Is DevOps good or bad for security?

Mary Branscombe | March 11, 2016
Does DevOps give you better security through agility or make development and deployment too fast to secure?

Bing’s tool for signing binaries during deployment was also manual; both were rewritten, which took time and effort but also improved the tools. “It was the way they did things, but we don’t care how they do things,” says Miller firmly. “We’re not going to do this.”

Recovering fast, and adapting and iterating based on what you’ve learned, matter as much to DevOps as speed does, and Miller dislikes the “fail fast” term. “I like learn fast, because I’m not trying to fail; I’m trying to succeed – but when I don’t succeed I want to learn, and hopefully next time it comes around, we know how to do this better now and incrementally get better over time.”

“Putting a guardrail up on the highway allows you to go faster, not slower,” says Alan Sharp-Paul, co-founder of DevOps tool vendor Upguard. “With proper checks, you catch problems before they become showstoppers and security risks in production. And when it’s part of the automated workflow, the overhead is essentially nil.”

That’s what the figures in Puppet’s 2015 State of DevOps Report show as well: “High-performing IT organizations deploy 30x more frequently with 200x shorter lead times; they have 60x fewer failures and recover 168x faster.”

The Heartbleed bug in OpenSSL was a good demonstration of that, suggests Bittner. “People who had DevOps and better delivery pipelines were able to respond quickly and that got some attention in businesses; they were able to respond almost immediately and everyone else was scrambling. When a threat occurs, being able to respond quickly is the big differentiator.”

Miller views that as one of the benefits of DevOps. “Because CD emphasizes having a code review process, small check-ins and rapid mitigation come with it. If you can deploy four or five times a day, you can mitigate something within hours.”

The same applies to spotting breaches, says Sam Guckenheimer from Microsoft’s developer tools team. “With DevOps, you're worried about things like mean time to detect, mean time to remediate, how quickly can I find indicators of compromise. If something anomalous happens on a configuration, you have telemetry that helps you detect, and you keep improving your telemetry – so you get better detection, you get better at spotting indicators of compromise and you get better at remediation.”

Continuous deployment makes life harder for attackers in two ways, Guckenheimer explains. “If you're one of the bad guys what do you want? You want a static network with lots of snowflakes and lots of places to hide that aren't touched. And if someone detects you, you want to be able to spot the defensive action so you can take countermeasures.”
