Organizations can strengthen software security through an approach to development and deployment that unites developers and IT operations staff, according to speakers in a recent panel at RSA Conference 2013. Dark Reading reported that security experts at the event were excited by the possibilities this methodology, known as DevOps, unlocks. DevOps increases the pace of deployment, but, by building more frequent source code analysis into application rollouts, it can improve application security at the same time.
Environments in which organizations are expected to create higher-quality code faster with less time for QA are becoming common, making DevOps an increasingly popular approach, a Dr. Dobb's article explained. The site noted that DevOps gives developers a better sense of the overall shape of a project, more ownership of the code and a deeper understanding of how their code performs in actual user environments. Because monitoring is more proactive, developers have fewer issues to address later in the rollout process. Most notably, according to speakers at RSA Conference, this proactive approach allows security teams to insert themselves into the coding process.
"The great thing is that all of the tools that you use to enable security layers right on top of DevOps," Nick Galbreath, vice president of engineering for IPONWEB, said, according to Dark Reading. "Having these tools that developers in operations use together to make things go faster is just a great way for you to get your [security] job done."
More code requires more automation
A DevOps approach has allowed web companies such as Netflix and Facebook to handle as many as 23,000 deployments a day while keeping security and stability issues to a minimum, according to Gene Kim, founder and former CEO of Tripwire. While having such a schedule can create challenges for change management, code review and other software security tasks, part of implementing a DevOps methodology involves increasing the use of automation and measurement, panelist David Mortman, chief security architect for enStratus, said. He noted that these two principles are part of the four fundamentals of DevOps, which also include instituting a cultural shift and increasing internal sharing.
"If you watch a lot of DevOps talks on the dev side, they talk about automating all of your unit tests and functional tests and integration tests," Mortman said, according to Dark Reading. "So one of the things I'm doing is working with one of our engineers to add security unit tests and functional tests to the code they're already writing. So that way every time someone gets code properly committed, it gets tested for all of these things [and] if someone broke something or potentially broke something … you find out immediately."
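Security tests of the kind Mortman describes look no different from the rest of a project's test suite, which is what lets them run on every commit. The following is an added example, not code from the panelists or their employers: the data-access functions, the users table, the injection payload and the test names are all constructed for illustration, using only Python's standard sqlite3 and html modules.

```python
"""Security unit tests that sit beside ordinary unit tests (added example).

The module under test, its table, and the test names are constructed for
this illustration; they are not code from the RSA panelists or the
companies named in the article.
"""
import html
import sqlite3

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER);
INSERT INTO users VALUES (1, 'alice', 0), (2, 'bob', 0), (3, 'root', 1);
"""


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_unsafe(conn, name):
    """'Before' version: user input is spliced into the SQL text."""
    rows = conn.execute("SELECT id, name FROM users WHERE name = '%s'" % name)
    return [r[1] for r in rows]


def find_user(conn, name):
    """Hardened version: a bound parameter never reaches the SQL parser."""
    rows = conn.execute("SELECT id, name FROM users WHERE name = ?", (name,))
    return [r[1] for r in rows]


def render_greeting(name):
    """Output encoding for an HTML context."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


# Constructed payload: closes the quoted literal and appends a true clause.
INJECTION = "x' OR '1'='1"


# --- Security unit tests, same shape as any other test in the suite -----
def test_lookup_resists_injection():
    conn = make_db()
    assert find_user(conn, INJECTION) == []          # no row is named that
    assert find_user(conn, "alice") == ["alice"]     # normal lookup still works


def test_would_catch_unsafe_version():
    # Sanity check on the test itself: the 'before' version leaks every row.
    conn = make_db()
    assert len(find_user_unsafe(conn, INJECTION)) == 3


def test_greeting_escapes_markup():
    out = render_greeting("<script>alert(1)</script>")
    assert "<script>" not in out
    assert "&lt;script&gt;" in out


def run_security_tests():
    """Run the tests above; return the names of the ones that failed."""
    failures = []
    for test in (test_lookup_resists_injection,
                 test_would_catch_unsafe_version,
                 test_greeting_escapes_markup):
        try:
            test()
        except AssertionError:
            failures.append(test.__name__)
    return failures


if __name__ == "__main__":
    print(run_security_tests() or "all security tests passed")
```

The point of the second test is that a security test is only as good as its payload: checking that the deliberately unsafe variant does leak confirms the test would fail if someone later replaced the bound parameter with string formatting.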
Kim explained that there is not time to do a thousand manual reviews a day. However, automated tools such as source code analysis software offer a way to continually review and correct mistakes. He noted that Twitter's developers and operations integrate security into their daily work by running checks every time they save their code, not just upon completion.
"Basically every time a developer hits save it runs static code analysis and they'll get an email that says you just wrote a piece of code that creates this vulnerability and here's how you fix it," he said, according to Dark Reading.
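A minimal version of the check Kim describes, as an added example rather than Twitter's or any vendor's tool: it parses Python source with the standard ast module, flags calls to execute or executemany whose SQL text is assembled at runtime (percent formatting, concatenation, .format() or an f-string), and returns each finding with a line number and a fix hint, which is what a save or pre-commit hook would mail back to the developer. The rule name, the messages and the sample source being scanned are constructed for this illustration.

```python
"""Minimal static check run on every save/commit (added example).

Not Twitter's tooling or a Klocwork product: a small ast-based scanner
whose rule name, messages and sample input are constructed here.
"""
import ast

SINK_NAMES = {"execute", "executemany"}


def _is_dynamic_sql(node):
    """True if the expression builds its string from runtime pieces."""
    if isinstance(node, ast.JoinedStr):                   # f"... {x}"
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        # "..." % x or "..." + x; two literals joined is harmless
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):              # "...".format(x)
        return True
    return False


class SqlSinkVisitor(ast.NodeVisitor):
    """Collect calls whose first argument (the statement) is built dynamically."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr in SINK_NAMES
                and node.args and _is_dynamic_sql(node.args[0])):
            self.findings.append({
                "line": node.lineno,
                "rule": "SQL-STRING-BUILD",
                "message": ("SQL statement assembled from runtime values; "
                            "pass them as bound parameters instead: "
                            "cursor.execute('... WHERE col = ?', (value,))"),
            })
        self.generic_visit(node)


def scan_source(source, filename="<saved file>"):
    """Return the list of findings for one file's source text."""
    visitor = SqlSinkVisitor()
    visitor.visit(ast.parse(source, filename=filename))
    return visitor.findings


# Constructed sample of what a developer might have just saved.
SAMPLE = '''
def by_name(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)   # flagged

def by_id(cur, uid):
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")          # flagged

def by_email(cur, email):
    cur.execute("SELECT * FROM users WHERE email = ?", (email,))  # clean
'''


if __name__ == "__main__":
    for f in scan_source(SAMPLE, "sample.py"):
        print("sample.py:%d [%s] %s" % (f["line"], f["rule"], f["message"]))
```

Wiring this into a save hook or a pre-commit hook is a matter of running scan_source over the changed files and refusing the commit, or sending the report, when the list is non-empty; the value is that the developer sees the line and the fix while the code is still fresh.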
Such frequent testing also helps with developer education, Galbreath explained. Instead of asking developers to make fixes six months down the line when they've forgotten the intricacies of a specific piece of code, a DevOps approach with automated analysis gives feedback right away. Smaller batch deployments also reduce the complexity of each rollout, so each change is easier to review and a regression is easier to trace back to the commit that introduced it. By bringing tools such as static analysis software into the coding process and using a DevOps methodology, even in just some parts of their organization, companies can begin to make security an ingrained part of development while increasing the pace of deployment.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.