International DevOps Certification Academy™
How Do You Ensure Your DevOps Information Security?


In most organizations, information security concerns are one of the most frequent objections against DevOps adoption. And yet, the DevOps methodology is one of the best techniques to deliver the world’s most secure systems.

In many organizations, perhaps in yours too, the ratio of information security specialists to the entire software engineering team is 1:100. In other words, in a software engineering team of 100 people you usually find only one information security specialist. This results in long lead times to get software security related problems resolved, delays in software deliveries and, even worse, a sub-optimal level of information security for your clients.

If you have learnt one thing from your software delivery experience, it must be that showstoppers at the end of projects are bad, but showstoppers related to security issues are even worse. Therefore, every member of your DevOps team should embrace information security as part of daily engineering work, rather than as a checkbox ticked (or unticked) at the end of your projects.


Involve Information Security Specialists In Early Stages Of Software Engineering Process

In order to ensure that an information security issue does not become a showstopper and bottleneck just before your software deployment, involve information security specialists in the early stages of your software engineering process. Invite them to demonstrations, early planning and review sessions, so they get a feeling for the business your software supports. In this way they can better judge potential information security risks and issues, and support your DevOps team in defining the information security and compliance goals that must be handled during the course of your software engineering process.


Information Security Is Part Of Daily Work

You and your DevOps team need to track security features as well as security incidents with your standard task planning and incident management tools, instead of dumping them into compliance management tools that your DevOps team doesn’t pay much attention to. Whenever there is an information security related issue in your software architecture, design or running systems, educate your DevOps team about it. Make them comprehend the root causes of these problems and how they should think about and approach similar situations in the future, so as not to recreate the same issue.

In terms of information security, the tactical approach of your DevOps team is:

  • To prevent security mistakes from being repeated.
  • To integrate security objectives into project goals, planning and tracking tools.
  • To make security tests part of automated tests in your deployment pipeline.
  • To define reusable self-service tools and software libraries which combine the information security best practices of your organization, after a comprehensive information security analysis of particular product and service features from all angles.
  • To educate and trust DevOps Developers and DevOps Operations Engineers whose core competences are not necessarily in information security.

Build Secure Libraries, Procedures, Blueprints, Architectures and Designs for Your Software

By building such reusable assets, your DevOps team should standardize the information security aspects of your software in various critical dimensions such as:

  • Communication and data transfer between clients and software.
  • Data storage.
  • Secure environments.
  • Operating systems, databases and configurations of 3rd-party tools, components and other interfaces, to avoid vulnerabilities.
  • Password storage.
  • Handling of forgotten passwords.
  • Handling the logging of sensitive client information.
  • Avoiding cross-site scripting (XSS).
  • Avoiding SQL injection.
  • Other information security vulnerabilities specific to your business and legislation ecosystem your business operates in.

Recommended Techniques for Information Security With DevOps Methodology
  • Static Analysis: Code analysis to identify backdoors and security vulnerabilities.
  • Dynamic Analysis: Backdoor and vulnerability analysis while the system is running. Continuous monitoring and analysis of CPU, RAM, Network I/O and Disk I/O operations in non-production as well as in production environments.
  • Dependency Analysis: Static and dynamic analysis of external tools and dependencies whose source code you cannot control. When your organization uses third-party tools, libraries or services, you also inherit their information security issues. Don’t forget to review the open security incidents of third-party components and the vendor’s track record of how quickly they rectify such issues.
  • Security For Source Code Access: Your DevOps team should use a Public Key Infrastructure in which everyone possesses one public and one private key. In this way, all check-ins/check-outs and reads from your code repository are authorized and monitored, and all changes are signed by their respective authors.
  • Integrate Security Monitoring (Telemetry) in Your Environments: Check system usage details to identify security breaches. These breaches are usually indicated by an excessive number of certain critical user-generated events, such as failed log-in attempts, password recovery requests, purchase transactions from the same user with various different credit cards, and so on.
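As an added illustration of the telemetry point above (example code written for this edit, not part of the original chapter): a small detector that runs over constructed sample events and flags the three patterns named, repeated failed log-ins, bursts of password-recovery requests, and purchases by one user with several different cards. The event format, the thresholds and the five-minute window are assumptions to be tuned to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real log data): one event per line.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01 login_failed user=alice
2024-03-01T10:00:03 login_failed user=alice
2024-03-01T10:00:04 login_failed user=alice
2024-03-01T10:00:06 login_failed user=alice
2024-03-01T10:00:07 login_failed user=alice
2024-03-01T10:01:00 login_failed user=bob
2024-03-01T10:05:00 password_reset user=carol
2024-03-01T10:05:30 password_reset user=carol
2024-03-01T10:06:00 password_reset user=carol
2024-03-01T10:10:00 purchase user=dave card=4111****1111
2024-03-01T10:10:20 purchase user=dave card=5500****0004
2024-03-01T10:10:40 purchase user=dave card=3400****0009
"""
# Assumed thresholds: alert on this many events of a kind per user inside WINDOW, or > MAX_CARDS cards.
WINDOW = timedelta(minutes=5)
THRESHOLDS = {"login_failed": 5, "password_reset": 3}
MAX_CARDS = 2

def parse(text):
    """Turn '<iso-timestamp> <kind> user=<u> [card=<c>]' lines into (ts, kind, user, card) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((datetime.fromisoformat(ts), kind, fields["user"], fields.get("card")))
    return events

def detect(events):
    """Return sorted (user, reason) alerts; counts use a sliding window per (kind, user)."""
    alerts = set()
    recent = defaultdict(list)  # (kind, user) -> timestamps still inside WINDOW
    cards = defaultdict(set)    # user -> distinct cards seen on purchases
    for ts, kind, user, card in sorted(events):
        if kind in THRESHOLDS:
            window = recent[(kind, user)]
            window.append(ts)
            while ts - window[0] > WINDOW:  # evict timestamps that aged out of the window
                window.pop(0)
            if len(window) >= THRESHOLDS[kind]:
                alerts.add((user, f"{kind} >= {THRESHOLDS[kind]} in {WINDOW.seconds // 60} min"))
        elif kind == "purchase" and card:
            cards[user].add(card)
            if len(cards[user]) > MAX_CARDS:
                alerts.add((user, f"purchases with more than {MAX_CARDS} distinct cards"))
    return sorted(alerts)
```

Running `detect(parse(SAMPLE_EVENTS))` flags alice, carol and dave and leaves bob alone, since a single failed log-in is normal noise rather than a breach indicator.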

CONCLUSION

In this chapter you have been given some recommendations about the DevOps way of information security. Information security is an art and a science in itself, so the approach articulated in this chapter is not meant to make you an information security expert, but to explain to you how the DevOps software development and delivery methodology approaches information security.

It is evident that DevOps empowers and integrates the information security and compliance goals of your organization into the daily work of your DevOps engineers by making information security everyone’s job in your organization. The world’s most dynamic companies have already proven that this is a safe way to securely serve your clients.
