Inject code analysis tools and automated penetration tests early in the development process to make it easier to find and fix vulnerabilities in real-time as code is being written.

Image: Pixabay
Image: Pixabay

Encouraging ops

Ops teams should always be reminded of the need for strong application security by encouraging close collaboration with security experts and establishing a set of guiding principles. "The operations side of the equation is a bit easier [than development] as there are fewer behavioral changes that need to be made," Whiteley says. "The bigger focus for ops teams is on process change and building security into the CI/CD (continuous integration/continuous delivery) workflow."

To ensure that security is baked into the Ops side of DevOps, Whiteley suggests that Ops personnel:

  • Collaborate with the security team on business impact assessments (BIAs). Implement centralized policies around business criticality and risk. Make sure they are uniformly applied across diverse business units, development teams and analysis techniques.
  • Work closely with the security team on data classification and management. Know who the applications will serve, the level of data sensitivity associated with each application and, finally, the appropriate data access controls. This is particularly critical with emerging privacy requirements, like GDPR.
  • "Own" the layer of security tools closest to the apps, including critical operational technologies such as web application firewalls (WAF), intrusion prevention systems (IPS) and data loss prevention tools. Doing so will ensure up-to-date threat intelligence about applications.
  • Secure traffic. It’s no longer sufficient to just secure the traffic leaving the organization. Traffic must now also be secured within the enterprise, especially as IT continues to move from legacy, monolithic applications to modern, microservices architectures. Traffic that once was contained in-house is now sent across the wire, often traversing data center and cloud boundaries. Also look for technology that can help throttle, encrypt and shape outgoing traffic to ensure it’s available.

Multiple benefits

Security breaches often cause downtime, leading to losses in revenue and reputation, Whiteley explained. "Plus, with increasing regulatory and privacy requirements, there are stiff financial and criminal penalties if applications and data are breached," he added.

Embracing DevOps security also gives organizations their best shot at keeping security budgets down, Whiteley observed. "Right now, many organizations enjoy a healthy security budget, given the risks of breaches," he noted. Yet the good times won’t last forever, he warned, “especially if the economy falls into in a downturn.”

[To learn more about the evolving role of DevOps in the enterprise, check out the DevOps track at Interop ITX 2018, scheduled for April 30 to May 4 at the Mirage in Las Vegas.]

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Register for InformationWeek Newsletters
White Papers
Current Issue
Cybersecurity Strategies for the Digital Era
At its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll