Agile doesn't (necessarily) mean fragile

To be as competitive as possible more organizations today are creating more agile development and operations teams who are collaborating more closely together than before -- and moving more applications and more application updates than ever before as a result. Some are moving many dozens of updates and infrastructure changes a day.

This has some security managers and CISOs concerned that by pushing updates out too quickly, secure development practices and quality assurance gets pushed to the side in favor of agility and speed.

[White House pushes cybersecurity framework for critical infrastructure]

According to Gene Kim, founder of IT security firm Tripwire and DevOps author and speaker says that this highly cooperative and iterative environment doesn't create the shoddy environment (security wise, that is) they fear: in fact it can enhance security. "We've witnessed this downward spiral that happens in almost every IT organization. It became typical that whenever you wanted a new release or deployment, in most enterprises, it would take days or weeks or longer to complete. It involves tons of project sign-offs and hand-offs. This includes developers, DBAs, release teams, security and compliance people, operations teams and so on. This creates delays and is itself very error prone," Kim says.

Kim and other agile IT advocates contend that this creates fragile applications in production, builds up technical debt (including things that must be fixed in the future) and causes the business to run more slowly over time. "It led to preordained failure. Where people felt, especially downstream (operations, test, security) trapped in a system where people were powerless to change the outcomes," Kim says.

What DevOps advocates is testing as code is being developed. "This way you don't have this upfront cost associated with this very long architecture phase before you start building. You are iterating. So it's an opportunity for the security team to participate in that. It produces tighter feedback loops both within the dev and the ops worlds. Security gets to play in that as well," says Bill Burns, former CISO with a major online streaming and entertainment service.

"The fact is, when done well, incorporating security into DevOps is sort of the Holy Grail for a really robust secure development lifecycle. Everyone says they want to put security upfront in the design and within the architecture phases. With DevOps that becomes much more feasible," Burns says.

An example Kim likes to share is the static code analysis application that the Twitter development team built into its Jenkins continuous integration processes. The tool, dubbed "Brakeman" runs secure code analysis of the application and its findings are fed into the homebuilt Security Automation Dashboard whenever a developer hits save on their work. After Brakeman's quick analysis, the developer would get an email if there was a negative finding, for example, that would say something along the lines of: "Hey, you may want to know that we just detected a SQL injection vulnerability. Click here to learn how to fix it."

"The instant they fixed it and hit save they would get another e-mail from brakeman saying "Hey, thank you so much. Thank you for fixing the SQL injection vulnerability. Please rate our instructions on helpfulness 1-5 stars," Kim explains.

A survey recently conducted by automated server management software provider JumpCloud found that such security automation -- including activities such as patching, user management, log analysis, and forensics -- is an integral part of the DevOps movement.

[House bill favors private-government cooperation over regulation]

That's exactly how security should be coupled to the process, explains Burns. "You build these small feedback loops that are tightly coupled between the developers and the operation roles so you log more events. When you are security and you are part of those conversations you get to make these incremental improvements and pivot with the product or the service as they're developing it," Burns says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityTripwireDevopsinfrastructure managementSecurity Leadershipupdates

More about BillTripwire

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George V. Hulme

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place