How DevOps and security teams can get along better
Are we stuck in a rut?
DevOps – Agile software development has been with us for nearly two decades since the original Manifesto was published. Software development and IT teams all strive for better software that responds to customer needs, broadly in line with the principles of agile. However, there are still problems that exist around the processes and politics of software.
DevOps can help here, with teams collaborating on how to get software out faster and more efficiently. Yet for IT security teams, the rise of DevOps has led to problems with managing security and risk too.
I am reminded of Stealers Wheel’s Stuck in the Middle With You, where the singer is in the middle and surrounded by “Clowns to the left of me / Jokers to the right.” For DevOps and security teams that want to improve their approaches, how can they avoid being “stuck in the middle” and instead stick to the right processes in the future?
Building better processes across teams
One of the biggest issues for IT security teams is getting involved early enough in the development process. For many, security is something that gets applied once the applications have been built and are moving into production. However, this is an old fashioned approach that is held over from the days when development took place in waterfall phases and applications were held behind strong perimeter security implementations.
Today, almost all software will include some elements of cloud, API integration, or third party code. It has become easier to mix software components to create new services rather than develop from scratch. Indeed, any team that tries to implement their own cryptography or security rather than using off-the-shelf products will create massive problems for themselves over time. Combining best-in-class services, open source components, and internal code can deliver better results faster.
However, the first issue in this approach is around visibility — with so many parts involved in each application, keeping each one up to date and secure is a Sisyphean task that never ends. For those using containers to run microservices-based applications, this can be even harder. As an example, containers can be designed to exist for as long as there is demand for the service, and then be turned off and ‘destroyed’ once those demand levels drop. While the application instance is running, the components will exist. It’s at this point that they are vulnerable.
Containers are pulled together from repositories that store the images until they are needed. These images can be developed internally or used from public libraries; either way, they have to be updated and kept current. If this is not done regularly, then a supposedly “new” container will be created with any faults included.
For any cloud-based application, getting accurate information on what is running at any point in time should be a necessary step. For IT security teams, this data should provide them with insight into what the real risks around any service are while developers can use this data to get a real handle on their application instances for performance discussions.
The second area where this information can be essential is around tracking responsibility for those assets over time. When applications run in the cloud, they will be on another company’s infrastructure — that organization may provide everything to run the service or let developers set up and run their own instances on top of the base cloud infrastructure.
This article originally appeared on thenextweb.com To read the full article and see the images, click here.
Nastel Technologies uses machine learning to detect anomalies, behavior and sentiment, accelerate decisions, satisfy customers, innovate continuously. To answer business-centric questions and provide actionable guidance for decision-makers, Nastel’s AutoPilot® for Analytics fuses:
- Advanced predictive anomaly detection, Bayesian Classification and other machine learning algorithms
- Raw information handling and analytics speed
- End-to-end business transaction tracking that spans technologies, tiers, and organizations
- Intuitive, easy-to-use data visualizations and dashboards