DevOps is a hot topic and every enterprise is trying to implement it to stay relevant in the industry. When I was introduced to DevOps I was highly skeptical that it would work because we were talking about over 40 deployments in a day and with lead times that were about 200 times shorter. I was deeply concerned about the security and robustness of these builds being deployed as the only artifacts that supported this was from smaller companies and there was nothing to prove it worked in large enterprises. That was my jittery start with DevOps.
Then, the closer I got to DevOps, I felt there was nothing new as I grew up coding using XP and the practices that were in DevOps such as dark launching were just a part of the things I did during my XP days.
So, I had to dig deeper past the hype to see the value and calm my concerns about security. I pleasantly found excellent ideas and patterns that could add value to the way we can build robust, secure and risk-free systems. The one thing that got me to my first “aha” was the proven ability of systems to recover almost 150 times faster than normal.
We are going to explore some of the important things that we can and need to do to achieve these kinds of results by enhancing security and enforcing compliance all at the same time. Sound interesting?
Before we get into the need and details about DevSecOps let us quickly refresh the advantages of DevOps along with a few challenges.
The answer to all of the problems above lies in the magic of DevOps + Security or DevSecOps. I will explain some ways we have been able to solve these challenges by wiring security and compliance into DevOps.One of the most important things to start our journey into DevSecOps is to Shift Security Left. We need to introduce security earlier into planning, design, coding and into automated test cycles instead of doing it at the very end like we do today just before the release.
A great example for this is the popular story of DevOps at Etsy. Etsy’s security culture is built on top of its engineering culture and connects with the entire culture of the organization. The driving principles for this are:
Etsy’s security team also takes a number of steps to build relationships between security and engineering so that they blend into the overall culture of the company.
The next important thing to follow to ensure having security built in is to follow OWASP proactive controls which is a set of development practices, guidelines and techniques that we should follow to build secure applications. These practices help shift security left by injecting security into planning, design, coding and testing. When we start following these practices, we are in turn creating the process of making Security as Self-Service. We want the teams to be able to inject security seamlessly the same way we provide automation or virtualization. For example – At Twitter, security checks are run automatically every time a developer makes a change. They use tools like Brakeman to the check the code for security vulnerabilities and provide feedback directly to the developer if something is found. Developers also have a “bullshit” button to reject false positive findings.
Another key to DevSecOps is Infrastructure as Code - managing infrastructure configuration in code using tools like Ansible, Chef, Puppet, and Salt. This speeds up and simplifies provisioning and configuring systems, especially at scale. It also helps to ensure consistency between systems and between test and production, standardizing configurations and minimizing configuration drift, and reduces the chance of an attacker finding and exploiting a one-off mistake. Security teams can also use Infrastructure as Code to program security policies directly into configuration, continuously audit and enforce policies at runtime, and to patch vulnerabilities quickly and safely. A good example for this is a service called UpGuard.
The bottom line is to continuously build security and compliance into the code while building the CI/CD so that when you are ready, security or compliance is not going to a stage gate to stop the flow. In the organizations that I have been engaged with, moving to DevSecOps always starts with DevOps and continues as a journey making small changes along the way. It requires new skills, open thinking, new tools, and a set of new priorities. So, start small but start soon! Be safe!