Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/10/2018
10:30 AM
John B. Dickson
John B. Dickson
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

DevOps Demystified: A Primer for Security Practitioners

Key starting points for those still struggling to understand the concept.

Back when I was burning up the ISSA and ISACA speaking circuit, I passed out a quiz before each presentation. The quiz focused on application development terms that an entry-level software developer could easily answer, such as, "what's a software library?" and "what's an IDE?" As I spoke, I'd have a colleague grade the quizzes, and at the end we would announce the results. As you might imagine, my security brethren almost always failed the quiz — most would get three or four questions correct. That's 40%, or, in most classroom settings, an "F."

I'll willingly admit this was an unfair stunt because I knew what the results would be before I handed out the quiz; my point was not entirely to quiz-shame my security colleagues, most of whom did not have development backgrounds. Rather, I wanted to illustrate that without a basic understanding of software development terms, they would be hard pressed to have a meaningful discussion with their software development leadership on the topic of application security.

Today, I worry that security professionals have a similar knowledge gap and struggle to grasp the profound differences that DevOps influence is having on how we build and deploy code in key settings, such as medical device design, digital banking services, and software solutions for oil and gas exploration. I fear that this knowledge gap will cause some to miss a historic opportunity to include consistent security checks and controls in a deployment pipeline where security has been left to the 11th hour, or worse, a total afterthought.

This article is meant to demystify DevOps for security professionals, some who nobly have come to better understand application security terms, and now struggle to understand DevOps and its technology stack. Below you will find key starting points:

1. Recognize the opportunity that DevOps represents. Part of the reason that DevOps has quickly made the transition from obscurity to buzzword is that its positive effect on security has spread like wildfire across industry. Given standardized development "pipelines," the incorporation of DevOps affords the opportunity to "bake in" standard OS and server builds and run application vulnerability scanners as part of software deployment process. No longer do you have to run 11th-hour scans or worry about whether or not the last build introduced a nasty SQL injection that could put your entire web presence at risk. By getting the security team involved earlier in the application development process, the opportunity to strengthen software security becomes tangible.

2. Recognize the trade-off between speed and thoroughness in CI/CD pipelines. The upside of DevOps is building your security testing and baseline configurations into a pipeline. The downside is a smaller testing window to find vulnerabilities. You will have to negotiate with your DevOps pipeline owners to define the window of opportunity for vulnerability scanning — don't expect to be able to conduct a deep scan of the source code in a pipeline.

3. Understand the tool chain. The technology stack in the DevOps world will be foreign to you. It's likely that many, if not all, of the vendors will not be familiar to you. And more than likely you won't find them on the expo floor at RSA or BlackHat. That's OK. Work with your DevOps teams to learn where the vendors fit in the tool chain and where you can add security checks or recommend configurations. When considering release orchestration, testing, security, and application performance monitoring, odds are they will guide you to names like GitHub, Spinnaker, Chef, or Puppet.

4. Become a risk consultant to DevOps leaders. One trend that we are seeing across our enterprise client base is that security leaders are shifting to become risk advisers to the dev teams and DevOps pipeline managers. No longer does the security team wield an audit hammer or maintain the last sign-off before an application goes into production. These teams are no longer responsible for breaking the build for security purposes for arcane or hard-to-understand vulnerabilities. Today, development and DevOps pipeline managers want to release code in a secure fashion and need the security team's advice on what's risky and what isn't.

The door is wide open for security leaders to get on board with DevOps, which, along with the cloud, and even microservices, represents a major shift in how infrastructure and code are deployed. The savvy and sophisticated security leader will take advantage of this shift and capitalize by building security activities into the production pipeline. Leaders will also understand what security limitations DevOps presents and adjust accordingly.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9079
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.