Many common problems encountered in ensuring secure application development and deployment stem from uncertainty about the respective responsibilities of developers and operations staff. Under pressure to build and deploy software as quickly as possible, it's easy for one side to think that the other has completed all of the necessary security tasks.
Yet this often isn't the case, leading to software that leaves organizations vulnerable to theft or attack, noted Rob Whiteley, chief marketing officer for NGINX. On May 2, at Interop ITX, Whiteley will discuss "The Role of DevOps in Application Security," examining the distinct responsibilities dev and ops teams need to follow to ensure seamless alignment on application security.
Whiteley believes that secure applications can be effectively created by fostering the right development culture. He offered four guidelines designed to ensure that developers will focus on building strong security attributes:
1. Enforce practices such as least privilege and minimum data. Restrict each developer's project access to the portions relevant to their work. Besides lowering the risk of introducing vulnerabilities and mistakes, access restriction also helps ensure that compliance and privacy standards are met.
2. Applications are increasingly a mix of custom and open source code, so make sure developer teams test both for a wide range of security vulnerabilities. Watch for security patches from the open source projects you depend on and integrate them into development and testing quickly; in many cases, timely patch delivery is the main benefit of paying for open source support. If an open source component is mission-critical to the app, the cost of that support usually pales in comparison to the cost of the downtime or breach that an unpatched vulnerability can cause.
3. Update the current incentive policy. Reward more than just standard metrics such as completing projects, checking in code, developing new features or fixing bugs. Instead, reward for code quality, a low number of vulnerabilities, and rapid fixes to discovered vulnerabilities.
4. Introduce code analysis tools and automated penetration testing early in the development process, so that vulnerabilities are found and fixed as the code is being written rather than after release.
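As an added illustration of guideline 4 (not code from the article or from NGINX), the script below is the kind of lightweight code-analysis gate a team can run as a pre-commit hook or as the first stage of a CI pipeline. It parses Python source into an AST and flags a few well-known risky patterns: dangerous calls such as eval() and pickle.loads(), subprocess calls with shell=True, yaml.load() without an explicit Loader, and string literals assigned to secret-looking names. The rule set and the embedded sample source are constructed for this example; a real pipeline would run a full static analysis tool with a much larger rule set.

```python
"""Minimal AST-based security lint for a pre-commit hook or CI step.

Constructed example: the rules and SAMPLE_SOURCE below are illustrative
and deliberately small. A non-zero exit status is what makes the commit
or build fail, which is how the check gets enforced early.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


# Dotted call names that are dangerous regardless of their arguments.
DANGEROUS_CALLS = {
    "eval": "eval() executes arbitrary code; parse the input instead",
    "exec": "exec() executes arbitrary code",
    "pickle.load": "unpickling untrusted data allows code execution",
    "pickle.loads": "unpickling untrusted data allows code execution",
}

SECRET_NAME_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _keyword(call: ast.Call, name: str) -> Optional[ast.expr]:
    """Return the value of keyword argument `name` on a call, if present."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def _is_true_literal(node: Optional[ast.expr]) -> bool:
    return isinstance(node, ast.Constant) and node.value is True


class SecurityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append(Finding(node.lineno, "dangerous-call",
                                         f"{name}: {DANGEROUS_CALLS[name]}"))
        elif name and name.startswith("subprocess.") and _is_true_literal(_keyword(node, "shell")):
            self.findings.append(Finding(node.lineno, "shell-injection",
                                         f"{name}(shell=True) runs a command string through the shell; "
                                         "pass an argument list instead"))
        elif name == "yaml.load" and _keyword(node, "Loader") is None:
            self.findings.append(Finding(node.lineno, "unsafe-yaml",
                                         "yaml.load() without Loader= can instantiate arbitrary "
                                         "objects; use yaml.safe_load()"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Hard-coded secret: a non-empty string literal assigned to a secret-looking name.
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.upper() for h in SECRET_NAME_HINTS):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 f"{target.id} is assigned a string literal; load secrets "
                                                 "from the environment or a vault"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse `source` and return findings ordered by line number."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample input: lines 2, 3, 5, 7 and 8 should be flagged; 4, 6 and 9 should not.
SAMPLE_SOURCE = '''\
import subprocess, pickle, yaml, os
DB_PASSWORD = "hunter2"
cfg = yaml.load(open("app.yml"))
safe_cfg = yaml.safe_load(open("app.yml"))
subprocess.run("ls " + user_dir, shell=True)
subprocess.run(["ls", user_dir])
obj = pickle.loads(blob)
result = eval(expr)
token = os.environ.get("TOKEN")
'''


def main() -> int:
    findings = scan_source(SAMPLE_SOURCE)
    for f in findings:
        print(f"line {f.line}: [{f.rule}] {f.message}")
    return 1 if findings else 0  # non-zero exit fails the commit or the build


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired in as a pre-commit hook, the script runs against the staged files instead of SAMPLE_SOURCE and blocks the commit on any finding; the same invocation as the first CI stage gives the fast, cheap feedback that later, slower penetration testing cannot.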
Ops teams should be kept mindful of the need for strong application security through close collaboration with security experts and a shared set of guiding principles. "The operations side of the equation is a bit easier [than development] as there are fewer behavioral changes that need to be made," Whiteley says. "The bigger focus for ops teams is on process change and building security into the CI/CD (continuous integration/continuous delivery) workflow."
To ensure that security is baked into the Ops side of DevOps, Whiteley suggests that Ops personnel:
Security breaches often cause downtime, leading to losses in revenue and reputation, Whiteley explained. "Plus, with increasing regulatory and privacy requirements, there are stiff financial and criminal penalties if applications and data are breached," he added.
Embracing DevOps security also gives organizations their best shot at keeping security budgets down, Whiteley observed. "Right now, many organizations enjoy a healthy security budget, given the risks of breaches," he noted. Yet the good times won't last forever, he warned, "especially if the economy falls into a downturn."
[To learn more about the evolving role of DevOps in the enterprise, check out the DevOps track at Interop ITX 2018, scheduled for April 30 to May 4 at the Mirage in Las Vegas.]

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ...