25 Jun Reinvent DevOps for Security to Avoid Another OPM Breach
Chilling repercussions of the devastating OPM security breach are reverberating across the enterprise software industry. The full extent of the unprecedented cyber espionage has not yet been revealed, but sources indicate that sensitive personal information of up to 3.2 million federal employees was compromised. Attempts to contain these damages and prevent future infringements are already underway.
While government organizations can do little to defend against sophisticated cyber-attacks with standard security deployments and practices, the root cause of such incidents is tied to software vulnerabilities in age-old legacy solutions still in regular use. IT companies responsible for software development and updates are required to inject security into the product from the ground up, instead of forcing customers to invest in additional security solutions as their last line of defense.
Software development methodologies such as Waterfall and even Agile are slowly going down the drain (to some extent, at least) when it comes to modern security-oriented development best practices. DevOps, a promising and relatively new development methodology, enables software development with a level of security intent that was previously lacking. The rage surrounding severe security breaches such as the OPM incident is forcing software companies to come up with new security-centric development methodologies. Applying basic DevOps principles (with a little bit of tuning) to maintain continuous security throughout the development and post-release phases is critical to designing the software application as a security fortress in itself.
Tuning DevOps for Continuous Security
On the surface, DevOps is an ecosystem, ideology and culture that brings Dev, Ops and QA under a single umbrella of automation to support continuous delivery. The DevOps system facilitates Agile practices throughout the development life-cycle such that end-products are developed iteratively in usable bite-sized chunks. The Agile Manifesto promised similar outcomes, but learnings from the prevalent adoption of ineffective Agile development methodologies demonstrate the lack of security intent that comes with lightning-fast development sprints and cutting corners in QA for faster deployment. DevOps is a powerful paradigm shift aimed at addressing these loopholes in Agile Dev and Ops practices to an extent that has earned security a place right in the title itself: DevOpsSecOps, DevSecOps, SecOps, OpSec – the list goes on.
DevOps brings a cultural change to align Dev, Ops and QA by establishing shared responsibilities across siloed teams and IT functions. Devs must undertake the responsibility to improve security with every build. Injecting code analysis into the development phase allows Devs to fix defects prior to deployment. Empowering them with sophisticated security analysis, monitoring and assessment tooling can ensure security is built into the product from the ground up instead of being tested only later in the development life-cycle.
It is important to understand that cyber crime has emerged as a consistent and continuous threat to enterprise software users. DevOps brings a whole new dimension to enterprise security by forcing DevOps teams to deploy protection mechanisms in lean cycles instead of relying on big-bang releases. The security protection has to work as a continuous process and incorporate defense against present as well as future threats within the security mechanism. Throwing iterative builds into virtualized production-like testing environments, continuously testing for vulnerabilities by automating attacks against preproduction builds and correlating the threat surface with contextual information is one approach to realizing real-time adaptive security.
The crux of achieving continuous security is to test early, often and throughout the software development life-cycle. Testing should begin as soon as the code is committed. Conducting tests in parallel, eliminating test dependencies, correlating results from multiple iterative build tests and using trend analysis accelerate diagnostics and portray the security big picture for DevOps teams to take into account.
Automation is the key to continuous security, especially since the business use case of DevOps offers no soft spot for traditional, time-consuming manual testing models. Continuous security necessitates repetitive testing for various combinations of system configurations, component integrations and operating systems. It is not financially viable to allocate costly network infrastructure resources for testing when not needed. DevOps teams must use service virtualization to set up development, integration, QA preproduction, staging and post-live monitoring environments and optimize resource utilization while ensuring end-to-end, continuous testing.
DevOps teams should also ensure high stability of the underlying testing infrastructure supporting continuous and uninterrupted DevOps cycles. A fast-response multi-discipline team should be prepared and present to address system instabilities such as outages and false alerts to ensure continuous testing system stability.
DevOps encourages standardization on a common tool set and practices to focus on strategic initiatives that help integrate quality into every build with faster delivery cycles. This approach reduces the stress on security operations since standardization is a prerequisite for effective automation, which in turn is a requirement for developing high quality software.
And when there’s a lot of automation going on with the code delivered continuously, DevOps teams can integrate audit-worthiness into the automation framework. Each process is already measured and tracked to support well-informed decisions regarding DevOps performance. From a security standpoint, the same capabilities can also be extended to leave audit trails when software defects emerge and raise flags to call for immediate fixes exactly where required.
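The build-to-build correlation and the audit trail described above can be sketched as a small security gate. This is an added example, not code from the original article: the finding tuples, build names and function names are constructed for illustration, and the hash-chained log is one assumed way to make the audit trail tamper-evident.

```python
import hashlib
import json

# Constructed sample: scanner findings (rule, file, severity) for three builds.
BUILDS = [
    ("build-101", {("SQLI-1", "orders.py", "high"), ("XSS-3", "view.py", "medium")}),
    ("build-102", {("XSS-3", "view.py", "medium")}),
    ("build-103", {("XSS-3", "view.py", "medium"), ("CMDI-7", "export.py", "high")}),
]
BLOCKING = {"high", "critical"}
GENESIS = "0" * 64

def gate(baseline, current):
    """Fail only when the build introduces a blocking finding absent from the baseline."""
    introduced = sorted(f for f in current - baseline if f[2] in BLOCKING)
    return ("fail" if introduced else "pass"), introduced

def entry_hash(prev_hash, record):
    """Hash the record together with the previous entry's hash."""
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_audit(trail, record):
    """Append a record chained to the previous entry, so later edits are detectable."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    trail.append({"prev": prev_hash, "record": record,
                  "hash": entry_hash(prev_hash, record)})

def verify_audit(trail):
    """Recompute the chain; an altered or dropped entry breaks it."""
    prev_hash = GENESIS
    for entry in trail:
        if (entry["prev"] != prev_hash
                or entry_hash(prev_hash, entry["record"]) != entry["hash"]):
            return False
        prev_hash = entry["hash"]
    return True

def run_pipeline(builds):
    """Gate each build against the last passing build and log every decision."""
    trail, baseline = [], set()
    for name, findings in builds:
        verdict, introduced = gate(baseline, findings)
        append_audit(trail, {"build": name, "verdict": verdict,
                             "introduced": introduced, "open": len(findings)})
        if verdict == "pass":  # a failed build never becomes the baseline
            baseline = findings
    return trail
```

Because the baseline only advances on a passing build, a blocking finding keeps failing the gate until it is fixed rather than being absorbed as a known issue. The chain only proves integrity if the latest hash is also stored somewhere the pipeline cannot rewrite.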
But that’s Still DevOps!
All of this security-tuned DevOps sounds much like SecOps itself – or DevSecOps, or whatever the next proposed security-oriented SDLC methodology is called. From a security perspective, DevOps as an SDLC methodology is already serving three enterprise IT security goals:
- High availability of information, resources and tooling when needed.
- Integrity of the system and information to prevent manipulation for performing unauthorized functionality.
- Securing confidential information that must not be disclosed to unauthorized parties.
The promising example of DevOps-driven organizations such as Etsy encourages organizations to embrace the DevOps movement. However, it is important to understand that it takes quite a bit of cultural, process and technology change for similar levels of performance, quality and security to take effect. These changes are critical for software vendors to develop enterprise-grade IT solutions capable of warding off the persistent cyber threat facing government and business organizations.