Security at the speed of DevOps
While there are some common misconceptions prevalent in the information security field when it comes to DevOps, Ed Bellis, former CISO of Orbitz, urges security professionals to seize the new opportunities DevOps presents. Currently CTO of Kenna, Bellis is taking the stage at the upcoming DevOps Enterprise Summit (see below for a discount code especially for Enterprisers Project readers) to discuss the security best practices and challenges to be aware of within heavily automated DevOps environments. We recently caught up with Bellis to learn more.
The Enterprisers Project (TEP): How can IT leaders in large enterprises leverage a DevOps model to address some of their key security issues today?
Bellis: Baby steps. Follow the organization, and inject security in where you can. Are you already performing static analysis on your source code? Why not hook that into your DevOps model via your build-and-deploy process? Take a look at free and open source tools that help inject security testing into your deployment process, like Gauntlt. Even injecting the smallest and simplest of tests can be early wins for an enterprise.
Most importantly, understand for an enterprise that the cultural shift is greater than the tools.
TEP: What can organizations do to mitigate risks in a DevOps environment?
Bellis: Look at the checks that are being performed today in your enterprise. Keep an eye on opportunities for automation, but be mindful that new systems require additional thinking. A common use case touted as a benefit in DevOps is Continuous Integration (CI) and Deployment. CI can benefit security as much as it does development and operations, but this also means building in new hooks to account for security testing. This will speed up and ensure consistent security testing is employed, but it also means new attack surfaces. Just as security teams should be thinking about the security of their products, don’t forget to apply the same requirements to your DevOps tools, like CI servers, etc.
TEP: How do you see DevOps impacting the future of information security?
Bellis: DevOps is a great opportunity to inject security into all of the areas we as security pros have complained about in the past. DevOps processes allow security teams to scale where it was never possible before and ensure security checks are passed and consistent. When many organizations have a 100:10:1 ratio when it comes to Developers:Operations:Security, this is a big win.
Security testing can now be part of a CI environment and be run with each check-in of new code. The days of referring to stale documents on a shared drive as evidence for compliance or security will be as laughable as it sounds. Configuration cookbooks can now be used as both evidence and policy for compliance.
Perhaps one of the single greatest benefits of DevOps to security is the very attribute that security teams fear: it’s speed. DevOps, like anything else, is no guarantee of security; however, the rate at which issues can be detected, responded to, and remediated will be 30 times greater or more. The days of quarterly release cycles and “emergency deploys” that take a week are over. When my organization is deploying tens or even hundreds of times per day, I can react and fix issues faster and have much smaller windows of exposure. While changes are faster, they are also smaller, making it much easier to pinpoint root causes. This may be the single greatest benefit to security.
TEP: What are some of the biggest misconceptions related to security and DevOps?
Bellis: Probably the two most common arguments I hear against DevOps when it comes to security is speed and separation of duties. For the record, I think both of these arguments are bunk. Hear me out.
One of the most prevalent arguments against DevOps in the security community is the speed at which it operates. The theory that moving that quickly means sacrificing testing, specifically security testing and the common gates we see in a waterfall process. How can you perform the appropriate threat modeling, code reviews, dynamic and black box tests prior to deploying to production? How do we know all of the code being deployed has been documented and approved by management? There seems to be a misconception that moving fast means skipping controls, when in reality, DevOps environments often automate these controls that used to be highly manual and prone to mistakes and inconsistency.
Separation of duties in the traditional “compliance” definition of this view are wrong. Operations does not exist to ensure there are no evil-doers in development. DevOps promotes integration and working as a team, including peer reviews and multiple “sets of eyes” on code changes and deployments. Pull requests are the new separation of duties.
Ed Bellis will share more of his thoughts on why security and DevOps go hand-in-hand at the DevOps Enterprise Summit, which takes place Oct. 19-21 in San Francisco, CA. Friends of The Enterprisers Project can use promo code “ENTERPRISER20” for a 20 percent discount on registration.
Ed Bellis is the CTO of Kenna, a vulnerability intelligence Software as a Service that centralizes, correlates and automates the entire stack of security vulnerabilities and remediation workflow. Ed has over 20 years of security experience. Prior to Kenna, Ed served as the Chief Information Security Officer for Orbitz, the well known online travel agency where he built and led the information security program and personnel for over 6 years. Additionally Ed has work in Security and Technology at organizations including Bank of America, CSC and Ford Motor Company.