Taking DevOps out of the security danger zone

Right now, DevOps is the star on the red carpet at the Oscars ceremony. The darling new technology methodology that everyone wants to shake hands with. The methodology that promises to effect positive organisational change: like launching services more quickly, improving operational performance and lowering cost.

Gartner agrees. According to “Market Trends: DevOps -- Not a Market, but a Tool-Centric Philosophy That Supports a Continuous Delivery Value Chain”, “By 2016, DevOps will evolve from a niche strategy employed by large cloud providers to a mainstream strategy employed by 25 percent of Global 2000 organisations.” The current DevOps talent shortage also points to these companies suddenly waking up to the difference DevOps can make.

Make no mistake, DevOps is a compelling proposition: a logical approach to enhancing and accelerating enterprises’ IT delivery capabilities. Ask any organisation and they’ll bite your hand off to achieve the scale-out and economies of scale realised by the big cloud providers.

How do you scale DevOps?

It’s that word ‘scale-out’ which causes the trouble. Application teams are under pressure to deliver more functionality, more quickly without disrupting current applications. But enterprise processes and other barriers are in the way. The complexity of different groups, geographies, infrastructure and applications, for example, can quickly lead to a loss of control. And loss of control results in deployment and release failures that can cost you millions of dollars and damage your brand reputation.

Moreover, network engineers are either doing ad-hoc scripting or tapping a dedicated software engineering team to build homegrown systems for their own use. As a result, many of today's enterprises are intricate webs of siloed, but interdependent, sub-networks.

There’s another, more sinister barrier to scaling out your DevOps strategy too. DevOps can easily expose software vulnerabilities and security threats in your production environments. Take the case of assembling code, for example. Developers are always keen to use existing code rather than rewriting it from scratch, and when assembling applications from libraries they typically use the latest version of the code, assuming it is likely to have fewer bugs.

However, new releases can open up new security vulnerabilities. Take the Spring Framework, for instance, a Java platform that provides comprehensive infrastructure support for developing Java applications. According to Joshua Corman, CTO of Sonatype, 81 of the 85 versions of the Spring Framework have known vulnerabilities.

Software and security vulnerabilities can also rise to the surface unless the production software is audited for security defects. Developers can easily pick up any code they choose without identifying its source or recording what they did with it. And this risk is set to do more harm as DevOps is used for ‘Internet of Things’ solution development.

The facts about DevOps security speak for themselves. Organisations collectively spend $20 billion every year on network security, $10 billion on host security and $5 billion on data security. And you know how much is invested in software supply chain security by all companies? Just half a billion dollars.

Automation relieves the DevOps security headache

The answer is automation. A good DevOps process should be implemented using automation tools that can help to track and document updates. DevOps is about change management, process flow and documenting those processes.

With automation you bring your new products and services to market faster, and—crucially—still stay in control. By automating your application release process, you package the release from your continuous integration tool and securely promote it to the next environment via a reusable workflow. You maintain complete visibility throughout—and there’s no disruption to the business.

Any software vulnerabilities are quickly identified using role-based access controls: only authorised staff get to promote packages, and only approved packages can move through the lifecycle. Moreover, the automated deployment model ensures you keep track of which code goes on each server and with what configuration settings. And if you are not happy with any aspect of the release, automation enables you to roll back the deployment to its previous state. Finally, comprehensive audit reports help you see who did what and when throughout the entire release process.

Automation delivers other unique attributes to reduce security risks. First, it provides packages and promotion paths so you can be confident that what is deployed is correct. Second, it delivers workflows for a standard, quality-assured approach to consistently deploy new changes. And third, automation introduces deployment models to ensure the correct settings and configurations are applied to each environment.
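As an added illustration (not Automic's product or code), here is a small Python model of the release controls described above: a fixed promotion path, role-gated promotion, approved packages only, rollback to the previous state, and an audit trail that records refused attempts as well as successful ones. The environment names, roles, user names and the sample package are constructed for the example.

```python
"""Toy model of the controlled release promotion described above.

Added example, not Automic's code. The environments, roles, user names
and the sample package below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

PROMOTION_PATH = ["ci", "test", "staging", "prod"]
# Who may promote into which environment (role-based access control).
ROLE_MAY_DEPLOY_TO = {"developer": {"test"}, "release_manager": {"staging", "prod"}}


@dataclass
class ReleaseController:
    approved: set                                 # packages that passed QA approval
    deployed: dict = field(default_factory=dict)  # env -> package currently deployed
    history: dict = field(default_factory=dict)   # env -> earlier packages, for rollback
    audit: list = field(default_factory=list)     # (when, who, action, env, package, ok)

    def _record(self, user, action, env, pkg, ok):
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, action, env, pkg, ok))
        return ok

    def register_build(self, pkg):
        """The continuous integration tool hands a packaged build to the 'ci' stage."""
        self.deployed["ci"] = pkg
        return self._record("ci-tool", "build", "ci", pkg, True)

    def promote(self, user, role, pkg, target):
        """Move pkg into target. Refused attempts are logged too, so the audit
        trail shows who tried what, not only what succeeded."""
        idx = PROMOTION_PATH.index(target)
        allowed = (
            target in ROLE_MAY_DEPLOY_TO.get(role, set())          # authorised staff only
            and pkg in self.approved                                # approved packages only
            and self.deployed.get(PROMOTION_PATH[idx - 1]) == pkg   # came from previous stage
        )
        if allowed:
            self.history.setdefault(target, []).append(self.deployed.get(target))
            self.deployed[target] = pkg
        return self._record(user, "promote", target, pkg, allowed)

    def rollback(self, user, role, env):
        """Restore the previous deployment in env, under the same role gate."""
        allowed = env in ROLE_MAY_DEPLOY_TO.get(role, set()) and bool(self.history.get(env))
        if allowed:
            self.deployed[env] = self.history[env].pop()
        return self._record(user, "rollback", env, self.deployed.get(env), allowed)
```

The controller deliberately refuses a promotion that skips a stage, so production can only ever receive what staging currently runs.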

Your development squad is under more pressure than ever to deliver more functionality, faster, without disrupting current applications. By automating your application release process, you not only embrace DevOps in full strength, you also gain back control.

Posted by Dr. Chris Boorman, Chief Marketing Officer at Automic.

Copyright © 2015 IDG Communications, Inc.
