TORONTO—For many organizations, the typical approach to implementing security is as a bolt-on feature after development. At the SecTor security conference in Toronto, Securosis CEO and analyst Rich Mogull explained why the emerging world of DevOps can radically remake how security is built into the software development and deployment process.
"The problem is that by nature, security is often reactive," Mogull said. "We don't control our destiny and we have to secure new stuff all the time."
On top of security often being a reactive activity, Mogull commented that many IT organizations are averse to change, since their environments are already very complex. As such, he said that he's aware of many organizations that want to update as little as possible, which leads to another set of problems. By not updating regularly, there is often a gap between deployed applications and those that developers are working on.
The challenge of dealing with the gap between development and deployment is one that the emerging practice known as DevOps aims to solve. Mogull explained that DevOps is essentially the practice of overlapping development and operations into a cohesive and integrated process.
Going a step further, Mogull suggests that DevOps also represents an opportunity for security to become part of the development and operations model. Using DevOps techniques, security testing can be built into the process that enables code to be pushed to production operations.
"So if you make a change and it passes all the automated testing, the code can go into production," Mogull said. "If something in the product fails, you can roll back to the last known good state."
In the DevOps model, code changes are not made on running production code, but rather in the developer piece of the pipeline. Mogull said that in the DevOps model everything is audited, tested and recorded before any code goes into production.
"Some of the organizations I work with have actually disabled SSH access to their production servers," Mogull said. "Why? Because it's a security violation and you break the pipeline if you make changes on production servers."
Some of the advanced DevOps practitioners do not even patch their live production servers anymore. Instead, Mogull said that with DevOps, an entirely new platform can be pushed out when patches are needed, rather than patching a live, running platform. The new fully patched platform can be launched while the existing non-patched platform is still live, and then services can be migrated when ready.
"You don't patch any of your running servers; you create a new master image that all the instances run off of and then you just start shutting off non-patched instances," Mogull said. "With DevOps, you don't patch anymore; you just update in place."
Mogull added that with DevOps the basic fundamentals of security auditing and control don't change. What does change is how security auditing is implemented in an organization. In the DevOps model, an application development environment is synchronized, consistent and automated. As such, there isn't a gap between development and production.
"No one ever makes a change on the live site, and all changes are made at the development end," Mogull said. "It speeds up our deployment cycles, reduces error and improves business agility."
Although Mogull is very enthusiastic about embracing the DevOps model for security, he also understands why some professionals might be hesitant to use it. Since the DevOps model is highly automated, it requires security professionals to have what Mogull referred to as trustable security automation. Historically, Mogull said, security professionals have had to do many elements of security testing manually, but that no longer necessarily needs to be the case in the DevOps model.
"The thing is that if we look at the level of security testing, DevOps is a security dream," Mogull said. "This is our flying car. We have never had a better ability to embed security into our organizations."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.