The evolution of DevOps: the perfect storm for instituting secure coding practices

The nature of DevOps development approaches eases, invites, cries out for secure coding practices.

Happy Appetite!

Software is eating the world, or so say DevOps leaders such as Marc Andreessen, general partner at Andreessen Horowitz, as most companies become software companies in addition to being purveyors of their primary goods and services in order to stay competitive.

Experts agree that DevOps is eating software, too. “I believe that in five to 10 years DevOps practices will be mainstream. People will view DevOps as the correct way to do software development,” says Tom Stiehm, CTO of Coveros. In that respect, says Stiehm, DevOps is eating software development.

Secure coding practices should likewise envelop DevOps, sealing many of the holes that criminal hackers would otherwise exploit. As DevOps accelerates software development, foot-draggers will have a hard time arguing that secure coding practices slow software delivery. If developers use DevOps’ many ingress points to fix security vulnerabilities the way they already use them to fix code, secure coding could swallow DevOps whole and become the norm across software development.


“DevOps shifts the focus of development to producing the best possible outcome for the customers. The new focus includes a shared understanding that security is essential to establishing and maintaining customer trust,” says Otto Berkes, CTO, CA Technologies and the first architect of Xbox at Microsoft.

Gartner includes “Security Testing for DevOps” in its 2016 Top 10 Technologies for Information Security. CSO looks at the issues and why DevOps will increase secure coding practices.

DevOps, the perfect environment for secure coding

DevOps is a good opportunity to make secure coding the norm across software development, provided secure coding envelops DevOps as DevOps envelops software. “Improved security is a core benefit of DevOps methodologies and is one of the reasons that DevOps is such a powerful movement. Customers expect to have a great software experience, and that has to include security as a basic ingredient,” says Berkes.

For many enterprises, DevOps automation techniques have hastened software development to a pace that became possible well ahead of schedule. It takes the video entertainment broadcasting behemoth Netflix, which the literature on DevOps regularly touts as a prime example, a mere 16 minutes to take Janitor Monkey, its cloud resiliency and maintenance service, from code check-in to a full, multi-region (global) deployment, according to a recent company blog post. “Netflix is the poster child for DevOps speed and agility, having pioneered the development approach for many industries,” says Mike Kail, Co-Founder of Cybric and former CIO at Yahoo.

High-performing IT organizations—the ones that use DevOps development practices and methodologies—deploy software 200 times more frequently than low performers, according to the 2016 State of DevOps Report. The sheer volume of software development that DevOps makes possible makes it uncannily intuitive to add secure coding practices without slowing deployments. “The move to CI/CD as part of the agile development process leverages automation in what used to be a manual process, which adds incredible speed. Integrating security tools into that pipeline is now much easier than coordinating across multiple manual steps, involving multiple engineers,” says Kail.

With the extreme shortage of cyber security engineers, which the industry expects to continue if not worsen, the automation that is native to DevOps is critical to increasing and enforcing secure coding practices, if the industry is going to do it at all, says Kail.

DevOps overturns objections to secure coding

Objections to instituting secure coding practices have included disagreement over the need for it and how to apply it as well as added costs, slowing development, and postponing release dates.

When enterprises start to implement DevOps, they acquire a more holistic view of what goes into software delivery; they can then ask where the risks exist and how to mitigate them during development rather than later on, says Josh Atwell, co-author of DevOps for VMware Administrators.

As DevOps grows in popularity, overshadowing other development methodologies because of its competitive and cost-saving advantages, the security industry should take the opportunity to prepare to inform and propel best practices in secure coding into the DevOps pipeline immediately. “DevOps, and the implementation of a functional framework, can permit security professionals to provide specific security functions to apply in the code and during testing,” says Atwell.


DevOps ultimately creates savings and speeds development through efficiencies and automation, multiplies the number of releases possible in the same time frame, and creates new revenues through competitive advantage.

“Make It So, Number One”

Tom Stiehm, CTO, Coveros, suggests methods for driving secure coding practices deep into the heart of DevOps, including:

  • Add as many security settings and as much scanning and analysis to software build pipelines as possible, whether by simply adding a few open source tools to the pipeline or by taking more complex steps.
  • Make data collection and automated testing as easy as possible for the team to use while ensuring that leveraging the test results is equally within reach.
  • Work with the open source tools that do scanning and analysis to improve associated rules and capabilities.
  • Champion those security tools in the build pipeline and help software delivery teams understand the value of improved security.

“By employing secure coding processes throughout the application delivery lifecycle, shifting automated testing to earlier in the development process, and increasing opportunities to find and fix security issues, everyone benefits,” says Berkes.

Prose on probabilities

Whether the industry will leverage DevOps to inject secure coding remains an open question that only time will answer. “Improved implementation of secure coding and security practices into the software development lifecycle certainly has the potential for easier adoption in a DevOps ecosystem,” says Atwell. Still, as with any disruptive technological change, some enterprises will experience costly lessons at the outset, and many will have to find their own path to DevOps tranquility because of specialized industry vertical business requirements and market opportunities that are unique to each organization.

Stories by David Geer