DevOps has had its time in the sun. DevSecOps is for practitioners adopting "security as code." Now get ready for Rugged DevOps, which heightens the emphasis on designing for security. Given the sharp rise of cyber risks, Rugged DevOps couldn't be timelier.
Rugged DevOps arose with the rugged software movement, whose stated goal is to raise the development community's awareness about security. Their manifesto states in part:
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security.
I recognize these things - and I choose to be rugged.
Rugged DevOps' Increasing Emphasis on Security Is Essential
Rugged DevOps puts security front and center in code development - a welcome change from past development processes, where security auditing, monitoring, and implementation were done outside of the development effort, or worse, at the end of it. With Rugged DevOps, security experts and DevOps teams work hand-in-hand to develop great code that will withstand constant attacks.
In Seven Habits of Rugged DevOps, a YouTube video from White Hat Security, the authors explain how to make Rugged DevOps a reality. Their recommendations follow:
1. Increase Trust and Transparency Between Development, Security, and Operations
2. Understand the Probability and Impact of Specific Risks
3. Discard Detailed Security Road Maps in Favor of Incremental Improvements
4. Use the Continuous Delivery Pipeline to Incrementally Improve Security Practices
5. Standardize Third-Party Software and Then Keep Current
6. Govern with Automated Audit Trails
7. Test Preparedness with Security Games
Let's explore these one at a time.
Habit #1 -- Increase Trust and Transparency Between Development, Security, and Operations
If you've done any software development, you may have experienced friction between the development, operations, and SecOps teams. SecOps and operations have seen their functions siloed and have often entered into projects late in the game, causing rework of code. This has happened because developers have adopted practices that don't meet all of their enterprises' current security needs.
Rugged DevOps tries to reduce the intra-team friction by bringing SecOps into the process early and often. Involving the security team from the beginning means that they can offer guidance and governance early in the development process where it is much less expensive to implement.
Habit #2 -- Understand the Probability and Impact of Specific Risks
Security is complicated. As a result, developers often rely heavily on manufacturers' best practices and preformulated security measures without understanding fully why they need to do so. This can lead to security holes in code that is developed.
The SecOps team can educate the DevOps team about the latest practices, why key changes will result in stronger code, and share real-life examples to illustrate the "why" behind the "how."
Habit #3 - Discard Detailed Security Road Maps in Favor of Incremental Improvements
Risks are constantly changing, hackers change tactics, and vulnerabilities come and go. Meanwhile, development teams are releasing software into production at ever faster intervals.
By including SecOps into software delivery and development process, this team can use an agile approach to securing assets as they are released. They can incrementally plan, implement, test, and deploy. Just like developers, they can experiment and make mistakes, knowing that they'll have time to analyze, study, tweak, and adjust before large software releases are launched.
Habit #4 - Use the Continuous Delivery Pipeline to Incrementally Improve Security Practices
There are many automated security testing tools in the market. Why not include some of them in the DevOps toolkit? Fuzz testing, pen testing, vulnerability assessments, static application security testing, and software composition analysis are all examples of security and vulnerability testing that can be at least partially automated.
Habit #5 - Standardize Third-Party Software and Then Keep Current
There is some frightening research on how common and widespread vulnerabilities are in open source components. I cannot share the numbers here as they are not public domain. However, they are real and eye-opening.
You haven't seen a fire drill until you've seen a development team hear from SecOps that the third-party open source component they've built their entire business tier on is not allowed in production. Obviously, learning this early in the development process would be far more ideal.
Habit #6 - Govern with Automated Audit Trails
Auditing and logging is not just for users anymore. Knowing what settings developers have changed is critical. As companies move more development to the cloud, inadvertently changing an infrastructure setting can create an attack vector in development or QA environments.
Involving SecOps early in the planning process allows the team to understand the implications of these changes. Creating an audit trail can help identify and remediate issues before they become risks that have to be mitigated. That's true not just for security, but also for development.
Habit #7 - Test Preparedness with Security Games
War-gaming has now hit DevOps. Companies are splitting their team into attackers and defenders sparring on opposite sides of available code. Attackers try to hack applications in production, while defenders can only use current code to stop them. While this sounds radical, it can be a creative way to quickly detect problems, whether current technologies can respond and adjust, and if remediated vulnerabilities have made their way back into the solution.
Another bonus is that these war games educate developers on what vulnerabilities exist and give them insight into how attackers will try and exploit them.
Moving Forward with Rugged DevOps
So that's a quick treatise on Rugged DevOps. It may take time to evolve your DevOps processes to include security upfront, but it can save your company significant time and cost - not to mention protecting your code from the relentless cyber attacks it will face when released.
Since cyber security is a priority of the C-Suite, and information breaches are costly and painful to address, consider adopting Rugged DevOps this year. Your company, business heads, and customers will be glad you did.
Want to learn more about Rugged DevOps? Contact us to learn how you can put it to work in your business.