Why Devops? For Better Security

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    Comments posted to this topic are about the item Why Devops? For Better Security

  • Gary Varga

    SSC Guru

    Points: 82166

    As much as anything else, in my opinion, DevOps allows for discovered security issues to be resolved in a more rapid manner. It doesn't encourage it. It certainly doesn't improve it. It just makes it easier to happen.

    A team poor at security applying DevOps practices is no better at security than a team poor at security not applying DevOps practices. It is just that a team applying DevOps practices has the opportunity to resolve issues in a continuous and more timely manner, i.e. they can expose any change quicker.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • David.Poole

    SSC Guru

    Points: 75199

    For me the whole DevOps piece is a godsend when done correctly.

    We can completely rebuild any part of our infrastructure from scratch for any environment and know that each environment differs only in the actual data contained in those environments.  As automated testing surrounds everything we do we can evaluate any change in the system.  Where vulnerabilities are discovered we can devise tests to exploit that vulnerability, devise a solution and rebuild.  If all tests pass we know that what we have released will work at least as it did before and with whatever enhancement has been made.
    If we discover gaps in our testing then we can plug those gaps.

    The important thing is that we have the capability to evolve fast as the need is required.  This ability completely changes the mindset of all involved.  It is also an important counter to negative behaviours such as blame-storming.  By the time a blame-stormer has built up a head of steam their object of ire has long since ceased to exist.

  • hjp

    Default port

    Points: 1434

    Gary Varga - Thursday, February 9, 2017 1:06 AM

    As much as anything else, in my opinion, DevOps allows for discovered security issues to be resolved in a more rapid manner. It doesn't encourage it. It certainly doesn't improve it. It just makes it easier to happen.

    A team poor at security applying DevOps practices is no better at security than a team poor at security not applying DevOps practices. It is just that a team applying DevOps practices has the opportunity to resolve issues in a continuous and more timely manner, i.e. they can expose any change quicker.

    True. I wanted to write a short and positive comment on the post, because I really buy what it says. But this point rules them all: There is a difference between a tool enabling me to do right, and a tool making me do right.

  • chrisn-585491

    SSCoach

    Points: 15866

    DevOps must be a nice environment to work in, but not every shop can support all aspects of it.
    Imagine supporting applications that are being used by thousands of customers in their environments in an uber-conservative industry. Any change short of extreme emergency must go through multiple approvals...  :crying:

  • Eric M Russell

    SSC Guru

    Points: 125032

    chrisn-585491 - Thursday, February 9, 2017 6:10 AM

    DevOps must be a nice environment to work in, but not every shop can support all aspects of it.
    Imagine supporting applications that are being used by thousands of customers in their environments in an uber-conservative industry. Any change short of extreme emergency must go through multiple approvals...  :crying:

    I've worked in an environment similar to yours. In that case it was healthcare. Once a deployment was approved by executive management at the CAB meeting, we had a two business day "cooling off" period before it could be deployed. I called it a cooling off period just for kicks, because by the time it reaches the CAB meeting it's already passed QA and gotten approval, so it was not clear to me what the purpose was for delaying simple low-risk deployments that did not require downtime or system interruption, unless someone simply changed their mind in the interim. So, I got bored with that job for a number of reasons, and have since moved on to another organization within the retail industry that has more of a DevOps model.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • roger.plowman

    SSChampion

    Points: 10173

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

  • Gary Varga

    SSC Guru

    Points: 82166

    roger.plowman - Thursday, February 9, 2017 6:49 AM

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

    Not sure I agree. That is a bit like blaming speeding on the accelerator pedal.

    Yes DevOps enables a more rapid release but speed of the overall DevOps process is down to the practitioners. DevOps is about a fluid continuous improvement. Not necessarily speed nor feature increase. It is more about feature improvement. It also allows for more rapid feature removal too.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • roger.plowman

    SSChampion

    Points: 10173

    Gary Varga - Thursday, February 9, 2017 8:03 AM

    roger.plowman - Thursday, February 9, 2017 6:49 AM

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

    Not sure I agree. That is a bit like blaming speeding on the accelerator pedal.

    Yes DevOps enables a more rapid release but speed of the overall DevOps process is down to the practitioners. DevOps is about a fluid continuous improvement. Not necessarily speed nor feature increase. It is more about feature improvement. It also allows for more rapid feature removal too.

    That may be the theory, but the practice (encouraged aggressively by management, no doubt) is SPEED, everything else be damned. They consider "improvement" to be "more features delivered yesterday". :crazy:

    Then you mix in the fact developers love to write code, hate documentation, and hate QA work with a passion, and, well... Yeah.

    Which is one reason we're seeing Swiss Cheese security in almost every application that has any traction. IoT is another looming pit of malware stew brewing...and it's all because of the relentless increase of release cadence.

    What's that line about not releasing a wine before it's time? 😀

  • Gary Varga

    SSC Guru

    Points: 82166

    roger.plowman - Thursday, February 9, 2017 8:15 AM

    Gary Varga - Thursday, February 9, 2017 8:03 AM

    roger.plowman - Thursday, February 9, 2017 6:49 AM

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

    Not sure I agree. That is a bit like blaming speeding on the accelerator pedal.

    Yes DevOps enables a more rapid release but speed of the overall DevOps process is down to the practitioners. DevOps is about a fluid continuous improvement. Not necessarily speed nor feature increase. It is more about feature improvement. It also allows for more rapid feature removal too.

    That may be the theory, but the practice (encouraged aggressively by management, no doubt) is SPEED, everything else be damned. They consider "improvement" to be "more features delivered yesterday". :crazy:

    Then you mix in the fact developers love to write code, hate documentation, and hate QA work with a passion, and, well... Yeah.

    Which is one reason we're seeing Swiss Cheese security in almost every application that has any traction. IoT is another looming pit of malware stew brewing...and it's all because of the relentless increase of release cadence.

    What's that line about not releasing a wine before it's time? 😀

    That's why you need professionals to do the work. I refuse to rush things at an inappropriate speed. However, I can understand business pressures, and DevOps helps me get the small changes with significant business impact released safely, securely and as soon as (is reasonably) possible.

    It takes maturity, not only of process, but also of professionals.

    Loving the whole clichéd DBA blaming management and the developers. A pity people like Jeff Moden have taken the easy route and mentored theirs 😉

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • roger.plowman

    SSChampion

    Points: 10173

    Gary Varga - Thursday, February 9, 2017 8:31 AM

    roger.plowman - Thursday, February 9, 2017 8:15 AM

    Gary Varga - Thursday, February 9, 2017 8:03 AM

    roger.plowman - Thursday, February 9, 2017 6:49 AM

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

    Not sure I agree. That is a bit like blaming speeding on the accelerator pedal.

    Yes DevOps enables a more rapid release but speed of the overall DevOps process is down to the practitioners. DevOps is about a fluid continuous improvement. Not necessarily speed nor feature increase. It is more about feature improvement. It also allows for more rapid feature removal too.

    That may be the theory, but the practice (encouraged aggressively by management, no doubt) is SPEED, everything else be damned. They consider "improvement" to be "more features delivered yesterday". :crazy:

    Then you mix in the fact developers love to write code, hate documentation, and hate QA work with a passion, and, well... Yeah.

    Which is one reason we're seeing Swiss Cheese security in almost every application that has any traction. IoT is another looming pit of malware stew brewing...and it's all because of the relentless increase of release cadence.

    What's that line about not releasing a wine before it's time? 😀

    That's why you need professionals to do the work. I refuse to rush things at an inappropriate speed. However, I can understand business pressures, and DevOps helps me get the small changes with significant business impact released safely, securely and as soon as (is reasonably) possible.

    It takes maturity, not only of process, but also of professionals.

    Loving the whole clichéd DBA blaming management and the developers. A pity people like Jeff Moden have taken the easy route and mentored theirs 😉

    Kind of hard to say no to the people that sign your paycheck, though.

    Mentoring only works if they *believe* you. When sales people have the C-level ear, well, money talks and BS walks, right?

  • Gary Varga

    SSC Guru

    Points: 82166

    roger.plowman - Thursday, February 9, 2017 8:39 AM

    ...Kind of hard to say no to the people that sign your paycheck, though.

    Mentoring only works if they *believe* you. When sales people have the C-level ear, well, money talks and BS walks, right?

    Unfortunately too often true...unless you are as hard as nails as Jeff is.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    chrisn-585491 - Thursday, February 9, 2017 6:10 AM

    DevOps must be a nice environment to work in, but not every shop can support all aspects of it.
    Imagine supporting applications that are being used by thousands of customers in their environments in an uber-conservative industry. Any change short of extreme emergency must go through multiple approvals...  :crying:

    It's not just Netflix and Etsy that do this. There are some examples of banks and other companies (Barclays Bank and Allstate Insurance) that have transformed their environments. Part of building a DevOps process is determining what approvals are really needed, and which ones can be mitigated with tests, merged together, etc. Often the reason for approvals is poor code quality that causes issues. Learning to improve all facets of the pipeline is how DevOps moves forward, not by eliminating steps.

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    roger.plowman - Thursday, February 9, 2017 6:49 AM

    Color me suspicious.

    If DevOps was limited to security (i.e. continuous patching of a stable base) then it would probably be a net benefit.

    But that's not the case. DevOps is aimed at continuous feature release, not security. The more features you add, the more attack surface you add. DevOps encourages an insane development cadence, an insane user version cadence, and that is heaven for bad guys looking for bugs.

    The real issue with rapid cadence is lack of time for testing, lack of time for the good guys to understand the code in depth. Automated tests are good for catching the known attack vectors and preventing feature breakage. They do squat all for unknown vectors. Thus all the emphasis on discovering and exploiting 0 day bugs by the bad guys.

    DevOps is a prime example of over-driving your lights.

    I'd disagree with this. Feature growth and addition constantly happen, even if you release once a year. The difference is that with DevOps you can get feedback on those features quickly, then decide what needs to be improved, or if they should be deleted.

    It's far, far easier to go down the road with traditional development for quite a ways before you realize you're on the wrong road.

  • David.Poole

    SSC Guru

    Points: 75199

    Getting a DevOps culture adopted requires a collaboration of the willing supporting a manager prepared to argue the case with the skills of a successful lawyer.  If you have an ultraconservative management then I'm guessing they probably don't like someone rocking the boat and they are metaphorically weak swimmers.
    The Netflixes of this world have shown what is possible.  The culture surrounding a successful DevOps ethos is one of problem solving and relentless improvement.
    No organisation has a divine right to exist.  IBM is still trying to shrink to greatness.  Some of the biggest names in the software industry don't exist anymore.
    An organisation may decide it doesn't like boat rockers, but they're gambling on competitors agreeing with that approach.  A brave competitor doesn't have to succeed; they simply have to show the market the art of the possible.  The next ones to pursue that different approach have the advantage of the ground work being done and the problem areas causing failure being made visible.
    Elon Musk may fail with Tesla, but he has scared the bejesus out of the traditional manufacturers.

    Anyone remember the jokes made at Amazon's expense?  No-one is laughing now.
