All hands in

DevSecCon: The state of secure DevOps

With containerization, microservices, and a new software framework popping up seemingly every few months, software is moving fast—so fast that adding security to agile development processes is difficult, because the technologies change faster than security practices can adapt to them.

At the inaugural DevSecCon Boston, a group of nearly 200 developers, application-security professionals, and software-security vendors gathered to discuss how to add workable security to existing DevOps development cycles. Attendees listened to experts in the industry talk about how companies could learn from other industries, data on where coding flaws typically appeared, and how security teams and developers can be allies and not enemies.

One running theme throughout most presentations was keeping up with the fast pace of change. "From a security point of view, it's really hard to keep up with all the new technologies," said Francois Raynaud, the founder and managing director of the meetup DevSecCon. "Developers are really keen on new technologies, so they will say, 'Ooh, Kubernetes,' and take it and insert it into their development without thinking about security."

With a backdrop of the massive Equifax breach, where an unpatched open-source coding vulnerability resulted in attackers stealing extremely sensitive data on more than 143 million people, presenters sought to teach developers and security teams how to better work together.

While security professionals may not make good coders, DevOps developers can be made to understand security and incorporate it into their process, Raynaud said.

Here are four of the major themes from the conference, representing a snapshot of the state of secure DevOps.


1. Translating security to DevOps

A main theme of the conference was that security should be integrated into DevOps, not added onto it. Jeff Williams, co-founder and chief technology officer at Contrast Security, said security should be treated like the production and quality improvements at Japanese carmakers, which formed some of the background for The Phoenix Project, an allegorical work of fiction that launched many agile concepts into the mainstream.

"When you say 'DevSecOps,' it sounds like you are shoving security into the middle of the DevOps process, and you are not. What you are really doing is turning security work into a form that you can feed into a machine—a DevOps factory—and have it execute."
Jeff Williams

He pulled other concepts from The Phoenix Project, such as incorporating tight security feedback loops into development to alert developers and educate them about the flaws in their software. Finally, developers should be encouraged to experiment and learn about security, he said.

"Vulnerabilities are often super negative and are hidden away, but you need to celebrate your vulnerabilities and encourage people to find them," Williams said. "If you do that, you can learn from them and not make that mistake again."

2. Pay attention to your components

Developers and application security professionals need to focus on their components. One out of every 18 components downloaded from popular central repositories has a known vulnerability at the time of download, warned Derek Weeks, vice president and DevOps advocate for the software supply chain management firm Sonatype.

Like Williams, Weeks focused on how the software industry can make the jump from ad hoc development to more assembly-line manufacturing while achieving a commensurate improvement in code quality. With the number of open-source components used by developers skyrocketing—52 billion requests from the central repository in the past year, up from 13 billion only four years ago—developers need to pay more attention to their software components, he said.

"Developers are gorging on open-source components. The vast majority of software that is being developed right now is being built with open-source components," Weeks said. But you need the best software, he added.

"When companies take the time to understand what components they have in their application, their vulnerability falls dramatically."
Derek Weeks
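Knowing which components are in an application, and whether any of them were already known to be vulnerable when they were pulled in, is the concrete step behind Weeks's point. The following is an added example (not code from the conference or from Sonatype) of the minimal check: parse a pinned dependency manifest and compare each version against an advisory list. The package names, versions, and advisory identifiers are constructed for the example; a real check would read a real lock file and a real advisory feed.

```python
"""Added example: flag pinned components whose version falls in a known-vulnerable range.

The manifest and advisory list below are constructed for this example; they are
not real packages, real versions, or real advisories.
"""
import re

# Constructed manifest in requirements.txt style (hypothetical package names).
MANIFEST = """\
webframework==2.3.1
jsonparser==1.0.4
imagelib==4.7.0
"""

# Constructed advisory feed: affected range is [introduced, fixed); fixed=None means no fix yet.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "jsonparser", "introduced": "1.0.0", "fixed": "1.0.5"},
    {"id": "EXAMPLE-ADV-002", "package": "webframework", "introduced": "2.0.0", "fixed": "2.3.0"},
    {"id": "EXAMPLE-ADV-003", "package": "imagelib", "introduced": "4.7.0", "fixed": None},
]


def parse_version(version):
    """Turn a dotted numeric version into a tuple so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def parse_manifest(text):
    """Return {package_name: pinned_version} from exact-pin lines; blank and comment lines are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not match:
            raise ValueError(f"unsupported requirement line: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def is_affected(version, advisory):
    """True when version lies in [introduced, fixed), or at/after introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(deps, advisories):
    """Return sorted (package, pinned_version, advisory_id) for every matching advisory."""
    findings = []
    for advisory in advisories:
        pinned = deps.get(advisory["package"].lower())
        if pinned is not None and is_affected(pinned, advisory):
            findings.append((advisory["package"], pinned, advisory["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for package, version, advisory_id in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{package}=={version} is affected by {advisory_id}")
```

Run against the constructed manifest, the check reports `jsonparser` (pinned below the fixed version) and `imagelib` (affected with no fix available), and clears `webframework` because 2.3.1 is at or past the fix. The same logic, fed by a real lock file and advisory source in a CI step, is what turns "understand what components you have" from advice into a gate.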

3. Security needs to understand the business

Application-security professionals also have to learn not to be blockers. Rather than look for ways that developers are undermining the security of the company, app sec professionals should understand why a business is creating a specific application and find ways to support that development in a secure way, said Caroline Wong, vice president of security strategy for Cobalt.

When security professionals work with developers, they can create "super tribes" that mutually support and trust one another and get things done, Wong said. By being curious about development and listening to the concerns of developers, the security team will become more trusted and considered an ally.

"When a security person looks at a DevOps software development process, one reaction is to be very concerned, because—sh**—where can I put my gates? Where's my review and approval process? And that is a very different approach than a curious approach and a listening approach."
Caroline Wong

4. Attack your code

Both developers and security experts can learn more about application security by creating bad code and attacking it, said Keith Hoodlet, trust and security engineer for crowdsourced vulnerability research firm BugCrowd.

In a presentation at DevSecCon, Hoodlet called for developers and security experts to take application components and build them in a way that makes them vulnerable and then attack them. By building, attacking, and then rewriting the code, developers can learn more about how to create secure code and avoid vulnerabilities, he said.

"Attack-driven development is great as a tool for learning web application security. Ultimately you need to be able to build a vulnerable web application to understand how it is open to attack."
Keith Hoodlet
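Hoodlet's build-attack-rewrite loop is easiest to see on a single function. The following is an added example (not code from the talk or from Bugcrowd) that walks the three steps: a lookup written to be vulnerable by splicing user input into SQL text, a test that shows what an untrusted input does to it, and the rewritten version with a bound parameter run against the same test. The table, rows and probe input are constructed in memory for the example.

```python
"""Added example: attack-driven development on one database lookup.

Step 1 builds the flawed version, step 2 is the test that exposes it, step 3 is
the rewrite checked by the same test. The database contents are constructed.
"""
import sqlite3


def make_db():
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Step 1: the version built to be broken; the input becomes part of the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    """Step 3: the rewrite; the input travels as a bound value and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Step 2: a username that no row has. A correct lookup returns nothing for it.
PROBE = "nobody' OR '1'='1"


def leaks_other_rows(lookup):
    """True when looking up a non-existent user returns somebody else's row."""
    conn = make_db()
    try:
        return len(lookup(conn, PROBE)) > 0
    finally:
        conn.close()


def lookup_works(lookup):
    """The rewrite must still find a real user; otherwise the fix just broke the feature."""
    conn = make_db()
    try:
        return lookup(conn, "alice") == [("alice", "alice@example.test")]
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable version leaks rows:", leaks_other_rows(find_user_vulnerable))
    print("fixed version leaks rows:", leaks_other_rows(find_user_fixed))
    print("fixed version still finds alice:", lookup_works(find_user_fixed))
```

The point of the exercise is the pair of tests, not the probe string: `leaks_other_rows` fails against the first version and passes against the rewrite, and `lookup_works` guards against "fixing" the flaw by breaking the feature. Keeping both tests in the suite is what makes the lesson stick for the next developer who touches the function.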

Coping with failure

With the massive breach of Equifax highlighting the problems with development and security, DevOps could be a better way to spur developers to think about security, but only if application security specialists can learn to work within the DevOps model and support the business.

Raynaud hopes that the focus on bringing security and DevOps together can help change that.

"Security, as an industry, we have failed. A lot of people have made companies that make a lot of money, but we can't even get basic patching right, as Equifax shows."
Francois Raynaud
