Proponents say DevOps enhances security; naysayers contend it weakens it.
DevOps, which enables agile software development, is becoming an enterprise strategy that stands front and centre in organisations today. As the move to DevOps picks up the pace, information security executives often feel they are being pulled along reluctantly for the ride.
As more companies embrace DevOps principles to help developers and operations teams work together to improve software development and maintenance, those organisations also increasingly seek to embed security into their processes. Continuous automated testing improves application security. Increased visibility in operations improves network security.
Research firm Gartner estimates that DevOps is currently in place at about 25 percent of Global 2000 enterprises. The benefits they hope to reap from the move to DevOps include more agile and responsive development teams and faster time to market, because DevOps helps enterprises clear app clutter through increased use of automation, standardisation, and collaboration.
DevOps makes it easier for everyone involved to be transparent about what’s happening, why it’s happening, and what will happen next. That visibility is important for security teams, too, since security people don’t necessarily control network operations or the various systems.
The challenge for information security teams is ensuring that all of the best security practices and controls that they’ve been able to instill into their development methods follow along in the transformation.
Does DevOps help or hurt security?
“DevOps is an environment that is run by developers, who focus on app deployment and delivery, not security. The speed of rapid releases, automation, and continuous integration and deployment all make for less time to find security problems and vulnerabilities,” says William Udovich, regional director, CyberArk.
Specifically, the dynamic nature of the DevOps environment means new opportunities for privileged account proliferation, resulting in an extensive attack surface. Attackers recognise this and target the container ecosystem as part of the critical path to a successful cyber attack. In order to counter this, security needs to be built into existing DevOps processes, he adds.
Adrian Pickering, MENA regional head of Red Hat, believes there are four key principles to ensuring secure DevOps. “Configure the development, test and deployment environments identically. Perform all vital connectivity security reviews during the development process and make proactive changes to all three environments as needed. It is also important to make sure that only the IT security team can adjust network connectivity, VLAN and firewall,” he says.
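The three-environment rule above, as an added example that is neither Red Hat's nor the article's own code: it checks that development, test and deployment agree on connectivity settings, and that only the IT security team can change them. The key names, the sample configurations and the team roster are all constructed assumptions.

```python
"""Environment parity and change gating for connectivity settings (added example)."""
from typing import Dict, List, Tuple

# Settings only the IT security team may change. The article names the categories
# (network connectivity, VLAN, firewall); these key names are assumed.
SECURITY_OWNED_KEYS = {"firewall_rules", "vlan", "open_ports"}
SECURITY_TEAM = {"sec-alice", "sec-bob"}  # constructed sample roster

# Constructed sample configuration for the three environments.
ENVIRONMENTS: Dict[str, Dict[str, object]] = {
    "development": {"vlan": 120, "open_ports": [443], "firewall_rules": ["allow 10.0.0.0/8 -> 443"], "replicas": 1},
    "test":        {"vlan": 120, "open_ports": [443], "firewall_rules": ["allow 10.0.0.0/8 -> 443"], "replicas": 2},
    "deployment":  {"vlan": 120, "open_ports": [443, 22], "firewall_rules": ["allow 10.0.0.0/8 -> 443"], "replicas": 4},
}


def find_drift(envs: Dict[str, Dict[str, object]], keys=SECURITY_OWNED_KEYS) -> List[Tuple[str, Dict[str, object]]]:
    """Return (key, {env: value}) for every security-owned key whose value differs between environments.
    Non-security keys such as replica counts are allowed to differ and are not reported."""
    drift = []
    for key in sorted(keys):
        values = {name: cfg.get(key) for name, cfg in envs.items()}
        if len({repr(v) for v in values.values()}) > 1:
            drift.append((key, values))
    return drift


def review_change(author: str, before: Dict[str, object], after: Dict[str, object]) -> List[str]:
    """Reject a proposed configuration change that touches a security-owned key
    unless the author is on the IT security team. Returns a list of violations (empty if allowed)."""
    violations = []
    for key in sorted(SECURITY_OWNED_KEYS):
        if before.get(key) != after.get(key) and author not in SECURITY_TEAM:
            violations.append(f"{author} may not change '{key}'; only the IT security team can")
    return violations


if __name__ == "__main__":
    for key, values in find_drift(ENVIRONMENTS):
        print(f"drift in {key}: {values}")
    proposed = dict(ENVIRONMENTS["development"], vlan=130)
    for v in review_change("dev-carol", ENVIRONMENTS["development"], proposed):
        print("rejected:", v)
```

Running it flags the extra port 22 exposed only in deployment, and rejects the VLAN change because a developer, not a security team member, proposed it.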
There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can't keep up, and that too many of the metrics measured focus on production, availability, and compliance checkboxes, so that security falls by the wayside.
Early proponents of DevOps have always argued that when done right, DevOps can actually improve security.
“Security expertise can be included in the development process to increase the chance of releasing a more robust product. Security and regulatory compliance should be a central component of any organisation’s DevOps process/methodology to ensure potentially disastrous security breaches are mitigated from the outset. Companies do have the capability to integrate security expertise into their DevOps team without impacting overall speed of development. Doing so might just save them from major issues at a later stage,” says Pickering.
DevOps naysayers contend, however, that DevOps also risks automating the wrong processes, and that poor metrics move the organisation away from measuring actual security and compliance risks towards measuring only those risks and threats that are easy to measure, creating a false sense of security that is itself dangerous.
“DevOps is all about speed and computing efficiency, but most things come with a price and that price is new security challenges and new attack vectors for cyber-attackers and rogue insiders. Security must not get in the way of DevOps processes, as to do so would defeat the object, so any added-in security must be optimised for the lighter technology stack of containers and for the elasticity and scale needed to support modern DevOps environments,” says Udovich.
Do deepening adoption and broader deployment of container technologies (from the likes of Docker, CoreOS and others) threaten to escalate into the latest skirmish between operations, developers and information security?
“Unfortunately, many security teams do not know enough about containers and the related security implications. Security teams do need to be proactively educated so they can effectively support the adoption of new container technologies and devise strategies to mitigate their risks. Many IT security teams today are flying blind when it comes to understanding when, where, and how containerised apps are created and deployed within their organisation and consequently, the most current security practices need to evolve to keep up with an increasingly containerised, DevOps-centric world,” says Pickering.
Aqua CTO Amir Jerbi says nothing would make everyone involved happier than if security could be baked into containers as part of the way they are built, shipped and run. “This is also the best way of minimising friction between the motivations of DevOps and those of IT security. Since security teams are often unaware of the processes that culminate in containers running in production, it is important to involve them in the definition of workflows and facilitate a knowledge transfer, so as to ensure that they are in a position to provide guidelines as to appropriate controls and practices they require to meet security standards and pass compliance audits.”