Diving into DevOps

DevOps Security: Turn Security into Code

A presenter at the upcoming RSA security conference explains how security must be continuous and automated to be successful in DevOps.

The San Francisco edition of the annual RSA security conference is just around the corner (Feb. 13-17), and e-mails from participating vendors have been coming in at a furious pace. The so-called ransomware explosion is a sizzling topic this year; the conference includes a one-day Ransomware Summit. But DevOps security is also hot, and the RSA schedule includes a day-long seminar dubbed "DevOps Connect: DevSecOps Edition."

The list of security experts scheduled to present during that day-long DevOps Summit includes Jeff Williams, CTO and co-founder of Contrast Security and a founding member of the Open Web Application Security Project (OWASP). Thanks to the persistence of his company's PR team, his RSA message made it to the top of my inbox, and I'm glad it did. In it Williams offers some observations about DevOpsSec that are worth sharing.

Among other things, Williams pointed out, the transition to DevOps disrupts traditional app security practices, which typically involve specifying the requirements up front and then testing just before deployment.

"With DevOps, this process simply won't work," Williams said. "The feedback is too slow, too late, and too inaccurate, and it slows down development."

In organizations implementing DevOps practices, security should work differently, he said. Because code is released continuously, security must also work continuously. Developers need instant, accurate feedback on their code, and security should be confirmed before every release. The only way to make this happen, Williams said, is to "turn security into code," by fully automating the testing process.

"When the security tests are fully automated, DevOps projects can build and deploy software with confidence even without involvement from security experts," he said.

On the operational side, DevOps projects need to be able to monitor their applications for security, report exactly who is attacking and which techniques they're using, and block them when necessary, he said.

"The old process involved network choke points (Web application firewalls) and required serially scanning the entire application portfolio every time a new attack or vulnerability came out," Williams said. "DevOps projects require security that keeps up with rapidly changing network configurations and architectures. Security has to be able to respond immediately when new vulnerabilities are discovered and new attack techniques are revealed."

Because DevOps projects require organizations to manage security across both development and operations, the demand for full visibility into an organization's application inventory is especially high, Williams said. "[Companies have to] know exactly what versions of software, libraries, frameworks, and components are running everywhere in their environments. They need to turn security into code, so they can continuously assess their code and deliver it without vulnerabilities efficiently."
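One concrete way to "turn security into code" along the lines Williams describes is a release gate that runs in the pipeline on every build: it derives the dependency inventory from the pinned lockfile and blocks the release when any pin falls inside a published vulnerable range. The script below is an added illustration, not code from Williams or Contrast Security; the lockfile, the advisory list and the ADV-000x labels are constructed placeholders, and a real gate would pull advisories from a feed rather than a hard-coded list.

```python
"""Release gate: every dependency must be pinned and none may sit inside a
known-vulnerable version range. Runs offline on constructed sample data."""
import re

# Constructed lockfile in requirements.txt pin style (not a real project's).
LOCKFILE = """\
requests==2.19.1
flask==1.1.2
pyyaml==3.13   # trailing comment, should be ignored
"""

# Constructed advisories: (package, first vulnerable, first fixed) - placeholders.
ADVISORIES = [
    ("requests", "2.0.0", "2.20.0"),  # placeholder advisory ADV-0001
    ("pyyaml", "0.0.0", "5.1"),       # placeholder advisory ADV-0002
]

def parse_version(text):
    """'2.19.1' -> (2, 19, 1): compare numerically, never as strings ('3.13' < '5.1')."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def inventory(lockfile):
    """Build {package: version} from '==' pins; blanks and comments are skipped.
    Anything not strictly pinned is rejected, because an unpinned line means the
    inventory cannot say exactly what version will run."""
    found = {}
    for line in lockfile.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        found[m.group(1).lower()] = m.group(2)
    return found

def vulnerable(inv, advisories=ADVISORIES):
    """Return [(package, version, first_fixed)] for every pin inside an advisory range."""
    hits = []
    for pkg, lo, fixed in advisories:
        v = inv.get(pkg)
        if v and parse_version(lo) <= parse_version(v) < parse_version(fixed):
            hits.append((pkg, v, fixed))
    return hits

def release_gate(lockfile):
    """(True, []) when the build may ship; (False, findings) when it must be blocked."""
    hits = vulnerable(inventory(lockfile))
    return (len(hits) == 0, hits)

if __name__ == "__main__":
    ok, hits = release_gate(LOCKFILE)
    print("PASS" if ok else f"BLOCK: {hits}")
```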

Whether you call it "DevSecOps" or "DevOpsSec," the processes and practices around securing the transition to DevOps, and ultimately the DevOps pipeline itself, have become a top-of-mind issue for a growing number of organizations. RSA looks like it's going to be a gold mine for those interested in this topic this year. BTW: Williams' February 2014 presentation, "Application Security at DevOps Speed and Portfolio Scale," is available on YouTube, and worth checking out.

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].