Secure DevOps basics: A guide for developers

by Colin Domoney

At the center of any successful DevOps initiative is a simple but often overlooked concept: Because developers drive the software agenda, their participation is crucial to achieving a more secure framework. But simply acknowledging this fact won't get the job done. As a developer you need to be at the center of an application security strategy for it to be effective. Secure DevOps, also called DevSecOps or rugged DevOps by practitioners, is the next evolution.

Today, nobody disputes the need to move fast and deploy code quickly. An agile framework underpins success in the digital age. But rapid innovation can conflict with stability and security. Without security, DevOps merely introduces vulnerabilities into software faster.

To resolve these conflicts, you need to close the gaps in feedback loops. Too often, teams are not effectively integrated, and these connecting and intersecting loops—often between different teams, but even within the same teams—aren't optimized effectively. This results in gaps and problems with code development, leading to slower delivery schedules and vulnerabilities that increase security risk.

In many organizations, the underlying problem is that security isn’t addressed until the end of the software development lifecycle. The result? Developers find creative ways to work around security controls that slow them down or create more work. In the quest to move quickly, developers inadvertently create new, bigger problems. 

The goal of secure DevOps is to introduce a framework that builds a bridge between fast and secure software development. Here are the keys for bridging that development gap between speed and security.

Build a security culture

To start, culture should focus on openness and ongoing learning. Within the secure DevOps world, trust and cooperation are everything, and ongoing training and learning pay enormous dividends. As you build a culture that emphasizes openness and learning, establishing strong feedback loops will be key. Moreover, security champions who understand security within both the Dev and Ops groups will be necessary to help in transitions, infusing their knowledge and enthusiasm while bolstering team autonomy. These leaders will empower their teams and give them the authority to determine many of their own processes and tools based on their needs.

Keys:

  • Build and maintain a culture of learning, candid exchange of ideas, and strong feedback loops.
  • Establish security champions to empower other teams to be more secure.

Automate and autonomize security

The ability to automate security testing—through scripting, static and dynamic analysis, composition analysis, and integration of testing with existing tools and within processes—goes a long way toward identifying flaws early in the lifecycle and speeding up the delivery of secure code. It’s better to fail early, at the developer's desktop, than late, on the customer's laptop or smartphone.

Once the transition is made, don’t accept high false positives—too many, and developers will start distrusting the results and work around the tools. Finally, it will all be for naught if there is no emphasis on orchestration. All systems are prone to bugs and errors that can only be overcome through the orchestration of code and systems during rapid spin-ups and shutdowns. Equally important: Teams must be empowered to act without waiting for edicts from the CISO or other security professionals.

Keys actions include:

  • Automate security testing and monitoring tools into relevant stages of the software production pipeline, especially the early stages ("shift-left").
  • Reduce false positives; otherwise, the results of tests will be ignored.
  • Build robust infrastructure-as-code and security-as-code orchestration.
  • Teams must have autonomy to quickly move these steps forward or loop backward.

Measure the results of cultural and technical shifts

All changes should work under a holistic model that encourages team autonomy and high levels of communication, responsibility, and accountability. This includes regular code reviews, security exercises, and performance measurements and benchmarks. Furthermore, response mechanisms and procedures should be established, such as code-grooming guidelines, threat-modeling methods, and policies for developers to escalate issues to the security team. Enterprises that promote the right culture, embed the right technology, and develop robust processes tied to metrics and key performance indicators (KPIs) create a secure DevOps framework that reduces problems and minimizes emergencies.

Keys actions you should take include:

  • Employ regular:
    • Code reviews
    • Security exercises
    • Performance measurements and benchmarks
  • Establish:
    • Code-grooming guidelines
    • Threat-modeling methods
    • Policies for developers to escalate issues to security champions
  • Tie process to metrics and KPIs.

Take the next step

According to the 2016 State of DevOps Report, just 22% of organizations have made the switch to DevOps. Even among those organizations, DevOps is not uniformly used across teams and products. However, there are some examples of organizations that have successfully adopted DevOps and are on their way to secure DevOps. They’re demonstrating that a highly focused approach results in net gains for development teams, the enterprise, partners, and customers.

For instance, Capital One moved from a waterfall approach to a continuous deployment environment that relies heavily on containers, microservices, and cloud technology. CIO Rob Alexander said this has helped reduce bureaucracy and technical debt. And Netflix is often seen as a unicorn in the DevOps world. With DevOps at the center of everything, its applications run on a variety of viewing devices to create a seamless technology interface. So how can you get on the same trajectory?

Here are two easy steps you can take immediately:

  • Join and contribute to the Open Web Application Security Project (OWASP) or promote certifications such as the ISC2 Certified Secure Software Lifecycle Professional (CSSLP) within your organization.
  • Take advantage of online training options, such as e-learning offerings from app sec companies or even YouTube, as a starting point.

Secure software is a journey

Secure DevOps presents enormous opportunities and challenges. To get there, you must break down the barriers that block the three Cs of DevOps: communication, collaboration, and cooperation.

Developers who help build a framework that supports secure DevOps are poised for a level of speed, innovation, and disruption that puts them and their organization at the forefront of the application economy. Don't panic. Embrace change, and you will be rewarded.

Additional resources

The learning part of becoming a secure DevOps organization is never over. Use these additional resources to learn more about how to make your team produce the most secure code possible without sacrificing speed.