Secure DevOps lengthens IT ops to-do list

Source – techtarget.com

Secure DevOps is a recent trend that has primarily involved collaboration between application developers and security experts so far — the IT ops role in the new collaboration between app developers and security pros hasn’t been fleshed out yet. But as developers and security professionals “shift security left” in the app delivery process, IT ops will need to respond accordingly, and preferably proactively.

IT pros must collaborate with the security team as well as application developers. Following high-profile security breaches, such as the one that targeted credit bureau Equifax earlier this year and potentially exposed the sensitive financial data of 143 million Americans to hackers, businesses will increase pressure on all of IT to keep their companies out of the headlines.

“Every part of the organization should be thinking about security right now,” said Stephen Sadowski, director and senior architect of core engineering for ICF Olson, a digital services subsidiary of US government contractor ICF, based in Fairfax, VA. “The task for ops is to see security as a problem they need to help solve.”

Secure DevOps and the need for speed

IT security has a reputation as an out-of-touch organization in an ivory tower that occasionally issues policy edicts that developers and ops must apply to the IT environment, Sadowski said. Developers and security have begun to change that relationship, and ops should follow suit.

To do this, ops may need to gain a seat at the table where developers and security pros have already begun a conversation.

Ops must incorporate application security into their thought process and they won’t necessarily receive a formal invitation to do so, said Jack Fraker, an application security specialist for an insurance company on the East Coast he declined to identify. He took the initiative to work with his company’s developers — there was no mandate from upper management to do so.

“Your resume has to read differently now,” Fraker said. “You can’t be a specialist in just one thing.”

At ICF Olson, IT ops takes new approaches to infrastructure management to heighten its collaboration with security as well as development, Sadowski said. The team uses Terraform and Chef infrastructure as code tools that can be tested and reviewed alongside application code, as well as Chef InSpec to check whether server configurations match security policies within the organization.

“We’re continuing to increase the conversation between security and the other parts of the organization,” Sadowski said, and it’s increasingly a two-way conversation in which security offers more guidance on how to implement policies.

Secure DevOps means new infrastructure monitoring tools, tactics

Organizational changes are challenging enough, but IT ops pros must also adapt day-to-day tactics with infrastructure design and monitoring to keep up with secure DevOps long-term.

There’s at least one silver lining here for IT ops. This requirement might not mean there will be all-new tools to learn from scratch. Rather, there are new approaches to infrastructure security and monitoring that use the tools already familiar to IT ops pros.

At Fraker’s company, security operations applies existing IT monitoring tools to detect security risks in IT architecture design and configuration, as it also monitors for malicious behavior on the network. He hopes that network operations and sysadmins will add their expertise about IT infrastructure best practices to that soon.

“Security operations has upgraded some of its monitoring tools a bit, but they already had a good toolset,” Fraker said. “It’s more about how they’ve changed their procedures around using it.”

There’s still room for improvement with infrastructure monitoring tools for risk management purposes, said Kevin Greene, a program manager in the cyber security division of the US Department of Homeland Security, following his keynote speech at the DevSecCon event here this week.

The Department of Homeland Security has spearheaded the Static Tool Analysis Modernization Project (STAMP) to provide a framework that analyzes security tools’ strengths and weaknesses and forms a plan to modernize them.

There are many vendors in IT security monitoring today, but Greene hasn’t seen the advanced capabilities needed to deal with emerging threats, he said. That includes threat modeling that anticipates potential attacks on infrastructure vulnerabilities, to supplement static analysis tools and make IT security more proactive. To that end, Homeland Security also established the Application Security Threat Attack Modeling (ASTAM) program, which has tapped vendor Secure Decisions to lead development of an open-source tool to strengthen IT defenses against web app attacks.

Meanwhile, IT ops people must align monitoring solutions to DevOps, which is changing infrastructure faster and faster, Greene said. “Ops needs a grasp on those changes so they know what to monitor,” he said.