InfoSec meets DevOps

Organizations are continuously learning how to adapt to the digital economy and its high release cadences. For some, this also means moving from a delivery methodology monoculture to a polyculture environment to address the differing needs of new and old applications. Adopting Agile methodologies allows the exploration of novel business models with a Minimum Viable Product (MVP) approach, while also catering to mission-critical systems that need to be maintained and evolved slowly and carefully, meeting a long list of legacy constraints.

The transition to polyculture in delivery fostered learning and innovation. In the early days, long before MVPs, we used RAD (Rapid Application Development), which promised speed gains and new delivery methods but relied on closed and monolithic stacks. Then came Java and the open source tidal wave. Continuous Integration (CI) extended good software development practices to all sorts of technology stacks beyond RAD tools while sustaining rapid paces. Continuous Delivery (CD) brought operations and developers closer through a unified server-side operating system (Linux) and a radical shift in server provisioning through virtualization and Infrastructure-as-a-Service (IaaS). Just as CI advocates preached face-to-face interaction, CD brought operations and development closer in ways that benefit mission-critical systems as well as the evolution of MVPs into products and, eventually, into next-generation mission-critical systems.

Interestingly, there is a joint progression of practices and technical innovation at work, in a sort of lock-step way. The contributions of Amazon to the way we provision hardware had a profound impact on architecture scaling and application deployment. Other fundamental advances are taking place as well. The world of industrial supervisory and control systems, which instruments factory equipment and production lines, is expanding to more common objects of our daily lives as sensor costs sink and units of computing shrink and get ruggedized. The Internet of Things (IoT), as it is known, brings specific requirements with it as it makes its way into our fridges, cars and street lights. Security is one of these requirements. And to a certain extent, advances in build automation for continuous delivery will also sustain these new requirements.

Awareness of security has traditionally been stronger downstream of development within the organization. This is changing with DevOps and InfoSec teaming up. Governance, risk and compliance data previously accessible only to information security teams is now available in shared wikis and enforced through automated tests run by the CI tool. Consider the importance of this practice in IoT, where code controls everyday appliances. But we are not there yet. As the recent news on the Mirai malware shows[1], security testing can be challenging and, for some forms of automation, impossible to create (e.g. the requisite Distributed Denial of Service testbeds). A recent report by the HP Enterprise Security Fortify Team shows[2] that in fact only 1 in 5 extend security awareness and testing end-to-end to the development team rather than applying it only at production acceptance.

[1] https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937

One way to look at the lock-step relation between advances in test automation and the CD automation that underpins DevOps, and how it benefits security testing, is through a Wardley map. Simon Wardley, a researcher for the Leading Edge Forum, has been refining a way to explore the adoption of business strategies and competitive advantage through Value Chain Maps. His particular approach takes the Value Chain concept, turns it sideways and adds a time dimension. This 2D representation supports rich conversations around a specific context: the pieces of interest, their relative position to an anchor, and their movements across the space. Wardley has used this[3] effectively (among other topics) to talk about the emergence of scale-out practices and DevOps based on his own experience.

Below is a representation of the relationship mechanism which ties advancements in security testing and “DevSecOps” to evolutions in build pipelines and CD.

[Figure: Wardley map relating security testing and DevSecOps to the evolution of build pipelines and CD]

[2] Application Security and DevOps, 2016, HP Enterprise Development
[3] See http://blog.gardeviance.org/2015/04/devops-weve-been-here-before-we-will-be.html

CD products already exist which sustain various build pipelines and their automation. They are represented in the map by the center block, which evolved over time from left to right as these products matured. The key point is that pipeline automation has pushed the state of the art in practices such as test automation, evolving from (1) to (2). These new practices and tools eventually enable the evolution of CD itself (3), in turn enabling the commoditization of aspects of security testing practices towards the right-hand side (4). Consider mobile applications, for example.

Mobile application development needs to consider security aspects across the server-side, the communication channel and the client-side. These aspects need to be well understood by both developers and system engineers: web server configurations on the back-end, cookie rotation, handling of certificates, use of URL schemes, or handling of copy/paste data in buffers. IoT will bring its own set of security requirements. Ensuring the bridges are in place to consider security aspects end-to-end is something that CD practices know how to establish. And this ultimately lets our security experts focus on new vulnerabilities and advisories.
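As an added illustration of the practice described above (a security baseline published by the GRC team and enforced as an automated CI test), the following Python check compares a back-end's HTTP response headers against a constructed baseline for transport security and cookie flags, two of the server-side aspects listed for mobile applications. This is example code written for this page, not the author's or Ness's; the policy values and sample responses are assumptions.

```python
import re
from typing import Dict, List

# Constructed baseline, as a GRC team might publish it on a shared wiki;
# the values are assumptions for this example, not from the page.
POLICY = {
    "required_headers": {
        "Strict-Transport-Security": re.compile(r"max-age=(\d+)"),
        "X-Content-Type-Options": re.compile(r"^nosniff$", re.I),
    },
    "hsts_min_age": 15552000,  # 180 days, in seconds
    "cookie_flags": ("Secure", "HttpOnly"),
}

def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return policy violations for one response (empty list = compliant).
    `headers` maps a header name to every value seen, so repeated
    Set-Cookie lines are all inspected."""
    findings = []
    for name, pattern in POLICY["required_headers"].items():
        values = headers.get(name, [])
        if not any(pattern.search(v) for v in values):
            findings.append(f"{name}: missing or malformed")
    for v in headers.get("Strict-Transport-Security", []):
        m = re.search(r"max-age=(\d+)", v)
        if m and int(m.group(1)) < POLICY["hsts_min_age"]:
            findings.append(f"Strict-Transport-Security: max-age {m.group(1)} below policy")
    for cookie in headers.get("Set-Cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in POLICY["cookie_flags"]:
            if flag.lower() not in attrs:
                findings.append(f"Set-Cookie {cname}: missing {flag}")
    return findings

# Constructed sample responses: a compliant back-end and a misconfigured one.
GOOD = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "X-Content-Type-Options": ["nosniff"],
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
BAD = {
    "Strict-Transport-Security": ["max-age=3600"],
    "Set-Cookie": ["session=abc123; Path=/", "csrf=xyz; Secure"],
}

if __name__ == "__main__":  # in CI, a non-empty result fails the build
    for label, h in (("good", GOOD), ("bad", BAD)):
        print(label, check_headers(h) or "compliant")
```

In a pipeline the check would run against the staging deployment's actual responses, with the policy file versioned alongside the code so changes to it are reviewed like any other change.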

The same HP Enterprise Security report indicates that operations and development teams still have a limited understanding of each other’s domains and constraints. Developers themselves are barely able to keep up with the fast evolution of these domains. The good news is that advancements in practices are introducing automation services which will address some aspects of security and prevent at least unsophisticated attacks. Co-evolution of practices incorporating genuine cooperation across teams will be required to lift security awareness from the early phases of development and to compensate for considerations that are hard or impossible to automate. DevOps remains key to enabling CD automation and ensuring security practices are adopted by delivery teams at a pace that keeps up with the cyber-threats against the applications and things we love to use.

About the Author

Jean Paul de Vooght
Jean-Paul is a Solution Architect and part of the Solutioning Team at Ness Digital Engineering. His role involves bridging delivery capabilities with innovation opportunities in Germany, Austria and Switzerland. His experience in Internet solutions spans from e-commerce and social media curation to data science sites for machine learning competitions.
