Often found at the intersection of DevOps and security, creator of gauntlt and author of DevOps Fundamentals — a course on Lynda.com and LinkedIn Learning.
Seeing the Invisible
Seeing the invisible. When it happens in your personal life, it might be a sign you are running low on water or maybe you need to check in with your doctor (or priest!). However, in complex systems, whether human or technological, it becomes a crucial factor in success. In this article we will explore feedback loops, what they mean in DevOps and how Security can help the organization. Already read this part? Read part 2.
[n.b. I have never had the misfortune to work anywhere with those inspirational posters hung up in earnest—my only first-hand experience is the hilariously made demotivational posters often hung by my more sarcastic team members.]
Let's kick this one off with a good old inspirational quote.
Vision is the art of seeing what is invisible to others. — Jonathan Swift
Seeing is what feedback loops are all about.
Feedback Loops in Software
Feedback loops aren’t a new idea—they are almost so inherent, so human, that it feels odd to specifically call them out at times. Of course we need a feedback loop. Feedback loops come naturally to us in our human relationships and even with the complex systems we interact with in our daily lives, like our automobiles or indoor heating and cooling systems. In military strategy we have OODA (Observe, Orient, Decide, Act) loops, in the Lean Startup there is the Build-Measure-Learn cycle, yet we struggle in software. It is still common, though increasingly less so, to have software where users report outages before the staff knows about them.
Once you have shifted your thinking and processes to orient around a fast delivery cadence, you will quickly find yourself trying to adapt. It becomes even more important to have insight into what is going on in your rapidly changing runtime environment. Since the early days of the DevOps movement, monitoring has been highly regarded, and for good reason: you have to know what is going on to make improvements. This is also true for security—we need to know what is happening if we are to stage an appropriate defense. Earlier we said outages go unnoticed, but in security the problem is even more rampant: security events are more often than not reported by the media before your staff knows about them.
A Defensive Thinking Approach
At the risk of over-simplifying things, defense requires knowing answers to two first-order questions:
Am I currently being attacked right now?
What vector of attack is being attempted?
You could complicate the analysis by analyzing the likelihood of success or determining the potential cost of compromise; however, these two approaches are second-order prediction models that most organizations, and the security industry at large, generally aren’t equipped to answer because of the lack of first-order data, specifically limited insight into the frequency and types of attacks. One of the most surprising things is that most organizations can’t even approximate an answer to either of these first-order questions.
In a DevOps context, there are three areas where security can add direct value as well as receive value from integration across the organization. Each of these areas can give you insight into the first-order questions and, through instrumentation, can help you shift to a defensive thinking approach. The areas to evaluate are:
Logging and Auditing
… and that’s where we are going to break this article. Talk about a cliff-hanger! Read Part 2 and be sure to subscribe to updates to our publication: Signal Sciences Labs.