Research from the Gartner Group has demonstrated that nearly 75% of successful attacks against applications exploit vulnerabilities that are already well understood, and for which a patch or remediation recommendation is available. Some say that DevOps, by its very nature, makes software less secure. That's because DevOps teams work with agile methodologies, often in continuous deployment environments whose application security practices can quickly fall behind those of environments with fewer deployments.
It's suggested that DevOps Security suffers from an inherent weakness in these environments: the rapid pace of the work erodes the organization's cohesive communication structure. Each developer carries added responsibility for the quality of their own code, so it is up to them to ensure that the code meets the organization's application security policy. Unfortunately, not all developers are proficient in the intricacies of secure coding, and this can leave areas of the application vulnerable to attack.
DevOps becomes DevOps Security
DevOps teams don't exist in isolation from the organizations they serve. The rapid evolution of applications through agile methods is a huge gain when it comes to testing and rapid deployment of robust systems. So the question is not whether DevOps is inherently insecure, but rather how DevOps teams can integrate security into their development lifecycle.
DevOps Security really involves bringing security closer to the development of the application. It shouldn't be viewed as an optional extra or as a function for another team to provide. Instead, the ideal DevOps Security environment is one where information security is prioritized. It becomes an adaptive and ideally programmable function, so that from inception, applications and services are understood to need information security, and that requirement is part of the design and testing phases throughout the application's development.
DevOps Security and Continuous Application Deployment
Continuous application deployment environments are no different. If DevOps Security is part of application design, then it will also be part of the test design for the environment. That means that as an application is deployed, it should be tested. It may not be possible to test 100% of your code, but as with any test environment, a DevOps team can identify security priorities for testing. Coverage of high-risk areas should be 100%, while areas with a much lower risk of exploitation and/or minimal consequences in the event of a security breach may receive a lower priority.
Unit testing in particular allows security checks to be exercised on the fly, as the application is deployed. Security should be part of the strategy for integration and final system testing too. A security-oriented DevOps team is likely to focus on regular unit tests and occasional integration tests throughout the development cycle, and then use system testing to ensure that lower-risk areas are appropriately managed at the end of development.
There is no inherent weakness in DevOps as a theory or in practice; teams just need to ensure that appropriate precautions are taken to keep security in focus as part of development.
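The following is an added example of what "security as part of the unit-test strategy" can look like in practice; it is not code from the original article or from any Checkmarx product. Two small functions stand in for the high-risk areas of a hypothetical application (a path-joining helper for user-supplied file names and a database lookup), and a suite of adversarial unit tests encodes the security policy those areas must satisfy. The base directory, table layout and sample users are all constructed for the example; a CI/CD stage can gate deployment on the return value of run_security_suite().

```python
import sqlite3
import unittest
from pathlib import Path

# Constructed base directory for the example; it does not need to exist.
UPLOAD_ROOT = "/srv/app/uploads"


def safe_join(base_dir: str, user_path: str) -> str:
    """Join a user-supplied relative path onto base_dir, refusing anything that
    would resolve outside base_dir (a path traversal guard)."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    # Allowed only if the target is base_dir itself or sits somewhere below it.
    if target != base and base not in target.parents:
        raise ValueError("path escapes base directory")
    return str(target)


def find_user(conn: sqlite3.Connection, username: str):
    """Look up a user with a parameterised query so that the username can
    never alter the structure of the SQL statement."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchone()


class HighRiskSecurityTests(unittest.TestCase):
    """High-risk area: every adversarial case here must pass before deployment.
    Lower-risk areas can be covered by the occasional integration or system
    test instead of running on every build."""

    def setUp(self):
        # In-memory database with constructed sample rows.
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        self.conn.executemany("INSERT INTO users (name) VALUES (?)",
                              [("alice",), ("bob",)])

    def test_normal_path_is_allowed(self):
        self.assertTrue(safe_join(UPLOAD_ROOT, "docs/report.txt")
                        .startswith(UPLOAD_ROOT))

    def test_traversal_is_rejected(self):
        for attempt in ["../etc/passwd", "sub/../../escape", "/etc/passwd"]:
            with self.subTest(attempt=attempt):
                with self.assertRaises(ValueError):
                    safe_join(UPLOAD_ROOT, attempt)

    def test_lookup_returns_expected_row(self):
        self.assertEqual(find_user(self.conn, "alice"), (1, "alice"))

    def test_injection_payload_matches_nothing(self):
        # A classic tautology payload must be treated as a literal name.
        self.assertIsNone(find_user(self.conn, "alice' OR '1'='1"))
        self.assertIsNone(find_user(self.conn, "'; DROP TABLE users; --"))


def run_security_suite() -> bool:
    """Run the high-risk suite and report success; a pipeline stage can fail
    the deployment when this returns False."""
    suite = unittest.TestLoader().loadTestsFromTestCase(HighRiskSecurityTests)
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return result.wasSuccessful()


if __name__ == "__main__":
    raise SystemExit(0 if run_security_suite() else 1)
```

The tests are deliberately written against the behaviour the policy requires (reject traversal, treat input as data) rather than against implementation details, so they keep protecting the high-risk area even when the underlying code is refactored between deployments.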
Checkmarx's code scanner enhances the introduction of security into the DevOps methodology. It scans code before it has been compiled, so that security analysis is supported right from the start of the development lifecycle. Plugins are available for IntelliJ, Visual Studio and Eclipse, from which a developer can initiate a scan within the development environment. They then receive the results with any security vulnerabilities identified. These vulnerabilities are detailed by severity, allowing the developer to prioritize mitigation. The vulnerable code is flagged too, which allows a member of the DevOps team to identify the best fix locations and come up with the most effective remediation advice.
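To make the idea of pre-compile (source-level) analysis concrete, here is an added toy scanner written for this article; it is not Checkmarx's scanner, does not reproduce its rules or output, and is far simpler than a real static analysis engine. It parses Python source into an abstract syntax tree, matches call sites against a small rule table (constructed for the example), inspects call arguments where a plain name match is not enough, and reports each finding with its severity and line so that a developer can prioritise fixes. The sample source it scans is likewise constructed.

```python
import ast
from dataclasses import dataclass
from typing import List

# Constructed rule table: dotted callee name -> (severity, message).
RULES = {
    "eval": ("High", "eval() executes arbitrary expressions from its argument"),
    "exec": ("High", "exec() executes arbitrary code"),
    "pickle.loads": ("High", "unpickling untrusted data can execute arbitrary code"),
    "hashlib.md5": ("Low", "MD5 is not collision resistant; avoid it for integrity checks"),
    "random.random": ("Low", "random is not suitable for secrets; use the secrets module"),
}
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    severity: str
    line: int
    callee: str
    message: str


def _callee_name(node: ast.AST) -> str:
    """Render a call target such as pickle.loads or eval as a dotted name.
    Anything more complex (e.g. a call on a call result) renders as ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        prefix = _callee_name(node.value)
        return f"{prefix}.{node.attr}" if prefix else node.attr
    return ""


def _has_shell_true(call: ast.Call) -> bool:
    """True when the call literally passes shell=True as a keyword argument."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def scan_source(source: str) -> List[Finding]:
    """Scan one Python module's source text and return findings ordered by
    severity (High first) and then by line number."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node.func)
        if name in RULES:
            sev, msg = RULES[name]
            findings.append(Finding(sev, node.lineno, name, msg))
        # Argument-aware rule: any subprocess call with shell=True.
        elif name.startswith("subprocess.") and _has_shell_true(node):
            findings.append(Finding("High", node.lineno, name,
                                    "shell=True lets untrusted input become a command"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.line))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Plain-text report, one line per finding, for an IDE or CI log."""
    if not findings:
        return "no findings"
    return "\n".join(f"[{f.severity}] line {f.line}: {f.callee} - {f.message}"
                     for f in findings)


# Constructed sample module with three issues and one deliberately safe call.
SAMPLE_SOURCE = '''
import hashlib, pickle, subprocess

def load(blob):
    return pickle.loads(blob)

def run(cmd):
    subprocess.run(cmd, shell=True)

def digest(data):
    return hashlib.md5(data).hexdigest()

def safe(cmd):
    subprocess.run(["ls", "-l"])
'''

if __name__ == "__main__":
    print(format_report(scan_source(SAMPLE_SOURCE)))
```

The argument-aware subprocess rule is the part worth noticing: a scanner that only matched function names would either miss the shell=True case or flag the safe list-form call too, and it is exactly that kind of distinction that decides whether developers trust the severity ranking enough to act on it.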