Discover PerformanceHP Software's community for IT leaders // July 2014
A simple plan for secure DevOps
IT’s push to break down the development and operations silos is an opportunity for security to add value, says InfoSec expert James Wickett.
DevOps—the movement to break down silos, deliver software faster, and overall create a better experience for customers—is spreading from startups and experimenters to the enterprise. Many CISOs would cringe at the idea of faster development cycles in an IT department that has even less time and patience for standard security checks, but James Wickett, a senior DevOps engineer, sees not just opportunity, but necessity.
"Traditional information security is going to die if we don’t respond to the way the business is moving," says Wickett, a speaker, author, and founder of the Gauntlt Rugged Testing Framework. "The business now knows there’s a competitive advantage in not letting a bunch of code sit on the shelf and gather technical debt. Security has been partly to blame for slow releases, often done in the name of audit and compliance. Security’s new role is to not be a blocker, but to help deliver audited, compliant, and security-tested code faster."
Security teams have to embed themselves into increasingly Agile software processes, and drive an awareness of good security practices on the part of developers. Reforming your testing processes is the cornerstone of this change, but before you get there, you’ll have to kick off a cultural shift that gets security people to think about how security serves the business.
From black hat to many hats
"A lot of times, security people tend to silo themselves away," Wickett says. "They use their own operational tooling and testing practices that others in the organization don’t know much about." CISOs trying to lead an acceptance of DevOps practices should do as much as they can, he says, to get their teams thinking and acting like part of the mainline organization.
For example, Wickett suggests that you could skip RSA or the Black Hat conference in lieu of Agile conferences like Velocity or Strata. Send security people into as many cross-functional events and meetings as possible to help them cross-pollinate and see the organization objectives in a new light.
Most importantly, do value stream mapping to help the security team see its work in the context of the business’s highest-level goals. The security people must be able to align themselves with the business mission, as well as the reasons for adopting DevOps practices.
Waterfall’s last stand
DevOps is rising rapidly to prominence because it works on both ends of the spectrum of software delivery; and by joining the disparate groups of development and operations, an overall better product gets delivered. For security teams, that means letting go of traditional workflow models that cluster a huge testing effort at the end of a monolithic release cycle or around compliance and audit cycles. Instead, Wickett says, testing efforts need to be more continuous, better automated, and supported with real-time monitoring and analysis.
To ease the transition, Wickett recommends that CISOs focus their efforts in two areas:
1. Inject better security testing inside your delivery pipeline. The key here is getting your security testing tools set up as automated tests and critical checkpoints along the way, so that security isn’t creating a bottleneck. "The old way of security testing code is a really long process," Wickett says. "Moving your security tests closer to where the code is being written is where the information security team can add real value to the DevOps movement."
2. Find ways to instrument, monitor, and respond in real time. Today, real-time data analysis can alert you to erratic or suspicious activity almost immediately. The expectation, for operations and security alike, is to be able to have insight into that activity, and isolate and respond to problems as needed. Information security, Wickett says, has been in a silo and slow to share across the organization.
"Right now, dev and ops have more dashboards, monitors, switches, levers, and knobs to know what is happening and make changes to the site in real time," he says. "Security needs to adopt instrumentation and monitoring that can be added into these dashboards and monitors, thus becoming more transparent in the organization." With the faster delivery cycles, you’re always releasing new code. A solid attack detection and monitoring strategy is key.
"More rapid testing cycles, combined with better real-time monitoring, will help you not just to keep up," he says: "You will add tremendous value to the business."
Just make sure the tooling reforms are preceded by business alignment and cultural acceptance of Agile. "Tooling is not going to help you if you have significant deficits in those areas," Wickett says.
Senior DevOps Engineer James Wickett is a proponent of Rugged DevOps—the joining of security and DevOps—and he founded the Gauntlt open source project to serve as a Rugged Testing Framework. Find him on Twitter @wickett.
HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.
Preparing today for tomorrow’s threats.
Introduction to Enterprise 20/20
What will a successful enterprise look like in the future?
Challenges and opportunities for the CIO of the future.
Dev Center 20/20
How will we organize development centers for the apps that will power our enterprises?
Welcome to a new reality of split-second decisions and marketing by the numbers.
IT Operations 20/20
How can you achieve the data center of the future?
What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.
Looking toward the era when everyone — and everything — is connected.
Data Center 20/20
The innovation and revenue engine of the enterprise.