“DevOps is Agile on steroids — because Agile isn’t Agile enough.”
So says Jim Bird, the CTO for BiDS Trading, a trading platform for institutional investors. Jim continued, "DevOps teams can move really fast...maybe too fast? This is a significant challenge for operations and security. How do you identify and contain risks when decisions are being made quickly and often by self-managing delivery teams? CABs, annual pen tests, and periodic vulnerability assessment are quickly made irrelevant. How can you prove compliance when developers are pushing their own changes to production?"
Jim was presenting at the 2018 Nexus User Conference on Continuous Delivery. Pulling on his 20+ years of experience in development, operations, and security in highly regulated environments, Jim laid how and why Continuous Delivery reduces risk and how you can get some easy wins toward making it more secure.
As Jim points out, it reduces risk because:
To make Continuous Delivery secure without getting in the delivery team's way, Jim outlines a few key points:
With the case made, Jim provides 5 quick wins for securing continuous delivery:
Why? Because you are making changes often, it is easier to make mistakes. You need simple, fast checks that find them before the bad guys. This makes auditors happy because they can see that policies are being enforced.
How? Add tests/assets for common mistakes to the end of the automated build/deploy pipeline in test and production. This includes: default/missing credentials; SSL and HTTPS settings; known critical vulnerabilities; file and user permission, and, open ports.
Tools and frameworks available include:
Why? Teams are making decisions quickly, so you want them to be able to do this safely and to look for potential new risks upfront before coding starts. You get security/compliance stories into the backlog so that they can be planned for, and so you can find the right tools, libraries, and frameworks. It also makes the risks visible to the teams and management.
How? Check out Mozilla's Rapid Risk Assessment. It's a good example.
Why? These prove that vulnerabilities are being fixed correctly. They teach developers how to "step off of the happy path" in their testing, and it will catch/prevent regressions. Normal tests prove it works, not that it might not work, and developers need to write happy tests, sad tests, and bad tests.
How? As you find vulnerabilities, write a test first so you can prove it exists. Then, have developers fix it and then run the test again. They can use tools such as JUnit, NUnit, and Jasmine.
Why? Third-party code injects risk and security vulnerabilities and technical debt: known security vulnerabilities; abandoned and out-of-date code; and, license risks. It is relatively easy, there is some lifting at the front, but, once you do it, you have a nice control set going forward.
How? Get a tool to automatically catalog dependencies and check against vulnerability databases. Integrate it into the Continuous Delivery pipeline and fail builds on serious problems.
Why? Automated static analysis scanners can catch common coding mistakes and bad practices. This is the only way to cover large code bases, and it backstops code reviews because reviewers won't waste time on superficial and subtle coding problems. It fits naturally into workflows and results can be fed directly back to developers.
How? Focus on high-risks and high-fidelity rules. Accuracy and speed is more important than completeness in Continuous Integration/Continuous Delivery. Tools include:
While Jim's quick wins reduce risks and get the ball rolling, he emphasizes that, "deep, real change to culture and how people work takes a l-o-n-g time, patience, and reinforcement."
The free, online conference goes live on October 17th, offering 100 different practitioner-led sessions, each one 30-minutes long. With 5 separate tracks: CI/CD, Cloud-Native Infrastructure, DevSecOps, Cultural Transformations, and Site Reliability Engineering, and 100 speakers, there's sure to be something for everyone.
And speaking of everyone, if you're part of an organization with 20+ people that want to attend the conference (again, it's free!) then you should consider joining the Club 20 program so that you might get your company logo added to the ADDO site. Check out some of the Club 20 participants here and consider joining them.
Hope to see you online at the show!