
DevSecOps: Security Needn’t be Sacrificed for Speed

By: Stephen Withers on November 20, 2017

With the right practices, security needn’t be an impediment to continuous development and rapid improvement.


The same cycle keeps repeating, according to IT security and risk management consultancy Sense of Security co-founder and CTO Murray Goldschmidt. A new technology is hyped, leading to rapid adoption, but security is left as an afterthought. It happened with WiFi and voice over IP (VoIP), he says, and is currently happening with the internet of things (IoT). But it doesn’t have to be that way.


DevSecOps: DevOps + Security

DevOps is good for making things better, faster. But there tends to be a culture clash between those talking about speed, velocity or agility and those concerned with issues such as control points.

So Goldschmidt and his colleagues are showing their clients how security can be integrated into DevOps (DevSecOps) in an automated manner without affecting velocity.

Most people with development, operations or cloud backgrounds aren’t well-versed in security, he suggests, so Sense of Security shows clients how DevSecOps means security and DevOps can run in parallel.

“It’s not that complicated,” he says, but it’s something most people don’t think about.

Organizations often have a vulnerability management life cycle to identify and treat issues. After all, that’s part of various industry standards.

The typical approach is an annual penetration test to find issues, which can then be addressed.

A better way is to move to automated testing, and there are various commercial and open-source products to do that job. Goldschmidt says he sees little resistance to this idea.

The next step is to go from scheduling these vulnerability scans on a quarterly basis to weekly or daily—or even to run them continuously.

Citing the Struts vulnerability that caused a big problem for Equifax, he notes the challenge is to identify vulnerabilities in your systems before an attacker does. Continuous automated scanning means the window of vulnerability is very narrow.

This idea is simple enough, he says, but for some reason it doesn’t occur to most people until someone brings it to their attention.

When a scan reveals a vulnerability, its significance (severe, medium, etc.) is used to prioritize remediation.

“DevOps guys understand those triggers,” he observes: If you give them the data, they can take the necessary actions. For example, that might mean shutting down the servers in a small web farm one at a time, applying the patch, restarting and moving on to the next. They could all be patched and running by the end of the day.

Patching Isn’t Everything

However, “it is unfair to assume organizations can patch things quickly” every time, he says. For example, the Struts vulnerability required more than just a patch—the code running on it had to be recompiled and tested, and that process could take months in a large organization.

So organizations should not rely on the idea that patching is the fix for a vulnerability. While patches will be applied eventually, if you can make it difficult to actually take advantage of any exploits, the risk of data breaches is very low.

One very easy-to-implement example of these measures is using a stateful firewall to ensure inbound-only access to web servers. By disallowing outbound access, “the channel through which data is lost,” there is no path for data to leave.
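To make the inbound-only idea concrete, here is a small model of connection-tracking filtering, added as an illustration for this article; it is not code from Sense of Security or from any firewall product. The web server address, the client address and the external host are constructed sample values, and the `allow_outbound_new` flag stands in for the weak policy (server may open any outbound connection) versus the hardened one (only replies to tracked inbound connections may leave).

```python
"""Model of a stateful firewall in front of a web server.

Added example, not from the article. Addresses and flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

WEB_SERVER = "10.0.1.10"        # assumed address of the protected web server
CLIENT = "198.51.100.23"        # constructed external client
EXTERNAL_HOST = "203.0.113.7"   # constructed host the server has no business contacting


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first packet of a new TCP connection


Endpoint = Tuple[str, int]


class StatefulFirewall:
    """Accepts new inbound connections only to the published ports of the
    protected host; every other packet must belong to a tracked connection."""

    def __init__(self, protected_host: str, inbound_ports: Set[int],
                 allow_outbound_new: bool) -> None:
        self.protected_host = protected_host
        self.inbound_ports = inbound_ports
        self.allow_outbound_new = allow_outbound_new   # True == the weak setting
        self.conntrack: Set[Tuple[Endpoint, Endpoint]] = set()

    def filter(self, p: Packet) -> str:
        fwd = ((p.src, p.sport), (p.dst, p.dport))
        rev = ((p.dst, p.dport), (p.src, p.sport))
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"   # established connection, either direction
        if not p.syn:
            return "DROP"     # mid-stream packet with no tracked connection
        if p.dst == self.protected_host and p.dport in self.inbound_ports:
            self.conntrack.add(fwd)
            return "ACCEPT"   # new inbound connection to a published service
        if p.src == self.protected_host and self.allow_outbound_new:
            self.conntrack.add(fwd)
            return "ACCEPT"   # weak policy: the server may start outbound connections
        return "DROP"         # hardened policy: no outbound path for data


def simulate(allow_outbound_new: bool) -> List[str]:
    """Run the same constructed traffic through the weak and hardened policies."""
    fw = StatefulFirewall(WEB_SERVER, {443}, allow_outbound_new)
    flows = [
        Packet(CLIENT, 51000, WEB_SERVER, 443, syn=True),        # client opens HTTPS
        Packet(WEB_SERVER, 443, CLIENT, 51000, syn=False),       # server replies
        Packet(WEB_SERVER, 40000, EXTERNAL_HOST, 443, syn=True),  # server-initiated outbound
        Packet(EXTERNAL_HOST, 443, WEB_SERVER, 40000, syn=False), # reply to that outbound
    ]
    return [fw.filter(p) for p in flows]


if __name__ == "__main__":
    print("weak policy:    ", simulate(True))
    print("hardened policy:", simulate(False))
```

Under the hardened policy the third packet is dropped and, because no connection was ever tracked, so is the fourth; the client's legitimate request and its reply still pass. In nftables the same shape is a default-drop output chain whose only accept rule is `ct state established,related accept`.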

Goldschmidt also recommends using tools to examine in-house code and the open-source and commercial code that is used with it. Such tools can detect most common problems, including openings for SQL injection, cross-site scripting and token misuse.

He describes these tools as being the equivalent of “spellcheck for developers,” and says they reduce the likelihood of putting insecure code into production.

The market includes products from Veracode (now part of CA), Sonatype and Qualys.

Qualys, he notes, provides differential reporting. This makes it obvious that something has changed, and “that is the key to automation.” Whether the system itself has changed or new information has been discovered about vulnerabilities or configuration issues, action is required.
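Differential reporting and severity-based prioritization (the earlier point about giving the DevOps team the data they need to act) combine naturally. The example below is added here and is not Qualys code or output: it compares two scan exports, reports what is new, what was resolved and what was re-rated, and turns the actionable part into a queue ordered by severity. The export format (a list of records with host, check id, severity and title) and the sample findings are constructed; the Struts entry is a made-up record, not a real scanner identifier.

```python
"""Differential vulnerability reporting plus a severity-ordered remediation queue.
Added example; the record format and sample data are constructed."""
from typing import Dict, List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

Finding = Dict[str, str]   # keys: host, qid (check id), severity, title
Key = Tuple[str, str]      # (host, qid) identifies one finding across scans


def _key(f: Finding) -> Key:
    return (f["host"], f["qid"])


def diff_scans(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Return findings that are new, resolved, or re-rated since the previous scan.

    A re-rated finding is one that exists in both scans with a different
    severity, e.g. after the scanner learned of a public exploit."""
    before = {_key(f): f for f in previous}
    after = {_key(f): f for f in current}
    new = [after[k] for k in sorted(after.keys() - before.keys())]
    resolved = [before[k] for k in sorted(before.keys() - after.keys())]
    rerated = [after[k] for k in sorted(after.keys() & before.keys())
               if after[k]["severity"] != before[k]["severity"]]
    return {"new": new, "resolved": resolved, "rerated": rerated}


def remediation_queue(delta: Dict[str, List[Finding]]) -> List[Finding]:
    """What the operations team acts on: new and re-rated findings, most severe first.
    Unchanged findings are deliberately absent, so an empty queue means nothing changed."""
    actionable = delta["new"] + delta["rerated"]
    return sorted(actionable, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


# Constructed sample exports from two consecutive daily scans
SAMPLE_PREVIOUS: List[Finding] = [
    {"host": "web-01", "qid": "11", "severity": "medium", "title": "Weak TLS cipher suites"},
    {"host": "web-02", "qid": "11", "severity": "medium", "title": "Weak TLS cipher suites"},
    {"host": "web-01", "qid": "42", "severity": "low", "title": "Verbose server banner"},
]
SAMPLE_CURRENT: List[Finding] = [
    {"host": "web-01", "qid": "11", "severity": "medium", "title": "Weak TLS cipher suites"},
    {"host": "web-01", "qid": "42", "severity": "high", "title": "Verbose server banner"},
    {"host": "web-01", "qid": "77", "severity": "critical",
     "title": "Struts framework: vulnerable version detected (constructed record)"},
]

if __name__ == "__main__":
    delta = diff_scans(SAMPLE_PREVIOUS, SAMPLE_CURRENT)
    for bucket, items in delta.items():
        print(bucket, [(f["host"], f["qid"], f["severity"]) for f in items])
    print("queue", [(f["qid"], f["severity"]) for f in remediation_queue(delta)])
```

Running the sample reports one new critical finding, one resolved finding on web-02 and one re-rating from low to high; the queue lists the critical item first. The unchanged web-01/11 finding produces no output at all, which is the property that lets a pipeline treat "anything in the queue" as the trigger for action.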

Furthermore, the ease of making configuration changes that could have security implications makes continuous scanning even more important.

These checks should not be limited to individual modules. Rather, they should be repeated—preferably automatically—as modules are assembled to help developers avoid poor code and to check the overall product.

RASP Away Some Attacks

Runtime application self-protection (RASP) is another technology Goldschmidt advocates. The idea is to detect abnormal and possibly malicious activity. One example is that normal operation would see an application communicating with its application server, and the application server communicating with the database. If the application suddenly makes a direct request to the database—as happens in an SQL injection attack—action is clearly required.

Depending on the situation, RASP might raise an alert or immediately terminate the application, among other possibilities.
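The behaviour described in the last two paragraphs, a query arriving by an unexpected path and a response of either alerting or stopping it, can be sketched in a few lines. This is an added illustration, not code from a RASP product or from Sense of Security: a guard wraps the database's execute function, checks which function issued the query, and in `alert` mode records the anomaly while in `block` mode refuses it. The allowed caller name, the in-memory `fake_execute` and the two calling functions are constructed; a real RASP agent instruments the runtime itself rather than relying on a wrapper the application chooses to call.

```python
"""A RASP-style guard around database access. Added example, constructed names."""
import sys
from typing import Any, Callable, List, Set, Tuple


class DirectDatabaseAccess(Exception):
    """Raised in block mode when a query bypasses the approved data-access layer."""


class QueryGuard:
    """Only functions named in `allowed_callers` may issue queries.

    mode="alert": record the anomaly and let the query through.
    mode="block": record it and refuse the query."""

    def __init__(self, execute: Callable[[str, Tuple[Any, ...]], Any],
                 allowed_callers: Set[str], mode: str = "alert") -> None:
        if mode not in ("alert", "block"):
            raise ValueError("mode must be 'alert' or 'block'")
        self._execute = execute
        self._allowed = allowed_callers
        self.mode = mode
        self.alerts: List[str] = []

    def execute(self, sql: str, params: Tuple[Any, ...] = ()) -> Any:
        caller = sys._getframe(1).f_code.co_name   # function that called us
        if caller not in self._allowed:
            msg = f"query from {caller!r} outside the data-access layer: {sql[:60]}"
            self.alerts.append(msg)
            if self.mode == "block":
                raise DirectDatabaseAccess(msg)
        return self._execute(sql, params)


def fake_execute(sql: str, params: Tuple[Any, ...]) -> List[Tuple[str, Any]]:
    """Stand-in for a real driver: echoes the parameters it would have bound."""
    return [("orders", params)]


def fetch_order(guard: QueryGuard, order_id: int) -> Any:
    """The approved data-access layer: parameterized and on the allowlist."""
    return guard.execute("SELECT id, total FROM orders WHERE id = ?", (order_id,))


def report_totals(guard: QueryGuard) -> Any:
    """A component that talks to the database directly, bypassing the layer above."""
    return guard.execute("SELECT SUM(total) FROM orders", ())


if __name__ == "__main__":
    g = QueryGuard(fake_execute, {"fetch_order"}, mode="alert")
    print(fetch_order(g, 7))
    print(report_totals(g), g.alerts)
    g_block = QueryGuard(fake_execute, {"fetch_order"}, mode="block")
    try:
        report_totals(g_block)
    except DirectDatabaseAccess as exc:
        print("blocked:", exc)
```

Alert mode is the sensible starting point, since a legitimate but unlisted component (here `report_totals`) shows up in `alerts` without breaking anything; once the allowlist is trusted, switching to block mode turns the same check into enforcement.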

The use of these and other technologies and techniques should allow organizations to run at the pace implied by DevOps without sacrificing security.

— Stephen Withers
