DevOps embraces security measures to build safer software
Contrast that with the overall response pool, where only 27% said they performed application security analysis at every stage. Forty-nine percent of respondents said they performed application security analysis during QA/testing, and 45% said prior to releasing into production.
Part of the increase in application security comes from the increased focus on training. The survey found that 85% of respondents from mature DevOps organisations received some form of application security training to ensure awareness of secure coding practices.
But secure development within DevOps is less about blindly following required security practices and controls and more about making applications secure as part of daily practice, said Hasan Yasar, technical manager and adjunct faculty at Carnegie Mellon University. Developers are encouraged to adopt an attacker mindset to look for vulnerabilities in their own code and to build software with a reduced attack surface. If the application is quick to deploy and restore, then developers can worry less about being hacked and more about preventing predictable attacks and quickly recovering from an incident.
Bend not break
“Software should bend but not break,” Yasar said. “This shift in thinking from a prevent to a bend-don’t-break mindset allows for a lot more flexibility when it comes to dealing with attacks.”
Another area where security can work with DevOps is in the use of runtime application self-protection (RASP) and next-generation web application firewall (NGWAF) technologies. RASP and NGWAF give security, operations, and development teams visibility into attacks and data at runtime.
“Automation of application security will democratise security data, breaking down silos between groups while helping the entire organisation operate more efficiently,” said Shields.
While the survey paints a rosy picture—especially since DevOps still is not as firmly entrenched in software development as its advocates would like to believe—it still makes a compelling argument that automation makes it possible to integrate application security tools early into the development life cycle. Thanks to automation, vulnerabilities are found faster and fixed earlier, which is less costly than finding them in production or during penetration testing. When the tests become part of the CI/CD pipeline, code quality is higher, developers are happier about what they are producing, and security teams are satisfied because security policies are being followed.
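The kind of pipeline gate the paragraph above describes, as an added example that is not code from the survey or from anyone quoted on this page: a small Python script a CI stage would run after a scanner finishes, failing the build when any unaccepted finding reaches the severity threshold while honouring time-limited accepted-risk exceptions so that known, reviewed findings do not block every release. The report layout, rule ids, file paths and allowlist structure are constructed for illustration and do not correspond to any particular tool's output.

```python
"""CI security gate: enforce a severity policy over scanner findings.

Constructed sample data only; the report shape and allowlist format are
assumptions for this example, not the output of a real scanner.
"""
import hashlib
import json
import sys
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Higher rank means more severe. Unknown severities are treated as
# critical so that a scanner adding a new level fails the gate closed.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int
    message: str


def fingerprint(f: Finding) -> str:
    """Stable identity used by the allowlist.

    Deliberately excludes the line number so an accepted finding survives
    unrelated edits elsewhere in the file (a simplification; real tools
    usually hash the matched code instead of the message).
    """
    raw = f"{f.rule_id}|{f.path}|{f.message}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def load_findings(report_json: str) -> List[Finding]:
    """Parse the (assumed) {"results": [...]} report emitted by the scanner."""
    data = json.loads(report_json)
    return [
        Finding(r["rule_id"], r["severity"].lower(), r["path"], int(r["line"]), r["message"])
        for r in data["results"]
    ]


def blocking_findings(findings: List[Finding], allowlist: List[dict],
                      threshold: str, today: Optional[str] = None) -> List[Finding]:
    """Return findings at or above `threshold` that are not currently accepted."""
    today_d = date.fromisoformat(today) if today else date.today()
    min_rank = SEVERITY_RANK[threshold]
    # Only unexpired exceptions count; an expired one silently stops applying,
    # which forces the risk to be re-reviewed rather than forgotten.
    accepted = {
        e["fingerprint"] for e in allowlist
        if date.fromisoformat(e["expires"]) >= today_d
    }
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity, SEVERITY_RANK["critical"])
        if rank < min_rank or fingerprint(f) in accepted:
            continue
        blocking.append(f)
    return blocking


def run_gate(report_json: str, allowlist: List[dict], threshold: str,
             today: Optional[str] = None) -> int:
    """Print blocking findings and return the process exit code (0 pass, 1 fail)."""
    blocking = blocking_findings(load_findings(report_json), allowlist, threshold, today)
    for f in blocking:
        print(f"BLOCK {f.severity:8} {f.rule_id} {f.path}:{f.line} {f.message}")
    print(f"{len(blocking)} blocking finding(s) at threshold '{threshold}'")
    return 1 if blocking else 0


# Constructed sample report: three findings of differing severity.
SAMPLE_REPORT = json.dumps({"results": [
    {"rule_id": "python.sqli.format-string", "severity": "high",
     "path": "app/db.py", "line": 42, "message": "SQL built with str.format"},
    {"rule_id": "python.hashlib.md5", "severity": "medium",
     "path": "app/legacy.py", "line": 7, "message": "MD5 used for checksum"},
    {"rule_id": "python.debug.enabled", "severity": "low",
     "path": "app/main.py", "line": 3, "message": "debug=True in production config"},
]})

# Constructed allowlist: the MD5 checksum is accepted until 2099, the SQL
# injection exception expired in 2020 and therefore no longer applies.
SAMPLE_ALLOWLIST = [
    {"fingerprint": fingerprint(Finding("python.hashlib.md5", "medium",
                                        "app/legacy.py", 7, "MD5 used for checksum")),
     "expires": "2099-01-01", "reason": "non-security checksum, ticket SEC-1"},
    {"fingerprint": fingerprint(Finding("python.sqli.format-string", "high",
                                        "app/db.py", 42, "SQL built with str.format")),
     "expires": "2020-01-01", "reason": "temporary exception, long expired"},
]

if __name__ == "__main__":
    sys.exit(run_gate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, threshold="medium"))
```

In a pipeline the report would come from the scanner's output file and the allowlist from a reviewed file in the repository, so that accepting a risk is itself a code change that goes through review; the non-zero exit code is what makes the CI stage fail.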
Faster, cheaper operation
“Building the right AppSec tools seamlessly into the DevOps loop—your continuous release cycle—means your IT delivery value stream operates faster, cheaper, and at high quality,” said Helen Beal, a “DevOpsologist” at Ranger4, a DevOps consultancy.
Security experts have long advocated including security earlier in the lifecycle, and the survey findings show that this is already happening in some organisations. The survey shows that the rapid pace of development and deployment in DevOps isn’t somehow contrary to security, and that organisations have successfully managed to combine the two.
IDG News Service