Exploring The Rugged Frontier of DevOps – Security

January 12, 2017

Here are three best practices for DevOps security.

Security is one of the most important attributes of modern systems. But as we can tell from the news, security is often implemented as an afterthought. 

In many organizations it’s made the responsibility of a team outside the system administration and development teams, and has to try to influence those other teams to come up with a secure result.

In the LinkedIn Learning course DevOps Fundamentals I taught with James Wickett, we explore the benefits that a DevOps approach has to information security. And it starts by following the Rugged Software initiative. 

The Rugged Software initiative was started in 2010 by infosec luminaries Joshua Corman, research director for the enterprise security practice at The 451 Group, Jeff Williams, OWASP and David Rice, author of Geekonomics. 

The Rugged Manifesto reads, in part:

    “I am rugged and, more importantly, my code is rugged.
    I recognize that software has become a foundation of our modern world.
    I recognize the awesome responsibility that comes with this foundational role.
    I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

    I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.

    I recognize these things – and I choose to be rugged.”

This re-focusing on the security awareness of the individual practitioner made for a high degree of alignment with the emerging DevOps movement. Under the labels Rugged, DevSecOps, DevOpsSec and similar titles, the DevOps world has begun work on how to use a more agile approach to solve the tenacious security issues faced by our systems and applications. 

The shortcomings of traditional InfoSec approaches – separate significantly understaffed teams trying to solve others’ problems in isolation – mimics in many ways the issues faced by operations teams pre-DevOps.

Some of the most effective DevOps techniques to use to improve InfoSec are:

  • Infrastructure as Code: Where systems are not manually provisioned, but automatically from recipes in source code, provides extremely auditable systems. Those blueprints can be verified by compliance auditors and easily reviewed for security best practices.
  • Security Testing In Your CI Pipeline: Tools have been developed to regression test your application’s security with every build, not just every once in a while.  Security then benefits in exactly the same way that quality does from small batch builds that can pinpoint the root cause of new failures so they can be fixed immediately.
  • Teamwork: Completely separate dev and ops teams have proven to be an antipattern. Similarly, security groups have discovered how to recruit security champions in product groups, make “security buddies” to act as liaisons to a central security team and surface security metrics so that success is a “we” activity not a “they” activity.

The DevOps Audit Defense Toolkit is a great resource to use to make yourself compliance-ready with DevOps!

Want to learn more about DevOps? Check our Mueller’s and Wickett’s LinkedIn Learning course, DevOps Fundamentals.