The evolution of DevOps: the perfect storm for instituting secure coding practices

Happy Appetite!

Software is eating the world, or so say DevOps leaders such as Marc Andreessen, general partner at Andreessen Horowitz as most companies are becoming software companies as well as purveyors of their primary goods and services in order to be more competitive.

Experts agree that DevOps is eating software, too. “I believe that in five to 10 years DevOps practices will be mainstream. People will view DevOps as the correct way to do software development,” says Tom Stiehm, CTO of Coveros. In that respect, says Stiehm, DevOps is eating software development.

Secure coding practices should likewise envelope DevOps, sealing many of the holes that criminal hackers would otherwise exploit. As DevOps accelerates software development, foot-draggers will have a hard time holding that secure coding practices slow software delivery. If developers use DevOps’ many ingress points to fix security vulnerabilities like they do to fix code, secure coding could swallow DevOps whole and become the norm across software development.

[ MORE DEVOPS: CSO Survival Guide: Securing DevOps ]

“DevOps shifts the focus of development to producing the best possible outcome for the customers. The new focus includes a shared understanding that security is essential to establishing and maintaining customer trust,” says Otto Berkes, CTO, CA Technologies and the first architect of Xbox at Microsoft.

Gartner includes “Security Testing for DevOps” in its 2016 Top 10 Technologies for Information Security. CSO looks at the issues and why DevOps will increase secure coding practices.

DevOps, the perfect environment for secure coding

DevOps is a good opportunity to make secure coding the norm across software development if secure coding envelopes DevOps as DevOps envelopes software. “Improved security is a core benefit of DevOps methodologies and is one of the reasons that DevOps is such a powerful movement. Customers expect to have a great software experience, and that has to include security as a basic ingredient,” says Berkes.

For many enterprises, DevOps automation techniques have hastened software development to a pace that has itself arrived (become possible) well ahead of schedule. It takes the video entertainment broadcasting behemoth Netflix, which the literature on DevOps regularly touts as a prime example a mere 16 minutes to translate Janitor Monkey, its cloud resiliency and maintenance service from code check-in to a full, multi-region (global) deployment, according to a recent company blog post. “Netflix is the poster child for DevOps speed and agility, having pioneered the development approach for many industries,” says Mike Kail, Co-Founder of Cybric and former CIO at Yahoo.

High-performing IT organizations—the ones that use DevOps development practices and methodologies—deploy software 200 times more frequently than low performers, according to the 2016 State of DevOps Report. The sheer volume of software development that DevOps makes possible makes it uncannily intuitive to add secure coding practices without slowing deployments. “The move to CI/CD as part of the agile development process leverages automation in what used to be a manual process, which adds incredible speed. Integrating security tools into that pipeline is now much easier than coordinating across multiple manual steps, involving multiple engineers,” says Kail.

With the extreme drought of cyber security engineers, which the industry expects to continue if not broaden, the automation that is native to DevOps is critical to increasing and enforcing secure coding practices, if the industry is going to do it at all, says Kail.

DevOps overturns objections to secure coding

Objections to instituting secure coding practices have included disagreement over the need for it and how to apply it as well as added costs, slowing development, and postponing release dates.

When enterprises start to implement DevOps, they acquire a more holistic view of what goes into software delivery; they can then ask where the risks exist and how to mitigate those during development rather than later on, says Josh Atwell, co-author, DevOps for VMware Administrators.

As DevOps grows in popularity, overshadowing other development methodologies due to its competitive and cost-saving advantages, the security industry should take opportunity, preparing to immediately inform and propel best practices in secure coding into the DevOps pipeline. “DevOps, and the implementation of a functional framework, can permit security professionals to provide specific security functions to apply in the code and during testing,” says Atwell.

[ MORE ON CSO: Does DevOps hurt or help security? ]

DevOps ultimately creates savings and speeds development through efficiencies and automation, multiplies the number of releases possible in the same time frame, and creates new revenues through competitive advantage.

“Make It So, Number One”

Tom Stiehm, CTO, Coveros, suggests methods for driving secure coding practices deep into the heart of DevOps, including:

• Add as many security settings, as much scanning and analysis to software build pipelines as possible, whether by simply adding a few open source tools to the pipeline or by taking more complex steps.
• Make data collection and automated testing as easy as possible for the team to use while ensuring that leveraging the test results is equally within reach.
• Work with the open source tools that do scanning and analysis to improve associated rules and capabilities.
• Champion those security tools in the build pipeline and help software delivery teams understand the value of improved security.

“By employing secure coding processes throughout the application delivery lifecycle, shifting automated testing to earlier in the development process, and increasing opportunities to find and fix security issues, everyone benefits,” says Berkes.

Prose on probabilities

Whether the industry will leverage DevOps to inject secure coding remains a mystery with only time completing the tale. “Improved implementation of secure coding and security practices into the software development lifecycle certainly has the potential for easier adoption in a DevOps ecosystem,” says Atwell. Still, as with any new disruptive technological change, some enterprises will experience costly lessons at the outset, and many will have to find their own path to DevOps tranquility due to specialized industry vertical business requirements and market opportunities that are unique to each organization.