A detailed analysis of ISACA's 10 key DevOps controls

Tony Bradley, Editor-in-Chief

The DevOps revolution is transforming the methods and pace of software development. ISACA, an independent, nonprofit organization dedicated to developing and implementing industry-leading security practices, recently created new guidelines for DevOps controls: "DevOps Practitioner Considerations."

Business value bolstered

The ISACA guidelines recognize the business value of DevOps but stress that there are assurance, governance, and security factors that need to be considered. "This guidance outlines these considerations: the risk of DevOps (in adoption and non-adoption), controls that can help mitigate key risk areas, and specific actions that practitioners can take to ensure that the benefits of DevOps are realized while potential risk is mitigated."

First, let's break down each of the 10 key controls outlined in the ISACA document:

1. Automated software scanning

In order to keep up with the more rapid release cycle of a DevOps environment, ISACA recommends an automated scan to find security configuration issues in code. The ISACA document directs auditors to observe that some sort of application code scanning tool is in place and to examine log files or other evidence to prove scans are taking place.

2. Automated vulnerability scanning

In addition to code scanning, automated vulnerability scanning is also recommended. The document recognizes how DevOps platforms such as Chef or Puppet automate configuration management and may introduce changes and vulnerabilities dynamically in the environment. The idea is to trigger some sort of automated vulnerability scan as a part of the release process.
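The release gate described by the first two controls, as an added example that is not from the ISACA document or the article: it assumes a code scanner and a vulnerability scanner have each written their findings as a JSON list of objects with `id`, `severity` and `title` (a constructed format, not any particular tool's output), blocks the release on anything at or above a chosen severity, passes lower findings through as deferred work, and writes one timestamped evidence line per decision so an auditor can later confirm that scans really ran as part of the release.

```python
"""Release gate that consumes automated code and vulnerability scan results.

Added example (not ISACA's or the article's). Assumed input: each scanner has
already written a JSON list of {"id", "severity", "title"} objects. Assumed
policy: the severity ranking and blocking threshold below are illustrative.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Severity ordering used by the gate (assumed policy, not ISACA's).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Findings at or above this level block the release outright; lower levels
# pass through but are recorded so they can be mitigated (e.g. behind a WAF).
BLOCK_AT = "high"

# Constructed sample scanner output, standing in for a code scanner and a
# vulnerability scanner run against the release candidate.
SAMPLE_CODE_SCAN = json.dumps([
    {"id": "code-001", "severity": "medium", "title": "Hard-coded debug flag"},
])
SAMPLE_VULN_SCAN = json.dumps([
    {"id": "vuln-001", "severity": "low", "title": "Banner reveals version"},
    {"id": "vuln-002", "severity": "critical", "title": "Outdated TLS library"},
])


def load_findings(raw_json: str) -> list[dict]:
    """Parse scanner output. Unknown or missing severities are treated as
    'high' so a misconfigured scanner fails closed instead of slipping past."""
    findings = json.loads(raw_json)
    for f in findings:
        f["severity"] = str(f.get("severity", "high")).lower()
        if f["severity"] not in SEVERITY_RANK:
            f["severity"] = "high"
    return findings


def evaluate_release(code_raw: str, vuln_raw: str) -> dict:
    """Combine both scans and decide whether the release may proceed."""
    findings = load_findings(code_raw) + load_findings(vuln_raw)
    threshold = SEVERITY_RANK[BLOCK_AT]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    deferred = [f for f in findings if SEVERITY_RANK[f["severity"]] < threshold]
    return {
        "allowed": not blocking,
        "blocking": [f["id"] for f in blocking],
        "deferred": [f["id"] for f in deferred],
    }


def evidence_line(result: dict, now: datetime | None = None) -> str:
    """One log line per gate decision: the evidence an auditor reviews to
    verify that scanning actually happens on every release (control 1)."""
    now = now or datetime.now(timezone.utc)
    return (f"{now.isoformat()} release_gate allowed={result['allowed']} "
            f"blocking={','.join(result['blocking']) or '-'} "
            f"deferred={','.join(result['deferred']) or '-'}")


if __name__ == "__main__":
    outcome = evaluate_release(SAMPLE_CODE_SCAN, SAMPLE_VULN_SCAN)
    print(evidence_line(outcome))
    # Non-zero exit stops the pipeline stage that invoked the gate.
    raise SystemExit(0 if outcome["allowed"] else 1)
```

Run as a pipeline step, the gate's exit status decides whether the deploy stage proceeds, and the printed line is appended to whatever log the organization keeps as scan evidence. Treating an unrecognized severity as blocking is the deliberate fail-closed choice: a scanner that silently changes its output format should stop releases, not approve them.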

3. Web application firewall

Either of the automated scans may discover issues that need to be mitigated but aren't severe enough to warrant an urgent response. A firewall or some equivalent security filter between the application server and the outside world can provide adequate temporary protection while underlying issues are addressed.

4. Developer application security training

Training developers on secure coding techniques and how to avoid common vulnerabilities and security configuration issues is an important and valuable security control—albeit one that isn't unique to DevOps. ISACA auditors are asked to assess developer security training and review evidence that developers have attended or participated in appropriate training.

5. Software dependency management

When you put DevOps, containers, open-source tools, and faster app deployment together, one of the potential pitfalls is software dependency. Apps are built on APIs, open-source libraries, and other middleware—each of which is a "moving part" that can introduce vulnerabilities at some point. ISACA recommends that organizations employ some sort of tool or process to track and manage supporting libraries and application components to remain aware of changes as they're introduced.
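One way to stay aware of dependency changes as they are introduced, as an added example that is not from the ISACA document or the article: it assumes the application's supporting libraries are recorded in a pinned-requirements style list (`name==version` per line, `#` comments allowed), compares the list from the previous build with the current one, and flags any component that is not pinned at all, since an unpinned component can change underneath a build without anyone noticing.

```python
"""Dependency inventory diff between two builds.

Added example (not ISACA's or the article's). Assumed input format: one
"name==version" entry per line with optional '#' comments, one common
lockfile shape. Both snapshots below are constructed.
"""
from __future__ import annotations

import re

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*(\S+)$")
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)")

# Constructed snapshots of the same application's dependency list at two
# consecutive builds.
PREVIOUS_BUILD = """
# build 41
requests==2.25.1
urllib3==1.26.4
pyyaml==5.4
"""
CURRENT_BUILD = """
# build 42
requests==2.26.0
urllib3==1.26.4
cryptography     # no version pinned
"""


def parse_inventory(text: str) -> tuple[dict[str, str], list[str]]:
    """Return {name: version} for pinned entries and a list of unpinned names."""
    pinned: dict[str, str] = {}
    unpinned: list[str] = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop comments
        if not stripped:
            continue
        m = PIN_RE.match(stripped)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            n = NAME_RE.match(stripped)
            if n:
                unpinned.append(n.group(1).lower())
    return pinned, unpinned


def diff_inventories(old_text: str, new_text: str) -> dict:
    """Summarize what moved between two builds so the change can be reviewed."""
    old, _ = parse_inventory(old_text)
    new, unpinned = parse_inventory(new_text)
    all_new = set(new) | set(unpinned)
    return {
        "added": sorted(all_new - set(old)),
        "removed": sorted(set(old) - all_new),
        "changed": {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]},
        "unpinned": sorted(unpinned),
    }


def needs_review(report: dict) -> bool:
    """True when anything moved or any component is floating unpinned."""
    return bool(report["added"] or report["removed"]
                or report["changed"] or report["unpinned"])


if __name__ == "__main__":
    report = diff_inventories(PREVIOUS_BUILD, CURRENT_BUILD)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("review needed:", needs_review(report))
```

Running this as part of the build records which components changed between releases, which is the awareness the control asks for; the unpinned check is the part that catches a component that would otherwise drift silently.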

6. Access and activity logging

Identity and access management isn't unique to DevOps, but the principle of least privilege still applies. ISACA recognizes that separation of duties and access management can be automated under DevOps. It requires, however, that there be some sort of developer activity log, so there's a paper trail of what changes were made, on what date or time, and by which developer(s).

7. Documented policies and procedures

Establishing clearly defined policies and procedures is a standard best practice that predates DevOps. DevOps environments are more dynamic and fluid by nature, though, which makes defining policies and procedures both more difficult and more important. ISACA directs auditors to review policies to ensure that they cover all aspects of the production release process.

8. Application performance management

Application performance management (APM) is a valuable tool for developers to proactively manage and resolve any issues that arise. Apps that don't work or don't perform as expected impact productivity. ISACA recommends that organizations implement some sort of APM solution and collect the appropriate metrics to address problems when they occur.

9. Asset management and inventory

It's important for any organization to maintain a current and accurate asset inventory, including the asset owner, business purpose, physical or virtual location, and other relevant details. DevOps accelerates the pace of development and app deployment, making it more challenging to stay on top of this. The ISACA control calls for an automated tool or manual process to maintain a record of assets and applications.

10. Continuous auditing and/or monitoring

"Continuous everything" is a cornerstone of DevOps. If development, testing, deployment, and other aspects of the software lifecycle are automated and continuous, then the auditing and monitoring of the environment should be continuous as well. ISACA directs organizations to establish a process and supporting tools to continuously validate proper operation of the required controls.
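A minimal form of the continuous validation this control calls for, as an added example that is not from the ISACA document or the article: it assumes every automated control appends a line of the form `<ISO timestamp> <control-name> ...` to a shared evidence log (a constructed format) and that the freshness window per control is a policy decision the organization makes, not a value ISACA prescribes. The check reports each required control as ok, stale, or missing, so a control that has silently stopped producing evidence shows up the same way a failing one would.

```python
"""Continuous control validation over an evidence log.

Added example (not ISACA's or the article's). Assumed log format:
"<ISO-8601 timestamp> <control-name> <free text>" per line. The freshness
windows are illustrative policy values; the log and "now" are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Maximum age of the newest evidence line before a control counts as failing.
REQUIRED_CONTROLS = {
    "code_scan": timedelta(hours=24),
    "vuln_scan": timedelta(hours=24),
    "activity_log": timedelta(hours=1),
    "apm_metrics": timedelta(minutes=15),
    "asset_inventory": timedelta(days=7),
}

# Fixed "now" so the result is reproducible; a real run would use the clock.
NOW = datetime(2016, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed evidence log: two controls are healthy, one is stale, one has
# produced no evidence at all, and one line is malformed.
SAMPLE_LOG = """\
2016-03-01T09:30:00+00:00 code_scan findings=2 blocking=0
2016-03-01T09:31:00+00:00 vuln_scan findings=5 blocking=1
2016-03-01T11:50:00+00:00 activity_log actor=dev-a change=cfg-17
2016-03-01T11:30:00+00:00 apm_metrics p95_ms=210
not-a-timestamp garbage line that should be ignored
"""


def latest_evidence(log_text: str) -> dict[str, datetime]:
    """Newest timestamp seen per control; malformed lines never count."""
    latest: dict[str, datetime] = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp: not evidence
        control = parts[1]
        if control not in latest or ts > latest[control]:
            latest[control] = ts
    return latest


def validate_controls(log_text: str, now: datetime = NOW) -> dict[str, str]:
    """Return {control: 'ok' | 'stale' | 'missing'} for each required control."""
    latest = latest_evidence(log_text)
    status: dict[str, str] = {}
    for control, max_age in REQUIRED_CONTROLS.items():
        if control not in latest:
            status[control] = "missing"
        elif now - latest[control] > max_age:
            status[control] = "stale"
        else:
            status[control] = "ok"
    return status


if __name__ == "__main__":
    for control, state in validate_controls(SAMPLE_LOG).items():
        print(f"{control:16} {state}")
```

Scheduled at a short interval, a check like this turns the audit question "is each control operating?" into something answered continuously rather than at the next review, and a "missing" or "stale" result is what should raise an alert.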

Experts weigh in

The ISACA document has been well-received so far. Industry experts, however, are quick to note that many of the guidelines spelled out are not specific or unique to DevOps.

"The 10 recommendations from ISACA are a good start. Yet, none of these are specific to DevOps. In fact, every organization should already have these tools and processes implemented regardless of DevOps or not," says Andrew Storms, VP of security services at New Context.

Colin Campbell, director of patterns and practices at Chef, agrees. "The ISACA list consists of security practices that apply to every environment. On their own, it is hard to argue that these are in any way DevOps-specific, as the list doesn't address the central idea behind DevOps, namely an integrated workflow from development to production."

Build secure apps

One of the prevailing issues with network and application security is the fact that it's so often something that is implemented and enforced after the fact. Security professionals have lamented for years—decades even—that security would be better, easier, and cheaper if it were done right from the beginning.

"DevOps focuses on both people and tools. On the people side, you don't rely on documentation and after-the-fact processes. Security is embedded in the pipeline, and security experts work directly with the developers to ensure that security and compliance concerns are part of the product and not something that's enforced after the fact," stresses Campbell.

"The primary way to achieve this is through automation, including automated testing and compliance checking. Instead of multipage documents that people may or may not read, the requirements for compliance and security are embodied in the automated tests themselves," he says.

Where should you start?

As with any framework of guidelines and recommendations, few organizations will be in a position to implement them all at once. You have to review the 10 key controls, determine which are most important and which will require the most effort, and then prioritize them in a way that makes sense for your organization.

Brandon Philips, CTO of CoreOS, says, "It depends on the organization but I think it begins with people. So, creating a culture of best practices with developer security training and documenting procedures is a great place to start. Then you can move on to ensuring you understand your system with monitoring and logging."

It's a cultural thing...

Most DevOps professionals will agree that DevOps is much more about people and culture than it is about tools and technologies—and that may be an issue with how effective the ISACA DevOps controls can be.

Storms expressed some concern about the overall approach. "Despite ISACA's paper accepting DevOps and providing recommendations, much of the paper had an undertone of fear. The paper read as though due to new processes, tools, and practices, security will be faced with a new dilemma of how best to deal with change."

Echoing Campbell's comment about embedding security in the development pipeline, Storms says that he would have preferred it if ISACA had provided guidance on how to work with auditors of a DevOps organization or how companies can effect a culture shift to ensure that security requirements are part of the development process from day one.
