DevOps & Security: Top 3 Myths Debunked

This post is based on our AppSec How-To Paper on Achieving Security in DevOps, which you can access here.

In DevOps, when you’re deploying hundreds, possibly thousands, of features and bug fixes a week, security cannot afford to be an afterthought. The beautiful thing about DevOps is that it’s a process that continues to get more streamlined, faster and more efficient – and your deployments will be that much better if they’re also fully secure before release time comes.

As DevOps catches on at major tech disruptors like Facebook, Etsy, Netflix, LinkedIn and Twitter, 2014 may be the year that it moves into the mainstream. But there are plenty of naysayers who reject the idea of a secure DevOps process, and persistent myths still guide the conversation. Let’s spend a little time debunking the top 3 myths:

1. There’s No Place For Security Within DevOps

Lots of people think there is little to no room for security in DevOps. This is simply not the case; in fact, there are plenty of added benefits – building security in at the earliest possible stage gives a product the best chance of withstanding attacks.

When people say there’s no place for security in DevOps, they really mean there’s no way for the security team to fit in with the DevOps teams. Traditionally, security teams have been seen as outsiders, coming in to police the hard-working developers and cut them down to size. That’s been the culture up to now, and with that attitude there really is no place for security within DevOps. The answer is to create transparency and a unified workflow that allows a strong relationship between security and DevOps.

The key here is to engage your developers and get them involved in the security process. Get them to understand your process, take them to OWASP meetings, teach them the basics of secure coding and they’ll feel more connected to why they’re making their code safer.

2. Security Slows Down Deployments

If you’re not implementing security right, then this myth could very well be true. However, security within DevOps is meant to be automated, and it can (and should) be designed so that it gets faster and better with each new deployment. When security and automation are well integrated in DevOps, the benefits are definitely there:

  • Automating attacks against code in pre-production and using that as the first line of defense before even reaching production
  • Being able to continually monitor and test the production environment using automation
  • Using code analysis tools throughout development for quicker detection and a more integrated approach
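The third point, analysis tools integrated into the pipeline, is where the "faster with each deployment" claim becomes concrete. The script below is an added example and is not code from the Checkmarx post or from any Checkmarx product; it shows one common way to wire an analyser into a CI gate. The analyser's output format, the rule names and the file paths are all constructed sample data. The gate compares the current scan against a baseline recorded at the last release and fails the build only on new findings at or above a chosen severity, so the known backlog is tracked without blocking every deployment.

```python
"""Minimal CI security gate over static-analysis findings (added example).

Pattern: fail the build on *new* findings at or above a severity threshold,
while findings already present in the release baseline are reported but do
not block. Analyser output is a constructed, hypothetical JSON shape.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: what the analyser reported on the current commit.
CURRENT_SCAN = json.dumps([
    {"rule": "sql-injection", "file": "app/orders.py", "line": 42, "severity": "high"},
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "severity": "medium"},
    {"rule": "weak-random", "file": "app/tokens.py", "line": 19, "severity": "low"},
])

# Constructed baseline: findings that were already known at the last release.
BASELINE = json.dumps([
    {"rule": "hardcoded-secret", "file": "app/config.py", "line": 7, "severity": "medium"},
])


def fingerprint(finding):
    """Identity of a finding across commits.

    Line numbers shift whenever code above them is edited, so keying on
    rule + file avoids reporting a finding that merely moved as new.
    """
    return (finding["rule"], finding["file"])


def new_findings(scan_json, baseline_json):
    """Return findings from the current scan that are not in the baseline."""
    known = {fingerprint(f) for f in json.loads(baseline_json)}
    return [f for f in json.loads(scan_json) if fingerprint(f) not in known]


def gate(scan_json, baseline_json, fail_at="high"):
    """Return (passed, blocking).

    `blocking` lists new findings whose severity is at or above `fail_at`;
    the build passes only when that list is empty. Unknown severities rank 0
    so a malformed record never blocks by accident.
    """
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in new_findings(scan_json, baseline_json)
        if SEVERITY_RANK.get(f["severity"], 0) >= threshold
    ]
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # In a real pipeline CURRENT_SCAN would be read from the analyser's
    # report file and BASELINE from the repository; a non-zero exit fails
    # the CI job.
    passed, blocking = gate(CURRENT_SCAN, BASELINE)
    for f in blocking:
        print(f"BLOCK {f['severity']:<8} {f['rule']} at {f['file']}:{f['line']}")
    sys.exit(0 if passed else 1)
```

The baseline is what makes the gate get "better with each deployment": every release that fixes an old finding shrinks the baseline, and the threshold can be lowered from `high` to `medium` once the backlog is gone, without the gate ever being a surprise to developers.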

3. There’s No Room For Older Tools

While traditional security methods don’t always allow for the speed and automation required by DevOps, they shouldn’t be automatically tossed aside. Penetration testing, for instance, can take weeks before the tester finalizes the assessment, and without consolidated results it can take upwards of a month to track down the fixes that need to be made. Even so, pen-testing can still be incredibly valuable for ensuring military-grade security every six months or so. Having your customer pen-test your software can also be a great way of building transparency and confidence in your product.

Another popular yet traditional security method has been using WAF (Web Application Firewall), which can be great in slower environments. Again, with the speed and fluidity required in DevOps, a WAF that requires a lot of tuning to do its job becomes more of a hassle than a serious asset. Continuous deployment becomes continuous configuration if you’re strictly relying on a WAF in a DevOps team. The WAF can and should be used for the more stable parts of the Web app, with a fine-tune every few months to ensure that it’s still protecting against the right stuff.

The other traditional method has been code analysis, which, if not automated and customized, can become more trouble than it’s worth. But while code analysis tools can take a long time to set up and find bugs on a large scale, they can be used on a smaller scale in DevOps to ensure the security of any code that is especially sensitive.


Security should be integrated into your SDLC in a way that makes it a default part of the process. The better integrated security is into your DevOps process, the easier it will be to find and fix those bugs holding you back from deployment. With the rising popularity of DevOps comes a great opportunity for the security industry to get better, faster, stronger and more efficient. Building a secure foundation from the ground up is what will help make and keep you successful – and what will take security within DevOps from myth to reality.


Sarah is in charge of social media and an editor and writer for the content team at Checkmarx. Her team sheds light on lesser-known AppSec issues and strives to launch content that will inspire, excite and teach security professionals about staying ahead of the hackers in an increasingly insecure world.
