Believe It or Not, DevOps and Infosec Are a Perfect Culture Match

Sunday, October 14, 2012

Gene Kim


These were the words uttered to me by a friend of mine, David Etue (@djetue).  I’ve known him for over a decade, but had no idea he was a DevOps fan.  That’s usually a safe assumption, since I’ve found that most of my fellow infosec peers are terrified of DevOps and the incredibly fast deploy rates associated with it.

(The seminal 2009 Allspaw and Hammond presentation talked about doing “ten deploys a day at Flickr,” which was shocking back then.  These days, organizations like Facebook and Amazon are doing hundreds or even thousands of deploys daily.)

Suspicious of David’s answer, I asked him, “Why do you think DevOps is good for infosec?”

He quickly replied, “When you’re not doing security testing in the development and deployment pipeline, all sorts of bad things happen.”

David went on, “First, because developers don’t understand the security requirements, they have to rely on a security expert to do the code reviews. So at the end of their software release, they need to wait in line to get their testing completed, just when the deadline pressures are highest. So when the inevitable bunch of security vulnerabilities are found, there’s never enough time to fix them so late in the deployment process, etc…”

What David is describing are the classic problems associated with large batch sizes.  This is a term typically used in manufacturing processes, but the problems associated with large batch sizes apply to the IT value stream, as well:

  • Problems are found more slowly (slower feedback)
  • Problems are fixed more slowly and probably propagated (slower implementation of countermeasures)
  • Fewer problems can be fixed before deadlines (greater number of problems allowed to get into production code)

The opposite of large batch sizes, of course, is small batch sizes.  But more helpfully, the ideal state is “single piece flow”  (e.g., an assembly line where each work center has a batch size of one).  In the software world, this is called continuous delivery, which is a prerequisite for DevOps.

The high deployment rates typically associated with DevOps work streams will often put enormous pressure on QA and Infosec.  Consider the case where Development is doing ten deploys per day, while information security takes twelve weeks to complete a code review (e.g., eight week lead time due to the backlog of other reviews, and four weeks to execute the tests).  In this instance, there’s an obvious mismatch between the rate of code development and security code testing.

The good news for QA and Infosec is that when continuous integration and release practices are in place, as David pointed out, there is very likely a culture of requiring continuous testing.  In other words, whenever code is checked in, automated tests are automatically run, and issues must be fixed right away, just as if a developer had checked in code that didn’t compile.

By integrating automated security testing into the deployment pipeline, just as the functional and integration tests are, information security testing becomes part of the daily operations of Development.  As a result, security defects are found and fixed more quickly than ever.
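As an added illustration (not part of the original post), here is a small deterministic model of the batch-size argument above: one security review per twelve-week release cycle versus automated tests on every check-in. The ten-deploys-per-day rate and the four-week test execution come from the post; the defect rate, fix capacity and deadline slack are assumed values.

```python
"""Batch-size model: security review at release end vs. on every check-in.

Constructed example. The deploy rate (10/day) and four-week test execution
are taken from the post; defect rate, fix capacity and slack are assumptions.
"""


def simulate(days, changes_per_day, defect_every, batch_days,
             review_days, slack_days, fixes_per_day):
    """Return (escaped_defects, mean_feedback_days) for one scenario.

    Changes land at a steady rate and every `defect_every`-th change carries a
    security defect. Changes are tested once per batch of `batch_days` days;
    results arrive `review_days` after the batch closes, and the team can fix
    `fixes_per_day * slack_days` defects before that batch's deadline. Any
    defects beyond that capacity ship to production ("escaped").
    """
    escaped = 0
    feedback = []          # days from a defect landing to its detection
    change_id = 0
    for start in range(0, days, batch_days):
        close = min(start + batch_days, days)
        found_on = []      # day on which each defect in this batch landed
        for day in range(start, close):
            for _ in range(changes_per_day):
                change_id += 1
                if change_id % defect_every == 0:
                    found_on.append(day)
        tested = close + review_days
        feedback.extend(tested - day for day in found_on)
        fixable = fixes_per_day * slack_days
        escaped += max(0, len(found_on) - fixable)
    mean_feedback = sum(feedback) / len(feedback) if feedback else 0.0
    return escaped, mean_feedback


def compare(days=84, changes_per_day=10, defect_every=20,
            slack_days=14, fixes_per_day=1):
    """Same fix rate and deadline slack in both scenarios; only batch size differs."""
    large = simulate(days, changes_per_day, defect_every, batch_days=days,
                     review_days=28, slack_days=slack_days,
                     fixes_per_day=fixes_per_day)      # one review per cycle
    single = simulate(days, changes_per_day, defect_every, batch_days=1,
                      review_days=0, slack_days=slack_days,
                      fixes_per_day=fixes_per_day)     # tests on every check-in
    return {"large_batch": large, "single_piece_flow": single}


if __name__ == "__main__":
    for name, (escaped, fb) in compare().items():
        print(f"{name:18s} escaped={escaped:3d} mean_feedback_days={fb:5.1f}")
```

With the assumed rates, the end-of-cycle review finds 42 defects at once, with an average of 70 days of feedback delay and 28 of them shipping unfixed, while per-check-in testing finds each defect within a day and fixes all of them.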

Fast forward to today’s DevOps, where tools like Gauntlet integrate security testing into the deployment pipeline.

As David said with certainty, “This is a very good thing for infosec. DevOps cares about operations and availability, as well as the integrity of the deployment pipeline.  This is the perfect cultural fit for infosec.”

Well said.

You can read more about the concept of batch sizes in a DevOps context by my fellow “DevOps Cookbook” co-author Damon Edwards here. And if you want to learn about the “Top 11 Things You Need To Know About DevOps,” you can download it here.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
