VERACODE EBOOK 5 FIVE PRINCIPLES FOR. Securing DevOps

Similar documents
A DIVISION OF. DevOps Automation. Service Catalogue

Introduction. Your Software: Faster. Stronger. Better.

Seamless Application Security: Security at the Speed of DevOps

Enterprise DevOps with Plutora

Leading a Successful DevOps Transition Lessons from the Trenches. Randy Shoup Consulting CTO

The Need for Speed: AppSec in a DevOps World John B. Dickson, CISSP

Five DevOps CM Practices

July Business Transformation: Ness Technology Makes DevOps and Continuous Integration Reality with DevTestOps Center of Excellence

INTEGRATING SECURITY WITH DEVOPS TOOLCHAINS

The Challenge: Balancing Change and Control of Continuous Delivery at Scale

HP Software EMEA Performance Tour Zurich, Switzerland September 18

Measuring DevOps Success

On various testing topics: Integration, large systems, shifting to left, current test ideas, DevOps

DevOps Guide: How to Use APM to Enhance Performance Testing

SMART AUTOMATION: ALLOWING THE MODERN ENTERPRISE TO SURVIVE AND THRIVE

Integrating Configuration Management Into Your Release Automation Strategy

Building a DevOps Culture MTUG IT Summit and Tradeshow, June 2 nd 2016

Conclusion.

GDPR COMPLIANCE: HOW AUTOMATION CAN HELP

Pivotal Ready Architecture by Dell EMC

The Agile Cultural Shift: Why Agile Isn t Always Agile

Red Hat Open Shift Container Platform

Succeeding in the Journey to Agile and DevOps

Capgemini Cloud Platform. Migrate, operate, and innovate every aspect of your business in the cloud

Enable your Agile Team with Continuous Delivery Pipelines

1. Balance Tech Debt. 2. Automate Security. 3. Provide Self-Service Resources. 4. Implement Success Metrics. 5. Automate Continuous Delivery

The Optanix Platform. Service Predictability. Delivered. Optanix Platform Overview. Overview. 95% 91% proactive incidents first-time fix rate

Achieving Balance: The New Pivotal Points of Software Development

DevOps. Bringing agility all the way up to Production

Application Lifecycle Management (ALM) Octane

Intelligence, Automation, and Control for Enterprise DevOps

DevOps Journey. adoption after organizational and process changes. Some of the key aspects to be considered are:

What is Continuous Integration. And how do I get there

Evolving Team Structure in DevOps

What is ITIL 4. Contents

Introducing the Next Generation of ALM March 22, Copyright 2016 Vivit Worldwide

Bitnami Stacksmith. What is Stacksmith?

DevOps architecture overview

Operations as a Service with Rundeck

CONTINUOUS DELIVERY EBOOK SERIES: Chapter 1. Four Critical Software Delivery Challenges in the Application Economy

DevOps Institute 1. DevOps Institute

Why, What, and How of Continuous Delivery

8 th LARGEST COMMERCIAL INSURER

SESSION 109 Wednesday, April 13, 10:15am - 11:15am Track: Team Dynamics. DevOps: What's the Impact on the Support Team? Session Description

CONTINUOUS INTEGRATION & CONTINUOUS DELIVERY

JOURNEY TO AS A SERVICE

Release Manager. Product Features.

Onward and Upward. Three Ways Application Release Automation Can Give Lift to Your Continuous Delivery Journey

MIGRATION TO RED HAT JBOSS MIDDLEWARE: EASY, PREDICTABLE, PROVEN

Maintenance is Dead! A path to a New Paradigm

Making the most of your SRE Toolbox

DASA DEVOPS FUNDAMENTALS. Syllabus

7 reasons why your business should invest in container technology

Accenture Architecture Services. DevOps: Delivering at the speed of today s business

DevOps. Deploy. Code Plan. Release. Operate. Build CI. Monitor. Identify

An End-to-End Platform for Global DevOps

Five-Star End-User Experiences Require Unified Digital Experience Management

Microservices: Embracing the Unix mantra Do one thing and do it well

Using static code analysis for Agile software development

BMC point of view. The Future of Service Management

Split Primer. split.io/primer. Who is Split?

Dell IT Proven: Cloud Native Applications at Your Service

Agile Integration Is Critical To Successful Digital Transformation

Welcome. Introduction to DevOps for Non-Engineers. Chris Knotts Techtown Training and Enterprise Learning (ASPE, Inc.)

7 STEPS TO IMPROVING IT RELEVANCE. Close the Gulf Between IT and Business Users

EMBRACING DIGITAL DISRUPTION BY ADOPTING DEVOPS PRACTICES

to make DevOps a success

Inspire. Solution Overview. for solutions development

How do I simplify, accelerate and scale application testing in my Microsoft Azure development environments?

Application Performance Management

Social Networking Advisory Services

Richard Seroter Integration MVP. Moving to Cloud-Native Integration

DevOps. Changing the way you deliver software

The Fast (Developer) and the Furious (Ops Team)

David Linthicum, Managing Director, Chief Cloud Strategy Officer, Deloitte Consulting LLP

Microsoft FastTrack For Azure Service Level Description

Cloud Security at Scale via DevSecOps

Agile Transformation Key Considerations for success

IT Lightspeed Pioneer featuring ING Bank Australia. Aron Campbell Manager Cloud Infrastructure & Platforms ING Bank Australia

The big picture. Culture, Processes and Technologies on a high level

Our DevOps Approach 35%

DEVELOPING APPLICATIONS USING MICROSERVICES AND MICROSOFT AZURE SERVICE FABRIC 1

BMC - Business Service Management Platform

Embedding Performance Engineering into the CI/CD Pipeline

Why Machine Learning for Enterprise IT Operations

Changing IT Delivery with DevOps and Microservices. Andreas Lennevi

How to Choose an Enterprise Agile Platform


Transforming large scale Software portfolio with Containers and Microservices at the speed of DevOps

Microsoft moves IT infrastructure management to the cloud with Azure

Reengineering your core processes and service layer A critical digital ecosystem enabler

Customer Challenges SOLUTION BENEFITS

Introduction to DevOps

Akana, All Rights Reserved Contact Us Privacy Policy. Microservices: What, Why and How

Making Data-Driven Decisions for Better DevOps Outcomes

Understanding the Business Value of Docker Enterprise Edition

Today s businesses are complex organizations that must be agile across highly competitive global Agile Software Framework (DevOps):

SAN DIEGO Oct BREAKOUT SESSIONS

THETARAY ANOMALY DETECTION

Hybrid Container Orchestration for a UK based Insurance Solutions Software Provider Company ATTENTION. ALWAYS.

Transcription:

VERACODE EBOOK 5 FIVE PRINCIPLES FOR Securing DevOps

INTRODUCTION DevOps, a new organizational and cultural way of organizing development and IT operations work, and its sister technologies, continuous integration and continuous deployment (CI/CD), have transformed the way we create software. In fact, there are sound business reasons for executives to embrace these changes. And there is widespread evidence that DevOps practices, despite their substantial organizational, cultural and technological requirements, are spreading rapidly. A recent study shows that firms with high-performing IT organizations are twice as likely to exceed their profitability, market share and productivity goals. Forsgren, N., J. Humble (2016). DevOps: Profiles in ITSM Performance and Contributing Factors. In the Proceedings of the Western Decision Sciences Institute (WDSI) 2016, Las Vegas, NV. Available at SSRN: ssrn.com/abstract=2681906 2

Further, specific disciplines of continuous delivery, including test and deployment automation, trunk-based development, continuous integration and version control of app and system configuration, all lead directly to higher levels of IT performance and, therefore, to higher levels of organization performance. But reaping these gains requires rethinking application security. To secure DevOps, it is critical to understand how DevOps and CI/CD are different from Agile development and how this difference changes the requirements for application security solutions. It is also important to recognize that, as CI/CD in particular continue to evolve, so do the requirements for application security. THIS PAPER Provides background on the evolution of DevOps. Proposes five principles that solutions seeking to integrate application security into DevOps and CI/CD must address. 3

DevOps Evolution and Revolution DevOps seeks to enable software development teams to more consistently hit or exceed their goals for on-time delivery of high-quality software that meets the needs of the business. It does this by removing organizational barriers between Agile development teams and non-agile supporting processes. Many Agile software projects have succeeded in improving their quality practices only to face the reality of failed deployments when unanticipated operational requirements resulted in software that did not meet the needs of availability, scalability or manageability. By integrating activities and organizations like operations earlier into the development process, DevOps seeks to expose the development team to these potentially surprising or disruptive requirements early so that the team can plan for and address them ahead of time. The process of bringing other teams, in particular operations, into the development process began as a revolt against heavyweight and highly manual operations practices that were seen as slowing development down. 4

DevOps thought leader Gene Kim has stated that DevOps practices explicitly seek to align the potentially at-odds goals of make changes quickly (development) and keep everything stable (IT operations) by bringing the teams together and giving them shared responsibility for software delivery and operation. This organizational alignment supports all the other activities of DevOps. DEVELOPMENT TEAMS Make changes quickly COMMON GOAL In this way, DevOps is a natural evolution of Agile software development and its culture of retrospectives, do better and clearing blockages to getting work done. But the specific manifestations of this cultural and organizational change have been revolutionary for how software is built, beginning with how and how frequently it is delivered to market. FOR INSTANCE, DEVOPS: 1. Embraces an existing software development trend, continuous integration, and its transformation into continuous deployment. 2. Implements insights from traditional manufacturing quality control processes to the software development process. IT OPERATION TEAMS Keep everything stable 5

If DevOps includes cultural, organizational and technological components, continuous integration and continuous delivery, or CI/CD, is the technological foundation on which DevOps builds its practices. CI/CD seeks to automate much of the routine work of transforming code changes into working software, including delivering tested code into production. From its roots in build servers like Hudson, Jenkins and Microsoft Team Foundation Server, CI/CD has become a collection of technologies and practices that supports the integrated mission of releasing new code changes while keeping things stable. Technologies that allow DevOps organizations to move faster include: AUTOMATED BUILD AND VERIFICATION OF CODE CHANGES UNIT TESTS MICROSERVICES CONTAINERIZATION TRUNK-BASED DEVELOPMENT FEATURE TOGGLES OPERATIONAL MONITORING 6

Shifting Security Left Drives New Requirements for AppSec Considering the goals of CI/CD helps us identify the following five principles for securing DevOps: 1. Automate Security In Like operations, security s goals of minimizing enterprise risk sometimes seem to be at odds with development s mandate for change. In reality, there is a middle path that can allow development to deliver more secure code at DevOps speed, but it requires security to adapt to the principles that have proven successful for DevOps. 2. 3. 4. Integrate to Fail Quickly No False Alarms Build Security Champions 5. Keep Operational Visibility 7

PRINCIPLE ONE Automate Security In Automated invocation of security testing requires a comprehensive API to initiate, control and return results from software testing, and should include productized support for common tools of development teams. 1 API 8

PRINCIPLE TWO Integrate to Fail Quickly 2 Integrating security into the CI/CD pipeline ensures that security testing happens with every release, and avoids the problem of leaving application security entirely in the hands of the developer or as a step late in the process. There are several ways to address this requirement, for instance: Scan small units of code so that results can be returned within the latency tolerance of the existing process in the pipeline. Allow the pipeline to kick off tests and feed the results into the backlog of the development team outside of the pipeline, essentially conducting the full application test in parallel. Regardless of how you integrate static testing into the pipeline, full application testing is still necessary: security issues may be introduced into the code that can only be found via a full program analysis. You can conduct full application tests outside the scope of the pipeline, or only on builds that make it to a certain stage of release candidate qualification. In addition, you don t need to stop at integrating with the pipeline. The best way to catch software defects quickly is to introduce tests that run as close to the developer as possible for example, with quick-running tests triggered on check-in or even as pre-check-in gates. You can also allow developers to quickly test from the IDE. 9

PRINCIPLE THREE No False Alarms As the industry has learned, a technology that reports too many false positives will be ignored and will fail to be adopted. This is doubly true in CI/CD, where a failed security test may stop a critical business function from being delivered to production or a critical patch from being released. That may be tolerable if the security issue is real, but is completely intolerable if the finding is a false positive. 3 PRINCIPLE FOUR Build Security Champions Most developers are not trained in the practices of secure coding. But doing so gives the security team a force multiplier and reduces culture conflict by embedding application security knowledge directly in the team. 4 10

PRINCIPLE FIVE Keep Operational Visibility 5 Application security cannot stop after deployment. As with other aspects of DevOps, a well-engineered solution must support closed loop feedback from production in the event of a security incident. There are several scenarios in which operational visibility into application security is particularly important. 1 2 3 TO ENABLE THE TEAM TO DEPLOY FASTER. The business may choose to trade full application security testing for faster deployment and, therefore, rely on the ability to test after deployment and quickly update if an issue is found. TO CATCH EXCEPTIONS. There will be cases when an application gets to production without going through the automated pipeline, or when a misconfiguration results in a vulnerable application. These cases make discovery and testing of web applications in production critical. TO DETECT AND PROTECT AGAINST AN ATTACK. Operations needs visibility into potential security issues in deployed software so that they can drive a quick response. 11

Having the Conversation Questions to Ask When Integrating Security Into DevOps Many organizations are at the earliest stages of considering how to integrate security into their DevOps practices. The following questions will help you think about how to design an integrated solution for securing the CI/CD pipeline: 1 Have you rearchitected your applications for microservices, or is that work still in progress? 4 2 3 Which of your applications will pass through a CI/CD pipeline? Microservicebased? Monoliths? In what languages? What tolerance do you have for false alarms (FPs) from an application security capability that is integrated into your DevOps practices? 5 6 Are you practicing trunkbased development, or do you still practice release and feature branching? How do you plan to monitor your operational applications for security attacks? How do you plan to bring security expertise into the DevOps team? 12

CONCLUSION The process and technical requirements for integrating security with DevOps practices and CI/CD technology are challenging for any application security technology to meet. By embracing DevOps principles and looking beyond the pipeline to organizational and production capabilities, you greatly increase the chances of successfully integrating security with DevOps. DEV OPS 13

Veracode s cloud-based service and systematic approach deliver a simpler and more scalable solution for reducing global application-layer risk across web, mobile and third-party applications. Recognized as a Gartner Magic Quadrant Leader since 2010, Veracode secures hundreds of the world s largest global enterprises, including 3 of the top 4 banks in the Fortune 100 and 20+ of Forbes 100 Most Valuable Brands. LEARN MORE AT WWW.VERACODE.COM, ON THE VERACODE BLOG, AND ON TWITTER.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback