Share
the future… it probably wont look like this (source)

Continuous Delivery meets Security and magical things happen. It’s in this brave new world we continue to break down the silos that divide us with real pragmatism. Aligning your security efforts with the Software Supply Chain and your CI/CD efforts might be the best option for the future of our industry. Don’t believe me? Read on!

Security Is Stale

Security is a largely unchanged area in IT over the last 10 years and is ripe for innovation. The industry is changing around us and we are covering this transformation in a 4-part series we have titled the Future of DevOps and Security—this article is the third in the series. (See part 1 here, See part 2 here)

[n.b. If you follow our Medium publication Signal Sciences Labs then you should get updates when we release the next article in the series.]

This article is focused on a presentation made by Shannon Lietz, Director of Security at Intuit. She recently gave an excellent talk on CI and Security at DevOps Days Austin and she encapsulated some of the current trends and thinking that is happening industry-wide. If you aren’t already making similar changes in your organization, then this is a good picture of what your life will be like in the next 2–3 years.

It all started with DevOps

Intuit started its journey with DevOps about three years ago, and Shannon worked to bring the Security team along for the journey. Quickly they realized that security has some fundamental gaps that need to be addressed from staffing ratios to integration into the delivery flow of software.

As we have seen industry-wide, security tends to:

  • Put up roadblocks to software releases
  • Enforce a singular, inflexible policy for software development
  • Be at the end of the lifecycle and unable to make changes in design, build, or even operations

Fast-flow Security

The traditional methods won’t work in a fast-flow, rapid-cycle, DevOps organization. In reference to the gating functions we often put in place for security, Shannon noted:

If you have something thats anti-Deming, then it probably doesn’t fit in DevOps.

Instead we have to see security as a function thats both transparent (doesn’t inhibit flow) and that creates a feedback loop (instead of a gate). This reworks our traditional model for security. To further exhibit this, take a look at Shannon’s slide on the Secure Software Supply Chain.

Secure Software Supply Chain presented by Shannon Leitz at DevOps Days Austin 2016.

It’s important to note that the feedback happens not just earlier but more often. This is not just a task of move your gates to the left—it is a process of adding feedback to every stage.

Security Feedback when in Design

There is a big shortage in InfoSec people in the industry and using an “embedded security person on each team” model is going to be a tough proposition. Industry-wide there is no way we could meet the staffing needs. This means that security must become a “Peanut Butter Function” wherein security is spread across all teams and encourages security champions to drive change. (I mean who doesn’t like peanut butter.) In an effort to spread security thinking, Shannon presented this great Maslow Pyramid.

This naturally leads into security testing in build, deploy and runtime.

Continuous Security Testing (and Monitoring)

Traditionally we have thought of security in terms of static code analysis at the end of development or in terms of hiring a testing expert to do an annual test. Sounds anti-Deming doesn’t it? What if instead you did testing on every code commit? What if you added visualization to your stack at runtime to see where anomalies are happening and if you are currently under attack?

Intuit’s model for Security Testing

Your stack needs testing or monitoring at all these different portions. From static code analysis, linting, and dependency checking to runtime evaluation of anomalies and infrastructure changes, we must change how we do security. Each of these boxes represents a place to add value from a security perspective.

Summary

We are moving fast as an industry and by breaking up security and chartering your team to add in feedback loops in the software delivery pipeline, you will see enormous gains. Intuit it is doing it, maybe you should too.

Here’s the full video of Shannon’s talk:

 

This article is Part 3 of the Future of DevOps and Security Series. (See part 1 here, See part 2 here)

See you soon, but please Keep in Touch

Follow our Medium publication Signal Sciences Labs to get updates when we release the next part of the Future of DevOps and Security Series.


Thanks for reading this article. If you enjoyed it please let us know by clicking that little heart below.

At Signal Sciences we are building the industry’s first Next Generation Web Application Firewall (NGWAF). Our NGWAF was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.