How DevOps Helps Enhance Application Security


DevOps and agile fall into the same league. Most panelists at the RSA 2013 conference agree with this, which is why they say the techniques of the DevOps movement are designed to bring developers and IT operations into closer alignment for greater agility. The question is: with the deeper interconnection between development, deployment, and operations, how does that affect each layer of security?

We all understand how difficult it is for developers and operations teams to work hand in hand within a production environment. That is why the DevOps ring was created, where these so-called ‘natural enemies’ cooperate with each other in the march toward pushing production code live. This countercultural DevOps movement eliminates clashes between the two groups and implements faster, more bite-size code deploys at more frequent intervals, which in turn facilitates agile development.

When we talk about an agile IT environment where the volume and speed of deployments keep climbing, the security of applications becomes a matter of concern, and a worrisome one. But a panel at the RSA Conference recently showed how the agile shift could actually help security teams seeking to insert themselves into the development process for a more rugged enterprise application infrastructure.

“What I find so amazing about studying DevOps organizations is that they have a culture that embraces security,” said Nick Galbreath, vice president of engineering for IPONWEB. He described DevOps as a much more healthy way of developing code within an enterprise. “The great thing is that all of the tools that you use to enable security layers right on top of DevOps. Having these tools that developers in operations use together to make things to go faster is just a great way for you to get your [security] job done.”

Being a technical writer at an IT enterprise, and a DevOps advocate, I have hands-on experience working in a similar environment where developers, testers, and operations teams find it hard to collaborate and keep in sync with each other. But agile and DevOps practices help a lot – in automating things, testing sharply, and giving out foolproof releases.

In fact, DevOps encourages automated testing. RSA panelist David Mortman, chief security architect for enStratus, has a similar viewpoint:

“If you watch a lot of DevOps talks on the dev side, they talk about automating all of your unit tests and functional tests and integration tests,” he said. “So one of the things I’m doing is working with one of our engineers to add security unit tests and functional tests to the code they’re already writing. So that way, every time someone gets code properly committed, it gets tested for all of these things [and] if someone broke something or potentially broke something … you find out immediately.”

So, the idea behind this is that frequent but smaller code deployments greatly reduce the complexity within each deployment, leading to fewer security bugs and an outsized effect on security and stability. To sum it up, security isn’t just about penetration testing or watching a system that’s running: it’s about releasing secure code and feeling confident that it’s secure before release. Testing code BEFORE it’s set loose in the wild to detect things (like SQL injection, buffer overflows, uncaught exceptions, etc.) means fewer headaches for the information security teams later.
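To make the "security unit test" idea from Mortman's remarks and the SQL injection point above concrete, here is an added example that is not from the article, the panelists, or any of the companies named. It is a self-contained Python check of the kind that can run on every commit in a CI pipeline: a string-formatted query builder (the pattern that should fail the build) sits beside a parameterized one, and a single test function feeds both a few constructed injection probes against an in-memory SQLite table. The function and table names, and the probe strings, are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; any small table would do.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]

# Constructed probe strings: a lookup for these names must never return rows.
INJECTION_PROBES = [
    "' OR '1'='1",
    "' OR 1=1 --",
    "x' UNION SELECT name, role FROM users --",
]


def fresh_db():
    """Build an isolated in-memory database so each test run starts clean."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, name):
    """The 'before' pattern: the value is spliced into the SQL text."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The hardened pattern: the driver binds the value as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def passes_injection_check(lookup):
    """Security unit test: a lookup for a non-existent, hostile name must return no rows.

    A database parse error is treated as a pass (nothing leaked); any row coming
    back means the probe changed the meaning of the query and the check fails.
    """
    conn = fresh_db()
    for probe in INJECTION_PROBES:
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            continue
        if rows:
            return False
    return True


def run_security_tests():
    """Return a name -> pass/fail map, the shape a CI step would report on."""
    return {
        "find_user_vulnerable": passes_injection_check(find_user_vulnerable),
        "find_user_safe": passes_injection_check(find_user_safe),
    }


if __name__ == "__main__":
    # Prints: find_user_vulnerable False, find_user_safe True
    for name, ok in run_security_tests().items():
        print(name, ok)
```

Wired into the existing test suite, `passes_injection_check` fails the build the moment someone commits a query built by string formatting, which is exactly the "you find out immediately" feedback the panel describes; the probe list can grow as new patterns are learned without touching the application code.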