When looking at great companies, one should try to find out what they are doing so outstandingly well and what lessons can be learned from them. What do Google, Amazon, Facebook, LinkedIn, Netflix, Intuit, Bank of America, GAP or Macy’s – just to name a few – have in common?
Apart from being very big and highly successful enterprises, they also share an IT-related approach that has become a cultural trait: they have all embraced DevOps as the way of delivering their products and services to clients. As security practitioners, we have a duty to ask ourselves where security fits into this DevOps philosophy.
Corporate Culture in a DevOps-Supported Organization
DevOps, as we understand it, is a revolution inside an organization: a business approach that promotes collaboration between software developers and IT Operations professionals in order to allow faster delivery cycles in the best interest of the clients.
How is this achievable? Here comes the “cultural thing”: organizations using this approach have eliminated the wall between Software Developers and IT Operations professionals and support a fully integrated framework, from the moment development requirements are consolidated, through development, testing, bug fixing and release, up to the moment of delivery. The objective – or, we might say, the new development style – is the Continuous Delivery model, with top performers like Amazon, Google or Facebook reaching code delivery rates on the order of a thousand deployments per day.
The foundation for all this, as defined by Gene Kim, one of the movement’s promoters, rests on three pillars:
1. Systems Thinking – seeing the entire forest, not just a few trees: looking at the whole value stream that must deliver the expected result to the clients, without barriers between teams and platforms.
2. Shorten and Amplify Feedback Loops – the long feedback loops of the classic SDLC approach are condensed into feedback loops at the level of sub-processes and stages, with people from development and IT operations working together to collect feedback, analyze it and react accordingly, as fast as possible.
3. Continuous Experimentation and Learning – a new way of looking at things: getting rid of silos and the blame-passing culture, and encouraging creativity, engagement and shared responsibility. One amusing anecdote Gene told in a podcast is that developers who are woken at 3 a.m. to fix a bug actually like it and cannot conceive of doing otherwise, because they and IT Ops work together to deliver the expected results to the clients.
An interesting survey reported by Puppet Labs in 2013 described DevOps adoption and what it could bring to the new computing sphere, revealing that high performers deploy code 30 times faster and have 50% fewer failures.
These are great numbers that paint an impressive picture: faster development, rapid bug fixing, shortened cycles and continuous delivery. But a question arises: what about information security? What happens to it under this new paradigm?
As an ISMS auditor, I have had the chance to see a few software development companies, and what struck me was the almost impossible “marriage” between development and security – the latter being perceived as slowing down the systems and good only for compliance. But in DevOps approaches, InfoSec can be integrated from the beginning of the value chain, and this seemingly irreconcilable gap can be narrowed.
Any DevOps implementation is supported by an integrated system of tools such as:
- Software-defined infrastructure – either virtualized in the datacenter or an entire Platform-as-a-Service package from one of the providers;
- Continuous monitoring – of infrastructure but also of security; essential for testing, for shortening feedback cycles and for early detection of malfunctions and security incidents;
- Version management and change management platforms – essential for maintaining the business logic and for preparing the delivery, but also for rapid identification of failures and incidents;
- Configuration management – helps IT Ops and InfoSec Ops deliver what development needs: identical configuration across development, testing and production. Server virtualization is a valid option that greatly facilitates this;
- Code inspection and review – ensured by specialized tools and dedicated teams. It is a practice that dramatically increases the quality and security of code, and a probable explanation for the 50% reduction in failure rates;
- Benchmarking – dashboards and metrics are an essential ally for maintaining governance of the entire process.
Security can and must be present in each of these processes: security for virtualized environments and SDNs, security monitoring, and secure practices for version management, configuration and change management, code inspection and testing.
As for the classic approach based on long cycles – compliance audits, penetration testing and vulnerability management – these remain part of our lives as a supplementary check and source of assurance.