This webinar was part of the Engineer Your DevOps Webinar Series, led by Coveros CEO Jeffery Payne and DevOps Practice Lead Rich Mills. The special guest was Glenn Buckholz, a Technical Lead on DevOps work at the Department of Homeland Security for Coveros. Glenn has worked with a wide range of federal and commercial customers implementing DevOps solutions and has been instrumental in the security aspects of DevOps. The recording may be watched here: https://attendee.gotowebinar.com/recording/518257370917328130

Refreshing the overall concept: what is DevOps and DevOps engineering?

We believe that DevOps is at the center of Agile delivery.  In order to get through short sprints of implementation you need to automate your build and test process.

The way we see it, DevOps is a must if you’re Agile. Even if you’re not Agile, there are ways in which DevOps can benefit you.

DevOps is a philosophy, a way to get people to communicate and to bridge the gap between development and operations; this includes the developers who are building, the testers who are testing, the security analysts who are analyzing and the business owners who need data to make decisions. It is less about the tools and processes; they just support the idea of communication and collaboration.

How do you integrate security into your DevOps solution?

Throughout the delivery pipeline, you set up mechanisms that gate quality in order to achieve a high level of confidence in the quality of the code and the application as a whole. Security is a key component of quality, so where does it integrate into this pipeline? As software is promoted into the next environment, how do we determine together whether it is ready to move on?

In the beginning, developers commit code to shared repositories on a continuous basis, with the goal of building and testing it so that only high-quality code is integrated into the master branch. During the build you can employ secure code scanning, role testing, and validation of inputs.

Unit testing can employ a technique called fuzzing, where you feed unexpected or malformed data to the application's various inputs to detect race conditions and other unhandled cases. You want to answer the question: am I effectively handling all the types of input that could be provided to my application? You also do role testing, checking how the authorization and access control systems allow certain roles to do certain things.

Security testing of the deployed application often takes place through your functional regression testing. You test the exceptional conditions: what can go wrong? And it is not just component-level security we are talking about; platforms need to be analyzed as well. With some lightweight penetration testing (scanning that runs in the background), proxies passively monitor traffic and alert you to potential security problems.

You can also evaluate the security of the open-source libraries you use, analyzing which versions of each component are in play to determine whether your code is susceptible to attacks through known weaknesses in those libraries.

Finally, once fully deployed into pre-production, you are doing penetration testing, privacy testing, examining your hosts, and determining security compliance. You are looking at sequence injection problems and defending against attacks anchored in the code.

Tips for Achieving Continuous Security

  • Avoid the “big bang” approach to security. Deal with small bugs as early as possible instead of only dealing with them late in the game.
  • There are a lot of free tools out there that are good at finding bugs and have some level of security checking built in. There are also security-focused static code analysis tools that you can pay for, such as Fortify.
  • Automated security testing helps you find security problems and detect risks as early as possible. This provides incremental improvement of the application's security, the security of the hosts, and the way everything is configured.
  • You want to fail the build: nothing moves forward until the security problems are fixed. This sets the posture for a truly secure approach.

Feedback is Key

The whole point is to get overlapping feedback loops, each with a different time scale and granularity. Structure your analysis for rapid feedback: run quick checks continuously and more comprehensive scans overnight or on the weekends.
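One way to put the "fail the build" tip and the overlapping feedback loops together is a small gate that runs after the scanners and decides whether the stage may proceed. The example below is added here and is not code from the webinar or from Coveros; the loop names ("commit", "nightly"), the severity thresholds, the scanner categories and the sample findings are all constructed for illustration.

```python
"""Constructed pipeline security gate (not code from the webinar or Coveros):
aggregated scanner findings are checked against a per-feedback-loop policy."""
import json
import sys
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def rank(severity):
    # Unknown severities get the highest rank so a malformed record fails closed.
    return SEVERITY_RANK.get(severity.lower(), max(SEVERITY_RANK.values()))

@dataclass(frozen=True)
class Finding:
    source: str    # which check produced it: "sast", "dependency" or "dast"
    severity: str
    title: str

# One policy per feedback loop (assumed names and thresholds): the commit loop
# runs only fast checks and blocks on high+; nightly adds DAST and blocks on medium+.
POLICIES = {
    "commit": {"sources": {"sast", "dependency"}, "block_at": "high"},
    "nightly": {"sources": {"sast", "dependency", "dast"}, "block_at": "medium"},
}

def load_findings(jsonl):
    """Parse one JSON object per line, as a scanner aggregator might emit."""
    return [Finding(**json.loads(line)) for line in jsonl.splitlines() if line.strip()]

def blocking_findings(findings, stage):
    policy = POLICIES[stage]
    return [f for f in findings if f.source in policy["sources"]
            and rank(f.severity) >= rank(policy["block_at"])]

def gate(findings, stage):
    """Return (passed, blocking); passed is False when the build must stop."""
    blocking = blocking_findings(findings, stage)
    return (not blocking, blocking)

# Constructed scanner output; the titles are illustrative, not real findings.
SAMPLE_JSONL = """
{"source": "sast", "severity": "high", "title": "Unvalidated input reaches a shell command"}
{"source": "dependency", "severity": "medium", "title": "Library version has a published advisory"}
{"source": "dast", "severity": "critical", "title": "Reflected input in error page"}
{"source": "sast", "severity": "low", "title": "Hard-coded temporary path"}
"""

if __name__ == "__main__":
    stage = sys.argv[1] if len(sys.argv) > 1 else "commit"
    passed, blocking = gate(load_findings(SAMPLE_JSONL), stage)
    print(f"[{stage}] blocking findings: {[f.title for f in blocking]}")
    sys.exit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```

Run it as `python gate.py commit` in the fast loop and `python gate.py nightly` in the scheduled one; the same findings fail or pass depending on which loop is asking, and an unrecognised severity is treated as blocking rather than ignored.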

By automating security testing in your DevOps solution, you learn early and often what risks actually exist in your application.

