the future is here now

This is the fourth and final installment of the Future of DevOps and Security Series. Glad you made it!

In case you missed the previous portions of the series:

Where we are

Security has been a largely unchanged area of IT over the last 10 years and is ripe for innovation. The industry is changing around us and we are seeing the first signs of this transformation. Security faces essentially the same challenges that operations faced 7–10 years ago:

  • High degree of burnout in the industry
  • Understaffed and inequitable hiring ratio
  • Found outside of the value stream
  • For the most part, unable to stop or triage problems

Part of this is our fault. Over the years we staffed for compliance, and a hiring ratio of 100 developers to 10 operations to 1 security person was acceptable. That security team helped complete compliance duties and, when there was spare time available, added the latest security tooling to the mix. This was fine as long as we viewed the role largely as a way to assure compliant delivery of products and services: compliant, not secure.

The Analogy to Operations

This way of thinking fosters a “throw it over-the-wall” type of approach and circa 2009, operations wasn’t much different. However, with the rise of DevOps, a transformation happened across the industry.

Changes started happening to software groups:

  • Treat Infrastructure as code (version controlled, testable, repeatable)
  • Continuously deliver and use a batch size of 1 change per delivery
  • Reduce cycle time (from initial idea to customer using it)
  • Do hard things more frequently
  • Performance as a first order objective

This all seems “normal” now but it was radical when it first arose in the industry. The DevOps movement might have just been viewed as another fad if the benefits didn’t show up in a big way.

It’s orders of magnitude better! A slide screencap with the results from the 2015 State of DevOps Report.

Security’s Future is Now

There are five key patterns happening in our industry that are helping security make the shift that operations has already made.

  • Change the culture of security
  • Security as code
  • Reduce vulnerability remediation cycle time
  • Move left in the delivery pipeline
  • Feedback loops in your runtime systems

Let's break these down.

Changing Culture of Security

I have written about the cultural problem of security several times, most notably here and here. We have to change the way we are functioning inside the organizations we strive to protect. I love this poster:

Security has to be an enabler, not a blocker — this is a cultural shift, not a technology problem.

Security as Code

Another change we need to make is the codification of security. Security as code means that security tests live right alongside our application code, just as unit tests and integration-style tests do. Tools like Gauntlt and Mittn help you do this, but you can get started simply by writing your own tests that attempt XSS, exercise CSRF token scenarios, or try SQLi against your endpoints. One easy idea to implement: instead of receiving a PDF or PowerPoint at the end of a vulnerability assessment or penetration test, ask for functioning tests.
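Security checks expressed as tests that sit next to the unit tests, as an added example in the spirit of the findings-as-tests idea above (not Gauntlt, Mittn or any code from the original post). Both apps are constructed stand-ins for a service under test, the CSRF token value is a placeholder, and each check takes any client callable so the same tests can run against a deployed build.

```python
import html
from urllib.parse import parse_qs

# Probe strings the checks send; the CSRF token is a constructed placeholder.
XSS_PROBE = "<script>alert(1)</script>"
CSRF_TOKEN = "constructed-session-token"

def hardened_app(method, path, body=""):
    """Constructed stand-in for the service under test (no real framework):
    escapes reflected input and rejects state changes without a CSRF token."""
    route, _, query = path.partition("?")
    if route == "/search" and method == "GET":
        q = parse_qs(query).get("q", [""])[0]
        return 200, f"<p>Results for {html.escape(q)}</p>"
    if route == "/profile" and method == "POST":
        if parse_qs(body).get("csrf_token", [None])[0] != CSRF_TOKEN:
            return 403, "missing or invalid CSRF token"
        return 200, "profile updated"
    return 404, "not found"

def vulnerable_app(method, path, body=""):
    """Constructed 'before' version: reflects input raw and ignores the token."""
    route, _, query = path.partition("?")
    if route == "/search":
        return 200, f"<p>Results for {parse_qs(query).get('q', [''])[0]}</p>"
    if route == "/profile" and method == "POST":
        return 200, "profile updated"
    return 404, "not found"

def reflected_xss_is_escaped(client):
    """Pass only when the probe comes back HTML-escaped, never verbatim."""
    status, body = client("GET", f"/search?q={XSS_PROBE}")
    return status == 200 and XSS_PROBE not in body and html.escape(XSS_PROBE) in body

def post_without_csrf_token_is_rejected(client):
    status, _ = client("POST", "/profile", body="display_name=x")
    return status == 403

def post_with_csrf_token_is_accepted(client):
    status, _ = client("POST", "/profile", body=f"display_name=x&csrf_token={CSRF_TOKEN}")
    return status == 200

# pytest collects these when the file is named test_security.py; point the
# client at an HTTP wrapper to run the same checks against a deployed build.
def test_reflected_xss_is_escaped():
    assert reflected_xss_is_escaped(hardened_app)

def test_csrf_token_is_enforced():
    assert post_without_csrf_token_is_rejected(hardened_app)
    assert post_with_csrf_token_is_accepted(hardened_app)
```

Running the same checks against `vulnerable_app` makes them fail, which is exactly the regression signal a pentest report on paper never gives you.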

Reduce Vulnerability Remediation Cycle Time

Vulnerabilities happen. In the old world, security teams tested for vulnerabilities on an annual calendar cycle. In a continuous delivery model, this can mean thousands of releases go out before the next round of testing is completed. Finding vulnerabilities late increases the mean time to remediation. Many factors contribute to this delay, one of which is that you are further away from the moment someone wrote the code that contains the vulnerability. Do whatever you can to test early and more frequently. Part 3 of our series had some great tips on this: The Flow of Continuously Delivered Security.

Move Left in the Delivery Pipeline

Codifying security tests and moving testing earlier in the development cycle are huge gains. However, we can't forget to also move up the software supply chain. Third-party components that we bake into our systems (hi there, OpenSSL!) have vulnerabilities that flow downstream to us. Adding feedback loops and automated component cataloging results in a big security win.

Feedback Loops in Runtime Systems

In your runtime systems, provide feedback loops to developers and operations that contain attack telemetry. Often this level of detail is not distributed throughout the organization (only the security team is privy to it), or it's not even available at all. Instead, add integrations from your security tooling to your ChatOps stack (Slack, HipChat, Jira, …) to message out security events. Turn attacks and anomalies into metrics that can be correlated across the organization. At Signal Sciences, this is one of the core values that we provide, and you would be surprised how many useful things our customers find when they add feedback loops from their web application security at runtime to the people who actually wrote the applications.
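An added example (not Signal Sciences code) of the feedback loop described above: parse a constructed feed of attack events, reduce it to metrics that can be graphed or correlated, and address a chat message to the team that owns each route. The event format, the route-owner map and the channel names are assumptions made for this example.

```python
import json
from collections import Counter

# Constructed attack-telemetry events in a JSON-lines shape chosen for this example
# (not a vendor's real export format); addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
{"ts":"2016-03-01T10:00:01Z","signal":"SQLI","path":"/login","src":"203.0.113.5","blocked":true}
{"ts":"2016-03-01T10:00:03Z","signal":"SQLI","path":"/login","src":"203.0.113.5","blocked":true}
{"ts":"2016-03-01T10:00:09Z","signal":"XSS","path":"/search","src":"198.51.100.7","blocked":false}
{"ts":"2016-03-01T10:01:12Z","signal":"SQLI","path":"/login","src":"203.0.113.5","blocked":true}
{"ts":"2016-03-01T10:01:40Z","signal":"TRAVERSAL","path":"/files","src":"198.51.100.9","blocked":true}
{"ts":"2016-03-01T10:02:05Z","signal":"XSS","path":"/search","src":"198.51.100.7","blocked":false}
this line is not valid JSON and must be skipped rather than stall the feed
"""

# Assumed ownership map: which chat channel owns which route (hypothetical names).
ROUTE_OWNERS = {"/login": "#team-identity", "/search": "#team-search"}

def parse_events(text):
    """Parse JSON lines, dropping malformed records so one bad line cannot break the loop."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def summarize(events):
    """Reduce raw events to metrics that can be graphed or correlated with deploys."""
    return {
        "total": len(events),
        "by_signal": dict(Counter(e["signal"] for e in events)),
        "by_path": dict(Counter(e["path"] for e in events)),
        "unblocked": sum(1 for e in events if not e.get("blocked")),
    }

def route_messages(events, threshold=2):
    """One chat message per path that crosses the threshold, addressed to the
    team that owns the route so the authors of the code see what is hitting it."""
    messages = []
    for path, count in Counter(e["path"] for e in events).items():
        if count < threshold:
            continue
        signals = Counter(e["signal"] for e in events if e["path"] == path)
        detail = ", ".join(f"{sig}={n}" for sig, n in signals.most_common())
        channel = ROUTE_OWNERS.get(path, "#security-events")
        messages.append((channel, f"{count} attack signals on {path} ({detail})"))
    return messages
```

The `unblocked` count is the number worth watching: requests the security layer saw but did not stop are the ones the owning team needs to hear about first.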

In Closing

The future is now, the changes are happening all around us and the security industry is uniquely positioned to add value. Over the next few months we will be exploring these themes on this blog:

  • Cultural change of security
  • Security as code
  • Reduce vulnerability remediation cycle time
  • Move left in the development pipeline
  • Feedback loops in your runtime systems

Please follow Signal Sciences Labs and stay in touch.


Previous articles in the Future of DevOps and Security Series

Part 1: The Next Frontier of DevOps: Security

Part 2: Avoiding the Dystopian Road in Software

Part 3: The Flow of Continuously Delivered Security



At Signal Sciences we are building the industry’s first Next Generation Web Application Firewall (NGWAF). Our NGWAF was built in response to our own frustrations of trying to use legacy WAFs while enabling business initiatives like DevOps, cloud adoption and continuous delivery. The Signal Sciences NGWAF works seamlessly across cloud, physical, and containerized infrastructure, providing security without breaking production traffic.