Define DevOps' Role in Application Security - InformationWeek


DevOps teams are challenged by hackers whose tools and practices have grown increasingly sophisticated. Here's how the good guys can gain the upper hand.

Many common problems encountered in ensuring secure application development and deployment stem from uncertainty about the respective responsibilities of developers and operations staff. Under pressure to build and deploy software as quickly as possible, it's easy for one side to think that the other has completed all of the necessary security tasks.

Yet this often isn't the case, leading to software that leaves organizations vulnerable to theft or attack, noted Rob Whiteley, chief marketing officer for NGINX. On May 2, at Interop ITX, Whiteley will discuss "The Role of DevOps in Application Security," examining the distinct responsibilities dev and ops teams need to follow to ensure seamless alignment on application security.

Supporting developers

Whiteley believes that secure applications can be effectively created by fostering the right development culture. He offered four guidelines designed to ensure that developers will focus on building strong security attributes:

1. Enforce least privilege and data minimization. Give each developer access only to the parts of a project and the data that their work requires. Besides lowering the risk that a mistake or a compromised account introduces a vulnerability, access restriction also helps ensure that compliance and privacy standards are met.

2. Applications are increasingly a mix of custom and open source code, so make sure developer teams test both for many kinds of security vulnerabilities. Track patches from the open source projects you depend on and integrate them quickly into development and testing; in many cases, early access to those fixes is the main benefit of paying for open source software support. If the open source component is mission critical to the app, the cost of the support often pales in comparison to the cost of the downtime or breach that may follow from exploitation of an unpatched vulnerability.

3. Update the current incentive policy. Reward more than just standard metrics such as completing projects, checking in code, developing new features or fixing bugs. Instead, reward for code quality, a low number of vulnerabilities, and rapid fixes to discovered vulnerabilities.

4. Inject static code analysis tools and automated dynamic security tests early in the development process, ideally in the build pipeline itself, so that vulnerabilities are found and fixed while the code is being written rather than after release.

Image: Pixabay

Encouraging ops

Ops teams should always be reminded of the need for strong application security by encouraging close collaboration with security experts and establishing a set of guiding principles. "The operations side of the equation is a bit easier [than development] as there are fewer behavioral changes that need to be made," Whiteley says. "The bigger focus for ops teams is on process change and building security into the CI/CD (continuous integration/continuous delivery) workflow."

To ensure that security is baked into the Ops side of DevOps, Whiteley suggests that Ops personnel:

  • Collaborate with the security team on business impact assessments (BIAs). Implement centralized policies around business criticality and risk. Make sure they are uniformly applied across diverse business units, development teams and analysis techniques.
  • Work closely with the security team on data classification and management. Know who the applications will serve, the level of data sensitivity associated with each application and, finally, the appropriate data access controls. This is particularly critical with emerging privacy requirements, like GDPR.
  • "Own" the layer of security tools closest to the apps, including critical operational technologies such as web application firewalls (WAF), intrusion prevention systems (IPS) and data loss prevention tools. Doing so will ensure up-to-date threat intelligence about applications.
  • Secure traffic. It’s no longer sufficient to just secure the traffic leaving the organization. Traffic must now also be secured within the enterprise, especially as IT continues to move from legacy, monolithic applications to modern, microservices architectures. Traffic that once was contained in-house is now sent across the wire, often traversing data center and cloud boundaries. Also look for technology that can help throttle, encrypt and shape outgoing traffic to ensure it’s available.
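Guideline 4 for developers and the ops focus on building security into the CI/CD workflow come down to the same mechanism: a gate that runs after the scanners and decides whether a build may proceed. The following Python is an added example written for this page, not code from the article, from NGINX or from any scanning tool; the JSON report shape, rule ids, package names and team names are assumptions. It shows the policy decisions a practitioner has to make explicitly: which severity stops the build, how many medium findings are tolerated, and how accepted risk is recorded with an owner and an expiry date so that a suppression cannot outlive the reason for it.

```python
"""CI/CD security gate (added example; not code from the article or from NGINX).

It parses a scanner report in a hypothetical JSON shape (assumed here, not any
real tool's format), applies a severity policy and a risk-acceptance list with
owners and expiry dates, and returns a pass/fail decision the pipeline can act on.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Fixed "today" so the example is deterministic; a real gate would use date.today().
TODAY = date(2018, 4, 30)


@dataclass(frozen=True)
class Finding:
    rule: str                       # scanner rule or advisory identifier
    severity: str                   # normalised to lowercase
    location: str                   # source file or dependency name
    fixed_in: Optional[str] = None  # upstream patched version, if the scanner reports one


# Accepted risks. A suppression needs an owner, a reason and an expiry, and an
# expired entry stops suppressing, so a finding cannot be silenced forever.
# Rule ids, packages and teams below are hypothetical.
ACCEPTED = {
    ("EX-2001", "libfoo"): {"owner": "team-payments", "expires": date(2030, 1, 1),
                            "reason": "vulnerable function not reachable"},
    ("EX-2003", "libbar"): {"owner": "team-web", "expires": date(2018, 1, 1),
                            "reason": "upgrade scheduled"},
}

# Constructed scanner output for the demonstration (not real tool output).
SAMPLE_REPORT = """
{"findings": [
  {"rule": "EX-2001", "severity": "High",     "location": "libfoo", "fixed_in": "1.4.2"},
  {"rule": "EX-2002", "severity": "Critical", "location": "src/login.py"},
  {"rule": "EX-2003", "severity": "High",     "location": "libbar", "fixed_in": "2.0.0"},
  {"rule": "EX-2004", "severity": "Low",      "location": "src/util.py"},
  {"rule": "EX-2005", "severity": "Medium",   "location": "src/api.py"}
]}
"""


def parse_report(text: str) -> List[Finding]:
    """Turn the JSON report into Finding objects, rejecting unknown severities
    instead of silently treating them as harmless."""
    findings = []
    for item in json.loads(text)["findings"]:
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {item['severity']!r} in {item['rule']}")
        findings.append(Finding(item["rule"], sev, item["location"], item.get("fixed_in")))
    return findings


def evaluate_gate(findings, today=TODAY, block_at="high", max_medium=0):
    """Apply the policy. Returns (passed, blocking, suppressed).

    - findings at or above `block_at` always block the build;
    - medium findings block once more than `max_medium` of them remain;
    - a finding with a current acceptance entry is suppressed but still reported.
    """
    blocking, suppressed = [], []
    mediums = 0
    for f in findings:
        acceptance = ACCEPTED.get((f.rule, f.location))
        if acceptance and acceptance["expires"] > today:
            suppressed.append(f)
            continue
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[block_at]:
            blocking.append(f)
        elif f.severity == "medium":
            mediums += 1
            if mediums > max_medium:
                blocking.append(f)
    return (not blocking, blocking, suppressed)


def run_gate(report_text: str, today=TODAY) -> int:
    """Exit-code style entry point: 0 lets the pipeline continue, 1 stops it."""
    passed, blocking, suppressed = evaluate_gate(parse_report(report_text), today)
    for f in blocking:
        fix = f" (fixed in {f.fixed_in})" if f.fixed_in else ""
        print(f"BLOCK {f.severity:<8} {f.rule} at {f.location}{fix}")
    for f in suppressed:
        acc = ACCEPTED[(f.rule, f.location)]
        print(f"ACCEPTED {f.rule} at {f.location}: {acc['reason']} "
              f"(owner {acc['owner']}, until {acc['expires']})")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(run_gate(SAMPLE_REPORT))
```

Run it as the last step after the scanners and let the non-zero exit status fail the job. With the constructed report, the critical finding and the high finding whose acceptance has expired stop the build, the single medium finding stops it too under the default budget of zero, and the one with a live acceptance is printed with its owner and expiry but does not block. Printing the scanner's `fixed_in` version beside each blocking dependency finding is what makes guideline 2 actionable: the fix is named in the same output that stopped the build.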

Multiple benefits

Security breaches often cause downtime, leading to losses in revenue and reputation, Whiteley explained. "Plus, with increasing regulatory and privacy requirements, there are stiff financial and criminal penalties if applications and data are breached," he added.

Embracing DevOps security also gives organizations their best shot at keeping security budgets down, Whiteley observed. "Right now, many organizations enjoy a healthy security budget, given the risks of breaches," he noted. Yet the good times won't last forever, he warned, "especially if the economy falls into a downturn."

[To learn more about the evolving role of DevOps in the enterprise, check out the DevOps track at Interop ITX 2018, scheduled for April 30 to May 4 at the Mirage in Las Vegas.]

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ...
