Why Security and DevOps Go Hand in Hand

Imagine a six-lane highway suddenly merging into one lane. With enough cars the result is chaos: traffic jams, accidents, frustration and, at worst, traffic that stops entirely. This is what a distributed denial-of-service (DDoS) attack does to a server.

Attacks such as DDoS occur when multiple, often compromised, systems flood the bandwidth or resources of a targeted system, usually one or more web servers. We may never learn of every security breach that occurs amid the confusion of a broad-scale attack, but breaches can be very damaging and expensive for companies. The 2016 Cost of Data Breach Study from the Ponemon Institute shows that the average cost per data breach has increased 29 percent globally since 2013. A breach affecting 10,000 records would cost over $1.5 million to remediate.

DDoS attacks made headlines in 2017 by interrupting popular services such as Twitter and Spotify, and have thrown the security of our interconnected devices and systems into focus. Time-to-market pressure and the need to predict and react to rapid technological and cultural change have driven demand for rapid, agile software development, giving rise to new DevOps best practices. DevOps is a set of practices that automate the processes between software development, IT operations teams and end users, allowing organizations to build, test and release software faster and more reliably. So, does DevOps help or hinder the need for a stronger focus on security?

In traditional software development environments, security testing is usually carried out at, or near, the end of the development cycle. In many cases it is limited to scans of the infrastructure, which can leave vulnerabilities in the code exposed for exploitation. Development teams are increasingly incorporating secure coding practices and some code-level security analysis, but rarely achieve a comprehensive security approach that runs from design through release and into maintenance. These approaches, along with many others not mentioned here, make security unsustainable and high risk at today's pace of technology change. In DevOps, continuous integration and continuous deployment with automated testing, including comprehensive code- and system-level analysis, make that pace sustainable. We argue that the typical approaches cannot keep up or be as effective as an end-to-end approach to building and sustaining secure applications through the practical application of DevOps principles and best practices.

Embedding security into the software development cycle from the start has become critically important. Although opinion is divided when it comes to DevOps, the 2016 State of DevOps Report from Puppet provides evidence that high-performing software development teams spend 50 percent less time remediating security issues, a finding validated again in the 2017 report.

Less time is spent on security issues because security teams provide continual input during the design of the application, including during software demos. This also leaves time to develop pre-approved, easy-to-consume libraries, packages, toolchains and processes for developers and IT operations to use in their work.
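To make the two ideas above concrete, here is an added example of a small security gate that a CI pipeline could run on every commit: a code-level check that flags likely hard-coded credentials, and a dependency check that rejects packages or versions not on the security team's pre-approved list. This is illustrative code written for this page, not Three Wire's tooling or any particular product; the regexes, the allowlist contents, the sample source file and the sample requirements file are all constructed for the example.

```python
"""Minimal CI security gate (added example, not the page's or any vendor's code).

Two checks a pipeline can run before a build is allowed to deploy:
  1. code level: flag lines that look like a committed credential
  2. dependency level: reject packages/versions absent from a pre-approved list
All patterns, allowlist entries and sample inputs below are constructed.
"""
import re
import sys
from dataclasses import dataclass

# Regexes for strings that commonly mean a credential was committed to source.
# The AWS pattern follows the documented "AKIA" + 16 uppercase/digit format.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"
    ),
}

# Pre-approved dependency list a security team would maintain (constructed values):
# package name -> set of versions that have been reviewed.
ALLOWLIST = {
    "requests": {"2.31.0"},
    "flask": {"3.0.0"},
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str


def scan_source(path, text):
    """Return a Finding for every line that matches a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule))
    return findings


def parse_requirements(text):
    """Parse pip-style 'name==version' lines; unpinned entries get version None."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
        else:
            deps[line.lower()] = None
    return deps


def check_dependencies(deps, allowlist):
    """Return (name, reason) for every dependency that is not pre-approved."""
    violations = []
    for name, version in deps.items():
        if name not in allowlist:
            violations.append((name, "not on the pre-approved list"))
        elif version is None:
            violations.append((name, "version not pinned"))
        elif version not in allowlist[name]:
            violations.append((name, f"version {version} not approved"))
    return violations


def run_gate(sources, requirements, allowlist=ALLOWLIST):
    """Run both checks. sources maps path -> file text. Returns (passed, report)."""
    report = []
    for path, text in sources.items():
        for f in scan_source(path, text):
            report.append(f"{f.path}:{f.line}: possible secret ({f.rule})")
    for name, reason in check_dependencies(parse_requirements(requirements), allowlist):
        report.append(f"requirements: {name}: {reason}")
    return (not report), report


# Constructed inputs: one source file with two committed secrets (the AWS value is
# the documented example key) and a requirements file with one unpinned and one
# unapproved package.
SAMPLE_SOURCE = (
    "# constructed sample config\n"
    "TIMEOUT = 30\n"
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    'DB_PASSWORD = "hunter2hunter2"\n'
)
SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask  # unpinned\nleftpad==1.0.0\n"

if __name__ == "__main__":
    passed, report = run_gate({"config.py": SAMPLE_SOURCE}, SAMPLE_REQUIREMENTS)
    print("\n".join(report) or "security gate passed")
    sys.exit(0 if passed else 1)  # a non-zero exit fails the pipeline stage
```

Run as a pipeline step, the script's exit status is what matters: a non-zero exit blocks the merge or deployment, which is how the "comprehensive, code- and system-level" checks described above get enforced automatically rather than at the end of the cycle. In a real pipeline the allowlist would live in version control under the security team's ownership, so approving a new library version is itself a reviewed change.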

Many are concerned that the speed at which technology is moving has come at the expense of good security, making it an afterthought. We believe this is a pessimistic view.

The SANS Institute report, Continuous Security: Implementing the Critical Controls in a DevOps Environment, highlights the challenges of auditing infrastructure and end-user devices in a cloud environment provided by a third party. However, third parties take a positive view of developments in tools for tracking cloud-based assets and provide pointers on using APIs and vendor cloud portals to provide audit assurance.

New, open-source tools to automate security testing are coming to market with the support of OWASP (the Open Web Application Security Project) and, as the Puppet and SANS reports demonstrate, integrating security teams and processes into DevOps from the beginning has significant advantages.

At Three Wire, we operate with the understanding that DevOps sharpens the focus on security. This includes involving our security teams at every stage of the development cycle and integrating security testing tools into an automated test and development environment. We also emphasize developing, sharing and evolving secure coding practices. We wholeheartedly believe DevOps is inextricably linked with security, and that good DevOps-based development requires secure coding practices and automated security testing. To learn more about Three Wire and our work with DevOps, visit https://www.threewiresys.com/what-we-do/application-development.