
Getting Rugged DevOps Right

By: Derek E. Weeks on December 10, 2015 4 Comments

Two Perspectives


Jack, an accomplished application security pro, tells me, “The developers won’t talk to us.  It’s like we speak a different language.  They are releasing new builds so fast, how could they check each one for security vulnerabilities?  We can’t move as fast as they do.”

Then in the next moment, Diane, a DevOps pro, lets me know, “Our current security team’s tools and practices can’t keep up with the pace we have now established.  If it doesn’t fit, it doesn’t get done here.”


I have heard this little ditty ‘bout Jack & Diane so often in the past two years, it could be a hit record. I imagine you have heard it too.

The Slow Lane Won’t Lead to Rugged DevOps

Let’s visit Jack’s world, first.

When visiting a well-known bank last month, they shared insight on their current application security practice.  They have 10 full-time people employed (offshore, where personnel costs are lower) to analyze a set of 100 applications.  The bank has over 2000 applications, but the security practice can’t scale to assess their entire portfolio.  In 2.5 years, they had only been able to cover 5% of the application portfolio.

The application security team employs an application security tool originally built for waterfall-centric development timelines.  As much as they want it and need it to move faster, it is not really built for “continuous” velocity.

Each scan of an application can require anywhere from four hours to two days to get an assessment report.  The reports average about 30,000 potential defects which then require further analysis.  That analysis may take up to two weeks in order to sift through thousands of false-positives and false-negatives.  While this security practice is critical to the bank, it cannot keep pace with development practices that are aiming to go much faster in order for the bank to remain competitive in their industry.

The Continuous Gap

Sound familiar?  It should.  This scenario is playing out all across the DevOps and Continuous Delivery landscape.  It is reflective of what I call “The Continuous Gap”.

Leaders in Rugged DevOps practices aim to minimize the “Continuous Gap”.

In Diane’s world, DevOps teams pursue “shift left” strategies in an effort to build quality in from the beginning.  Shifting left enables them to bake in the right code, components, configurations, and practices from the beginning.  When done right, velocity increases dramatically, while operating costs are minimized, and unplanned/unscheduled work is reduced.  Investments can then shift more in favor of innovation over upkeep and maintenance.

The Old-School Rub

In Jack’s world, traditional application security practices often wait to check for security vulnerabilities until the testing or release stages of the SDLC.  There are two reasons for this: (1) some security tests, like static or dynamic analysis, can take hours or days to perform, and (2) security teams cannot embed themselves earlier in the SDLC (due to political, organizational, or operational obstacles) without dramatically slowing development in a high-velocity world.

If you are using old-school application security tools, you will continue to be blocked from getting more deeply entrenched in development.  New velocity requirements call for new approaches.

The New-School Shifts Left

A number of newer application security solutions and practices have been introduced recently that are development- and developer-centric.  For example, imagine if build managers could analyze every open source component used in every build for known security vulnerabilities.

What if developers could access information inside their IDE that would tell them whether a component they were planning to use in an application was known to be vulnerable?  What if developers had spell-check-like alerts for security issues as they were writing their code?

Furthermore, imagine if information was available that not only told the developer of a known security defect, but directed them to an alternative, safer version of that component to use.  Components would be automatically vetted against corporate security policies at the instant they were chosen by a developer.  When 90% of an application is composed of open source and third-party components today, automatic analysis early in the lifecycle saves millions of dollars.  This is how Rugged DevOps rolls.  This is Diane’s world.
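To make the build-time component vetting described above concrete, here is a small added example (my illustration, not code from the original post or from any vendor’s product). The advisory feed, version catalogue, corporate policy and build manifest are all constructed sample data; the component names are placeholders, not real packages.

```python
# Added example, not from the original post or any vendor tool: a minimal build-time
# component check. Advisories, catalogue, policy and manifest below are constructed.

# Constructed advisory feed: component -> [(vulnerable version, severity)].
ADVISORIES = {
    "acme-json": [("1.4.0", "critical"), ("1.4.1", "high")],
    "acme-http": [("2.0.3", "moderate")],
    "acme-crypto": [("0.9.0", "high")],
}

# Constructed catalogue of versions a developer could swap to.
AVAILABLE = {
    "acme-json": ["1.4.0", "1.4.1", "1.4.2", "1.5.0"],
    "acme-http": ["2.0.3", "2.0.4"],
    "acme-crypto": ["0.9.0"],
}

# Constructed corporate policy: advisories of these severities fail the build.
POLICY_BLOCK = {"critical", "high"}

def version_key(version):
    """Turn '1.4.2' into (1, 4, 2) so versions sort numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def blocking_issues(name, version):
    """Severities on record for this exact version that the policy forbids."""
    return {sev for ver, sev in ADVISORIES.get(name, []) if ver == version} & POLICY_BLOCK

def safer_alternative(name, version):
    """Lowest newer version of the same component with no blocking advisory, or None."""
    for candidate in sorted(AVAILABLE.get(name, []), key=version_key):
        if version_key(candidate) > version_key(version) and not blocking_issues(name, candidate):
            return candidate
    return None

def vet_build(manifest):
    """Vet every (name, version) in a build; return {name: (status, suggested_version)}."""
    report = {}
    for name, version in manifest:
        if blocking_issues(name, version):
            report[name] = ("blocked", safer_alternative(name, version))  # guided remediation
        else:
            report[name] = ("ok", None)
    return report

# Constructed manifest: one vulnerable pick with a fix available, one clean pick,
# and one vulnerable pick with no safer release yet (the case a human must decide).
SAMPLE_MANIFEST = [("acme-json", "1.4.0"), ("acme-http", "2.0.3"), ("acme-crypto", "0.9.0")]

if __name__ == "__main__":
    for name, (status, fix) in vet_build(SAMPLE_MANIFEST).items():
        print(f"{name}: {status}" + (f" -> use {fix}" if fix else ""))
```

The check runs in seconds per build because it is a lookup against a feed rather than a scan of the code, which is what lets it sit inside the developer’s loop instead of at the release gate.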

The evolution of Rugged DevOps is forcing application security practices to shift left.

But Diane’s world (and yours, for that matter) is not just about increasing velocity.  All organizations need to consider the operational costs of both detecting and remediating security vulnerabilities in their applications.  We all realize that the further along we are in the application development lifecycle, the more costly fixes become.  Feel free to apply your own cost figures to the chart below, but you should also note that these calculations do not include breach cost, help desk calls, maintenance, time-to-market, reputation or stock price.

Figure: Cost considerations for Rugged DevOps practices compared to waterfall approaches.

Rugged DevOps: Shifting Gears…Quickly

Shifting from old-school to new-school approaches doesn’t take long.  On a recent visit to one of the largest insurance companies in North America, they shared their tale of transition.  Of the five major applications that run their business, one in particular had 40,000 different files that needed to be analyzed.  Their old-school approach involved a lot of manual code investigation and required about two-and-a-half weeks to complete the analysis of that large application.  The new approach, which used automated analysis of security vulnerabilities, took two minutes — and produced identical results.

A government tax office wanting to shift security analysis of applications from hours (outside of development – Jack’s world) to seconds (inside of development – Diane’s world) was able to complete the first pass analysis of their existing portfolio of 600 applications within two working days.  The security team was not only faster at identifying known security vulnerabilities in applications, but could also quickly identify alternative open source and third-party software components that were safer to use.  The security team was not simply discovering issues, but the new class of Rugged DevOps solutions were aiding in guided remediation.

Questions to Ask About That Rugged DevOps Solution

There are several companies and open source projects that now offer application security solutions that work at extremely high velocity.  When exploring solutions to match the velocity of your Rugged DevOps practices, consider asking the following questions:

  1. How long does it take to complete the analysis of a small, medium, and large application?
  2. Do developers use these tools, or are they only meant for security personnel?  Do you have members of development teams that act as positive references for your tool?
  3. Does the analysis require further investigation of the findings, or does it pinpoint the root cause of the issue?
  4. Does the solution only identify vulnerabilities or does it help guide remediation of issues?
  5. What is the balance of false positives to positive alerts generated by the solution?
  6. How many people are employed to support the solution in environments similar to ours?
