5 DevOps trends that will improve application security in 2017
Combining security and DevOps needn't be like trying to mix oil and water. Agile and continuous software development doesn't have to increase the risk of creating insecure software.
Making sure secure code is produced by DevOps doesn't have to slow down development. Here five key trends that will gain traction in 2017, helping development and security teams forge a more harmonious relationship.
DevOps moves security closer to the beginning of the software lifecycle
The speed at which applications must be brought to market, coupled with the need for more secure code, has started organizations on the path toward tighter integration of security into the development process. That trend will continue in the coming year.
"What we're seeing with DevOps and continuous integration and agile is an opportunity to insert security earlier in the process," says Tsvi Korren, senior director for technical services at container security platform vendor Aqua.
"Security folks haven't adopted that idea completely yet, but that realization is taking place." —Tsvi Korren
That change in mindset began to accelerate in the latter half of 2016. "We have security people approaching us, and asking how can they be inserted earlier and earlier into the DevOps process," Korren says.
More and more organizations are realizing that first contact with security at Q&A time is too late. "They're realizing that if they move security testing to earlier in the development cycle, they have a much higher rate of success and much higher throughput," says Sebastian Taphanel, a solutions architect with the cloud security firm Evident.io.
The efficiency happens because developers don't have to wait for security to do its thing. Tapahnel said that when he worked in the intelligence community, his developers begged their security managers to give them access to the same penetration testing tools that the security people used. Reluctantly, they gave in.
"Once they gave us access to their scanning tools, we removed weeks and months off our delivery times because we weren't waiting for the pen testers to give us their first look." —Sebastian Taphanel
Moving security deeper into the development cycle will continue in 2017. In response, the processes and tools security uses will need to adapt. But how fast adaptation will occur remains to be seen. In some organizations using DevOps, for instance, this has contributed to loose security practices, says John Pescatore, Director at the SANS Institute.
"We're seeing a conflict between the demand of DevOps for speed and security. Some organizations are saying, 'If security slows us down, then we can't focus as much on security.'" —John Pescatore
More mature DevOps shops that focus on doing the right things faster and eliminating the wrong things that slow down development have been able to wed security with speed, however. There's just one problem: "Those organizations are only about 10 to 15 percent of those using DevOps," he says.
Organizations get serious about container security
The use of containers has become popular in DevOps circles because these add flexibility and agility to application development, as well as testing, staging and fixing bugs. Using a container, a developer can put the application in a box that can be moved around and scaled up and down without the configuration restraints and performance challenges of a virtual machine or physical computer.
Last year, though, it became apparent that security was going to be an issue with the technology. In July, a security researcher was able to access the source code for the entertainment network Vine because basic security practices were ignored, resulting in a misconfiguration of the Docker container software. In late 2016, when the "Dirty COW" vulnerability was uncovered in Linux, investigators discovered that the flaw could also be exploited inside a container.
Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, says it's still early days for container security.
"Do security teams understand containers? Not yet. This is part of a trend and it's going to take a number of years for security teams to catch up." —Kevin Bocek
Meanwhile, the container security arena is becoming a hotbed for startups that are joining the ranks of existing players including Aporeto, Aqua and Twistlock.
Old-line security firms will be getting in on the act, too. "Security vendors are going to start building their products with functionality for DevOps and containers in the coming year," Bocek says.
Security tools will become more developer-friendly
If developers are going to assume a front-line role in securing applications, they'll need to work with security tools. That can be a problem, because those tools were created for security pros, not developers.
As a result, the information these tools produce often can't be understood by developers, Korren says.
"You need to give developers data that is relevant to what they do. You can't tell them there are seven high-level vulnerabilities in that piece of software you just produced because that's meaningless to them." —Tsvi Korren
Developers need practical information, he says. They need flaws explained—critical vulnerabilities have been found in this component of your code—and recommendations for fixing them. For example, is there an upgrade to the latest version of the component to addresses the vulnerabilities?
In addition to being practical, information conveyed needs to be cleansed of false positives, a major conflict point between developers and security teams. "If you give developers a report that says there are several vulnerabilities in a piece of software, but a few of them are false positives, you're going to waste everybody's time trying to mitigate something that doesn't need mitigation."
A new breed of tools is starting to appear that can improve the speed of DevOps teams, while making what they produce more secure. "The idea of making security systems frictionless for DevOps is a trend we're seeing," Bocek says.
"DevOps teams will start using something that they find really easy, and not know that what they're doing is more secure." —Kevin Bocek
Training will get DevOps and security teams on the same page
Friction is inevitable between teams with conflicting goals. DevOps teams want to deliver the best quality software as fast as possible, while security teams want to ensure that software is delivered without vulnerabilities, no matter how long it takes. Training that gives developers the knowledge to avoid security mistakes while giving security people a better idea of what developers do can reduce that friction.
The old paradigm of delegating all security chores to security people has been shattered by DevOps. "Developers have no choice now but to be completely aware of security issues and be part of the security process," says Frank Zinghini, CEO of AppliedVisions.
"You can't wait until an application is near completion to do security in a DevOps environment. Developers have to build security into their process from the beginning." —Frank Zinghini
To get developers to do that, however, you'll need a greater understanding between the development and security camps. "You don't want to beat developers up if their code is not secure," Pescatore says. "You need to show them what kinds of things to avoid and how threat actors work."
"Then you have to have the security teams understand what DevOps means, and how a company is implementing it so the security team can support the development team as it moves more quickly," he says.
The future of DevOps lies in the ability of security and development teams to communicate with empathy. "Products that can meet both DevOps and SecOps needs are highly successful," says Tapahnel.
Automation ramps up in DevOps to secure applications
Automating security tasks has already begun to take hold in DevOps, but automation activity will move up a notch in the coming months as DevOps deployments grow in scale. "This year and the beginning of next year, we're going to have some large deployments of software using the DevOps process," Korren says. "Doing security in that kind of environment and on that scale requires a lot of automation."
Using traditional methods, a security team might have a week to test the latest code from its development team. With DevOps, that time might be reduced to one day—or less. "The security team needs to change its methodology to keep pace with that, which usually means using more automation," Pescatore explains.
Korren argues that automation is key to software security. "Developers and operations people know they're going to have to have rigid security controls over the things they deploy in the cloud," he says. "What they don't want to do is delay the rollout process by stopping it to figure out the security parameters for a piece of software, so they're going to be looking for software that can assess security on the fly."
"You're going to have to have software deciding what are the right security parameters for another piece of software." —Tsvi Korren
As these trends take hold, both security and development teams will begin to see another promise of DevOps: applications written with code that's more secure. With 111 billion lines of code expected to be delivered in 2017, the timing is right.