Security and DevOps

Originally posted October 8, 2012

I am a big fan of the potential of DevOps, which is something I don't hear a lot of other security people saying. Unfortunately, some DevOps adopters have used DevOps as an excuse to bypass necessary processes including, but not limited to, security. However, that isn't the case in the majority of the organizations I've talked to, and looking forward I see even greater potential.

I was recently having a conversation with Gene Kim (@realgenekim) about this, and about how security requires cultural change, not just technical change. And let's be clear, cultural change is possible. Development has gone through a number of significant cultural changes as software has become more foundational to everything we do (e.g., Agile, DevOps, IDEs).

He wrote up an excellent IT Revolution blog post on the conversation.

I wanted to add a few more thoughts, as I see three significant challenges to security and software development:

  1. Making security a priority. Let's be clear, developers and operations people today are managed to get releases out the door as fast as possible that are stable enough to meet customer requirements. Security isn't in that sentence in most organizations, and until it is, this will continue to be a challenge. Requirements come from product management and executives (not developers or security), so the change will have to come from there too.
  2. Ability to articulate security requirements. Security requirements are hard. Our attack surface is approaching infinity. Adversaries continually innovate to increase their ROI. Technical debt is trending in a direction no one prefers. However, that doesn't mean we shouldn't try. The code review list mentioned in the IT Revolution blog post, which I developed in the late 90s, was a good attempt. It was far from perfect, but it articulated requirements that developers could understand, support and implement.
  3. Developers understanding security. Let's be clear: most developers and operations people don't understand security. This needs to change. Most organizations have annual mandatory employee information security training, but no secure software training for developers. (And a one-hour video with a checklist test isn't the answer.) I'm a big fan of initiatives like Rugged Software that set out first-principle-like ideas to help developers think about secure development. We've got a long way to go.

I see Gauntlt, an open source security testing tool designed to be operated within the continuous testing and deployment pipeline, as a potentially significant step forward for issues #2 and #3 above. However, let's be clear: until product management and executives make deploying Gauntlt (or Security Monkey, or another method) required, secure DevOps won't be a widespread phenomenon.