Why Security and DevOps Go Hand in Hand

Imagine a six-lane highway suddenly merging into one lane. If there are enough cars it results in chaos, traffic jams, accidents, frustration, and at worst fully stops traffic. This is what a distributed denial-of-service (DDoS) security attack does to a server.

Security attacks, like a DDoS attack, occur when multiple, often compromised, systems flood the bandwidth or resources of a targeted system, usually one or more web servers. We may never know all the security breaches in the confusion caused by broad-scale attacks, but security breaches can be very damaging and expensive for companies. The 2016 Cost of Data Breach Study from the Ponemon Institute shows that the average cost per data breach has globally increased 29 percent since 2013. If you have a breach affecting 10,000 records, the cost of remediation would be over $1.5 million.

DDoS attacks made headlines in 2017 by interrupting many popular services like Twitter and Spotify and have thrown the security of our interconnected devices and systems into focus. Time-to-market and the flexibility to predict and react to rapid technological and cultural changes have driven a need for rapid and agile software development giving rise to new DevOps best practices. DevOps is a set of practices that include automating processes between software development, IT teams and end users, allowing organizations to build, test, and release software faster and more reliably. So, does DevOps help or hinder the requirement for more focus to be placed on security?

In traditional software development environments, security testing is usually carried out at or near the end of the software development cycle. In many cases, security testing is limited to scans of the infrastructure, which can leave potential vulnerabilities in the code exposed for exploitation. Development teams are more frequently incorporating secure coding practices and some code-level security analysis but rarely achieve a comprehensive security approach from start to finish and into maintenance. These approaches, along with many others not mentioned here, make security in today’s rapid pace of technology change unsustainable and high risk. In DevOps, continuous integration and continuous deployment, with automated testing that includes comprehensive code- and system-level analysis, make the rapid pace of technology change sustainable. We argue that it is far too difficult for the typical approaches to keep pace and be as effective as an end-to-end approach to building and sustaining secure applications through the practical application of DevOps principles and best practices.

Embedding security into the software development cycle from the start has become critically important. Although opinion is divided when it comes to DevOps, the 2016 State of DevOps Report from Puppet provides evidence to show that high performing software development teams spend 50 percent less time remediating security issues, validated again in the 2017 report.

Less time is spent on security issues because the teams provide continual input during the design of the application, including during software demos, which also allows time to develop pre-approved, easy-to-consume libraries, packages, toolchains and processes for developers and IT operations to use in their work.

Many are concerned that the speed at which technology is moving has come at the expense of good security, making it an afterthought. But we believe this is a pessimistic view.

The SANS Institute report, Continuous Security: Implementing the Critical Controls in a DevOps Environment, highlights challenges around auditing the infrastructure and end-user devices in a cloud environment that is provided by a third party. However, third parties take a positive view of developments in tools for tracking cloud-based assets and provide pointers around using APIs and Vendor Cloud Portals to provide audit assurance.

New, open-source tools to automate security testing are coming to market under the support of OWASP (the Open Web Application Security Project) and, as the Puppet and SANS reports demonstrate, integrating security teams and processes into DevOps from the beginning has significant advantages.

At Three Wire, we operate with the understanding that DevOps helps the focus on security. This includes involving our security teams at all stages in the development cycle and integrating security testing tools in an automated test and development environment. We also include an emphasis on developing, sharing and evolving secure coding practices. We wholeheartedly believe DevOps is inextricably linked with security and that good DevOps-based development requires secure coding practices and automated security testing. To learn more about Three Wire and our work with DevOps visit https://www.threewiresys.com/what-we-do/application-development.

Agile Application Development and the Advisor Outcomes Platform

Three Wire Systems, VetAdvisor’s parent company, has established an Agile software development division – a highly skilled, cross-functional team with extensive experience in large scale (500,000+ user), enterprise-level applications. Three Wire develops “products with a purpose” and currently supports applications custom-built for Department of Defense (DoD) Family Programs serving service members, veterans, and their families. In fact, VetAdvisor itself is run on the Advisor Outcomes Platform, an Open Source Software (OSS) case management system.

Three Wire’s Agile development practice and culture were recently reaffirmed when we were selected to be a part of the 18F Agile GSA BPA. 18F is a GSA consultant that, along with the US Digital Services (USDS), is attempting to revolutionize the way the Government purchases software. 18F’s mission is to bring private sector standards into public sector projects, with specific focus on Agile methodologies, rapid, iterative development, human centered design, and end-user research which results in robust, easy-to-use applications that fit today’s larger workflows.

Three Wire was selected by completing three prototypes in a time-boxed 36-hour delivery cycle. Sprints were split into 6 and 12 hours, and a highly Agile, cross-functional team produced prototypes using OpenFDA data. Only 16 companies were awarded a spot on the BPA. The Agile GSA BPA allows Three Wire an exclusive chance to bid on designated Agile projects.

Three Wire and VetAdvisor will continue to support service members, veterans, and their families through Agile development, OSS platforms, and cloud-based web services. To learn more about Three Wire’s Agile practice, OSS, and cloud hosting capabilities, and about our past performance for DoD Family Programs, click here to download the Three Wire Agile Application Development Solution Brief.

 

Welcome, Xtendable Customers!

Who Supports my Xtendable Server?

Xtendable Server is a .NET open standards modular development platform that once provided cost effective design, deployment, and hosting for complete end-to-end web systems. Xtendable Server came with pre-tested core modules that allowed developers to build applications that were cost effective and could be implemented quickly. Xtendable Server is still owned by DefenseWeb and licensed on a “software as a service” (SAAS) basis, as well as for hosting by the customers in their own environments.

In January of 2014 DefenseWeb Technologies gave notice to its clients that it was moving away from the Federal IT market and had selected Three Wire Systems and its subsidiary VetAdvisor, LLC to be the sole supporter of Xtendable Server. Today Three Wire and VetAdvisor support more than a dozen DoD clients with their web-based applications built on Xtendable Server.

We are committed to providing uninterrupted excellence in service to current Xtendable Server customers. In fact, the government recently cited Three Wire as the sole source capable of continued Xtendable maintenance.

Options for Xtendable Customers

We understand there will be a need down the road for a new platform to replace the Xtendable Server and we are developing an innovative and cost-effective Open Source solution that will meet the future needs of current Xtendable Server customers. Click here to download a white paper where we explore options for Xtendable customers looking to transition to a new platform and provide a glimpse at our own strategy of combining the best-of-breed Open Source to create a completely new offering especially for Xtendable customers.

Be sure to check back for upcoming white papers describing our new platform.

Three Wire/VetAdvisor Sponsor 2014 Face of America Ride

World T.E.A.M. Sports’ April 25-27, 2014 Face of America ride will travel 110 miles from the Pentagon in Arlington, Virginia to the historic Civil War battlefields of Gettysburg, Pennsylvania.

Presented by Capital One Bank and sponsored by Three Wire Systems, the Face of America honors the men and women who were wounded or disabled while in service to their nation. Participants include many disabled veterans, along with currently active military and retired military. Active duty service and emergency response men and women also join hundreds of able-bodied citizens who ride together.

It’s not simply a bike ride, it’s one of the largest annual non-competitive bicycle rides in the Washington, D.C. region. With nearly 600 riders, it is an opportunity to share stories and build camaraderie while honoring America’s disabled veterans and the American spirit.

With many returning riders each year, this inspiring event has a limited number of entries. Register today to join our team on April 25.

National Veterans Job Retention Survey FAQ

The Institute for Veterans and Military Families at Syracuse University and VetAdvisor have launched our national Veterans Job Retention Survey, and we’re hoping all interested veterans will participate. We’ve put together some FAQ to help better understand the reasons why we’ve launched the survey and how participation will help us better serve veterans.

 

  • Where do I take the survey? How long will it be open?
    ◦ The survey, which can be found at www.retainingvets.org, will be open until we get a statistically significant number of responses. We are hoping to get 5,000 veterans to take the survey.

  • What is the target population for the survey?
    ◦ The target response population for this survey is both current military service members and veterans over the age of 18, so that we can assess both the transition planning of current service members and the experiences of veterans who have already transitioned in finding and maintaining employment after service.

  • Do I have to complete the survey in one sitting?
    ◦ It is recommended that you complete the survey in one sitting, as it is anonymous and the survey won’t record or remember your responses until the end when you submit your answers.

  • Are the data confidential?
    ◦ Yes! All data collected from individuals are confidential and will never be released with any identifying information attached.

  • Are the data secure?
    ◦ Yes! Individuals that submit their information can be assured that the data are secure. Only authorized research personnel have access to the data on the Web-based survey. In addition, a personalized ID and password are needed to access the Web-based survey.

  • What if I don’t know an answer to a question?
    ◦ There are no right or wrong answers, as many of the questions are asking about your personal experience. We just need your honest answers, and please be as accurate as possible.

  • What kinds of questions will the Veterans Job Retention Survey ask?
    ◦ The survey will ask general demographics questions, as well as questions about veteran status, employment status, the number of jobs held after service, industry and job types to compare data across groups of veterans.

  • What is job retention? Why does it matter?
    ◦ With hiring veterans in the national spotlight, it’s important to ensure veterans are able to both find and maintain employment after service. If we can better understand the factors that go into why veterans stay or leave their first job, we can help employers better retain veterans and their unique skills and experiences.

  • Why the focus on a veteran’s first job after leaving the military?
    ◦ Anecdotal evidence indicates that many veterans do not stay long at their first job after separation. We’re interested in gathering data to support (or refute) that evidence, and to better understand the causes that lead to this phenomenon.

  • When will the results be available?
    ◦ The results of the Veterans Job Retention Survey will be available by 2014, after the research team completes data analysis and the creation of a research report detailing the results.

  • What will we be able to learn from the results?
    ◦ The results of this survey will provide important insights into the employment experiences of veterans after military service, including how many jobs they have, which industries they have found long-term employment in, and how long veterans stay at their first jobs after service. These findings have significant implications for the career trajectories of veterans after service and more information on this topic can support the implementation of policies and programs designed to increase veterans’ post-service career success.

  • Can I take the survey more than once?
    ◦ We request that you do not take the survey more than once, as this will negatively impact the accuracy of our study results. In addition, the online data collection software that we use, Qualtrics, will remember your IP address so you should not be able to complete multiple surveys.

  • Can I take the survey on a mobile device or tablet?
    ◦ It is recommended that you complete the survey on a computer, especially since accessing the survey may use part of your data plan if you access it using a mobile device.