Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development

    SecTor: Why DevOps Is the Key to Security

    By
    Sean Michael Kerner
    -
    October 23, 2014
    Share
    Facebook
    Twitter
    Linkedin
      devops security

      TORONTO—For many organizations, the typical approach to implementing security is as a bolt-on feature after development. At the SecTor security conference in Toronto, Securosis CEO and analyst Rich Mogull explained why the emerging world of DevOps can radically remake how security is built into the software development and deployment process.

      “The problem is that by nature, security is often reactive,” Mogull said. “We don’t control our destiny and we have to secure new stuff all the time.”

      On top of security often being a reactive activity, Mogull commented that many IT organizations are averse to change, since their environments are already very complex. As such, he said that he’s aware of many organizations that want to update as little as possible, which leads to another set of problems. By not updating regularly, there is often a gap between deployed applications and those that developers are working on.

      The challenge of dealing with the gap between development and deployment is one that the emerging practice known as DevOps aims to solve. Mogull explained that DevOps is essentially the practice of overlapping development and operations into a cohesive and integrated process.

      Going a step further, Mogull suggests that DevOps also represents an opportunity for security to become part of the development and operations model. Using DevOps techniques, security testing can be built into the process that enables code to be pushed to production operations.

      “So if you make a change and it passes all the automated testing, the code can go into production,” Mogull said. “If something in the product fails, you can roll back to the last known good state.”

      In the DevOps model, code changes are not made on running production code, but rather in the developer piece of the pipeline. Mogull said that in the DevOps model everything is audited, tested and recorded before any code goes into production.

      “Some of the organizations I work with have actually disabled SSH access to their production servers,” Mogull said. “Why? Because it’s a security violation and you break the pipeline if you make changes on production servers.”

      Some of the advanced DevOps practitioners do not even patch their live production servers anymore. Instead, Mogull said that with DevOps, an entirely new platform can be pushed out when patches are needed, rather than patching a live, running platform. The new fully patched platform can be launched while the existing non-patched platform is still live, and then services can be migrated when ready.

      “You don’t patch any of your running servers; you create a new master image that all the instances run off of and then you just start shutting off non-patched instances,” Mogull said. “With DevOps, you don’t patch anymore; you just update in place.”

      Mogull added that with DevOps the basic fundamentals of security auditing and control don’t change. What does change is how security auditing is implemented in an organization. In the DevOps model, an application development environment is synchronized, consistent and automated. As such, there isn’t a gap between development and production.

      “No one ever makes a change on the live site, and all changes are made at the development end,” Mogull said. “It speeds up our deployment cycles, reduces error and improves business agility.”

      Although Mogull is very enthusiastic about embracing the DevOps model for security, he also understands why some professionals might be hesitant to use it. Since the DevOps model is highly automated, it requires security professionals to have what Mogull referred to as trustable security automation. Historically, Mogull said, security professionals have had to do many elements of security testing manually, but that no longer necessarily needs to be the case in the DevOps model.

      “The thing is that if we look at the level of security testing, DevOps is a security dream,” Mogull said. “This is our flying car. We have never had a better ability to embed security into our organizations.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Avatar
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×