An Introduction to Secure DevOps: Including Security in the Software Lifecycle
The term "software security" often evokes negative feelings among software developers because it is associated with additional programming effort, uncertainty, and road blocks on fast development and release cycle. To secure software, developers must follow numerous guidelines that, while intended to satisfy some regulation or other, can be very restrictive and hard to understand. As a result, a lot of fear, uncertainty, and doubt can surround software security. This blog post, the first in a series, is based on a keynote I recently delivered at the International Conference on Availability, Reliability, and Security (ARES). In this talk I describe how the Secure DevOps movement attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems.
A Proactive Focus on Software Security
Emphasizing a set of DevOps principles enables developers to learn more about what they are developing and how it can be exploited by others. Rather than just blindly following the required security practices and identified security controls, developers can understand how to think about making their applications secure. As a result, they can derive their own creative ways to solve security problems as part of understanding the challenges associated with secure software development.
Rather than reacting to new attacks, secure software should be proactively focused on surviving by providing reliable software with a reduced attack surface that is quick both to deploy and restore. In other words, developers should worry less about being hacked and more about preventing predictable attacks and quickly recovering from cyber incidents as part of their development activities.
In the past, software security focused on the nature and origin of attacks, as well as measures for preventing attacks. However, most attacks-especially sophisticated attacks-can't be anticipated, which means that fixes are bolted on as new attacks are discovered.
The inability to anticipate attacks is why we often see patches coming out in response to new zero-day vulnerabilities. Secure DevOps developers would rather their software absorb the attacks and continue to function. In other words, it should bend but not break. This shift in thinking from a prevent to a bend-don't-break mindset allows for a lot more flexibility when it comes to dealing with attacks. Ensuring a secure lifecycle requires the development team to focus on continuous integration, infrastructure as code, continuous deployment, and automated integrated development platform.
Applying DevOps Principles to Software Development Regardless of Size or Industry Type
The burgeoning concepts of DevOps include a number of best practices that can be applied to increase the security of developed applications. These best practices include the following
- adding automated security testing techniques, such as fuzz testing and software penetration testing, to the software development cycle or system integration cycle
- standardizing the integration cycle to reduce the introduction of faults
- introducing security concerns and constraints to software and system development teams at the inception of projects, rather than applying them after the fact
Applying these and other DevOps principles can have a big impact on creating an environment that is resilient and secure. In future posts in this series, I will discuss examples of how DevOps principles were applied on projects, along with lessons learned and ideas on applying these principles to the development and acquisition processes. I will explain how to address security concerns early in the development lifecycle and present strategies for addressing these threads at many decision points. The series will conclude with a reference architecture that helps integrate automation security analysis during integration or in deployment and delivery phases.
We welcome your feedback on the DevOps blog, as well as suggestions for future content. Please leave feedback in the comments section below.
To view the webinar DevOps Panel Discussion featuring Kevin Fall, Hasan Yasar, and Joseph D. Yankel, please click here.
To view the webinar Culture Shock: Unlocking DevOps with Collaboration and Communication with Aaron Volkmann and Todd Waits please click here.
To view the webinar What DevOps is Not! with Hasan Yasar and C. Aaron Cois, please click here.
To listen to the podcast DevOps--Transform Development and Operations for Fast, Secure Deployments featuring Gene Kim and Julia Allen, please click here.
To read all of the blog posts in our DevOps series, please click here.