The intersection of DevOps and application security

Source – csoonline.com

I’m sure you’ve seen the DevOps concept in development today. It focuses on bringing stability and reliability to corporate infrastructures and clouds. For example, many corporations have firewalls that protect the corporate infrastructure. DevOps would have any change to the firewall policy be versioned within a source code control system. This versioning is great because it enables a rollback to a stable version of the policy when a change goes awry. That improves reliability.

Imagine DevOps being deployed on all important systems in the data center and you’ll see how DevOps revolutionizes reliability and integrity. There is no guessing in what once worked. A run book can keep instructions on how to retrieve earlier versions of device policies via the use of DevOps scripts.

DevOps includes source code control of the software applications that execute in the data center. There is a need of snapshots of all the applications’ source code and infrastructure policies that need to be coordinated together. It is not enough to just have a stable application. For example an application may need to have firewall policies changed so that an application can talk to other applications within the data center or web. So in this case the firewall policy changes and the software code changes need to be tracked together. The software is dependent on the firewall changes to work correctly. This also means that they can be rolled back together if necessary.

There is also a need for what I call ‘live/dead’ analysis. Some even seemingly small changes need to be simulated so that one can determine the future state of the entire data center or cloud. This simulation protects against human error and errors in configuration. The cost for errors is becoming higher and higher as time goes on.  Live/dead analysis is what Distributed Management Systems (manages city sized electrical power grids) do when they activate certain segments of the grid. An error in activating the wrong part of the grid can bring down more of the network because the electricity flow is looped inappropriately; that is why simulation is so important.

Versioning well also makes continuous integration possible. Developers can quickly develop new code and test it quickly in different development environments such as development, test, stage, and production. Developers iterate and test software quickly which hopefully leads to quicker application completion. Agile development speeds up design, creation, and deployment of software.

Besides reliability there are other DevOps software tools related to secure software.  There are software development tools that analyze software source code to determine if there are security weaknesses in the software. The compiler like tool has recommendations for changes and its library of potential findings is updated periodically. The tool should be used for every update of the software to find vulnerabilities.

Another tool is a web crawling application that interrogates web-based applications to determine if they have any OWASP (Open Web Application Security Project) vulnerabilities. It also gives suggestions on how the software should be changed to protect against those vulnerabilities. This tool should be used before every planned release of the web based application code so that weaknesses can be addressed before the application goes into production.

The use of these two types of security tools will improve and address many of the potential vulnerabilities associated with new web-based applications. They need to be used within the DevOps domains.

In summary, DevOps practices improve reliability of software running in the cloud and in the data center. It does this by versioning the software and infrastructure equipment policies. It enables rollback of application software versions along with the infrastructure that serves those applications at that moment in time. This returns the application and infrastructure to a known stable state. Also security tools assessing the security of application software and web-based URLs should be deployed in the DevOps process. Changes can be completed during the next release of the software along with any needed infrastructure changes.

Leave a Reply