Where to Integrate Security Practices on DevOps Platform

Where to Integrate Security Practices on DevOps Platform

Hasan Yasar (Software Engineering Institute, CMU, Pittsburgh, PA, USA) and Kiriakos Kontostathis (Software Engineering Institute, CMU, Pittsburgh, PA, USA)
Copyright: © 2016 |Pages: 12
DOI: 10.4018/IJSSE.2016100103
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

“Software security” often evokes negative feelings amongst software developers because this term is associated with additional programming effort, uncertainty and road blocker activity on rapid development and release cycles. The Secure DevOps movement attempts to combat the toxic environment surrounding software security by shifting the paradigm from following rules and guidelines to creatively determining solutions for tough security problems (Taschner, 2015). Secure software should be focused on a proactive approach that limits the attack surface and produces reliable software. Secure DevOps developers want their software to bend but not break, which means the software absorbs attacks and continues to function. The burgeoning concepts of DevOps include a number of concepts that can be applied to increase the security of developed applications. Applying these and other DevOps principles can have a big impact on creating an environment that is resilient and secure. Specifically, this paper clearly explains how to address security concerns in the early stages of the development lifecycle and leverage that knowledge throughout the SDLC.
Article Preview

1. Introduction

In the past, software security focused on anticipating where and how attacks would be leveraged on an application and putting up barriers to prevent those attacks. However, most attacks, especially sophisticated attacks, can't be anticipated, which means that fixes are bolted on as new vulnerabilities are discovered. The inability to anticipate attacks and lack of implementing security early in a project lifecycle is why there are often patches in response to 0-day vulnerabilities (Kongsli, 2006). This paper discusses ways to reverse this reactive nature of secure development and help teams to respond more quickly and more effectively to cyber incidents.

Developing a secure lifecycle requires the development team to focus on continuous integration, infrastructure as code, eliminating denial of service (DOS), and limiting the attack surface. These include adding automated security testing techniques such as fuzz testing, software penetration testing to the software development cycle or the system integration cycle. Other techniques include standardizing the integration cycle in order to reduce the possibility of faults and security concerns by implementing good security practices from the inception of the project, or “pushing security left” (Tomhave & Kenefick, 2014).

This paper focuses on how implementing security from the inception of a project greatly improves the overall security of the software being produced. It also discusses how implementing these pieces of security on a DevOps platform allows for rapid release cycles as well as secure software. These techniques provide developers, and other team members, a deeper understanding of what makes a truly secure application.

1.1 Problem Statement

It is very difficult to integrate security into the software development lifecycle because there is no time for manual penetration testing and audits. There is also no opportunity to put in control gates and perform extensive security reviews. These problems arise due to the velocity of change in the software lifecycle. The velocity of change increases due to rapid business changes (Liu, Y., L. Chengbo, and L. Wei), growing vulnerabilities, software complexity and dependencies on third-party libraries (i.e. open source modules). Organizations like Facebook and Etsy are delivering changes into production environment 50 or more times each day. Amazon has thousands of small engineering teams working independently and continuously deploying changes into various production environments. In 2014, Amazon deployed 50 million changes which equates to more than one deployment per second (Brigham & Liguori, 2015). This paper discusses how a development team can take measures early in the DevOps software development lifecycle to ensure the security of their piece of software.

3. Barriers To Incorporating Security Into The Sdlc

There are several barriers that face companies, development teams, etc. which make incorporating security into the SDLC difficult. The following sections discuss the most common barriers, which means that this list is not exhaustive.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 8: 4 Issues (2017): 2 Released, 2 Forthcoming
Volume 7: 4 Issues (2016)
Volume 6: 4 Issues (2015)
Volume 5: 4 Issues (2014)
Volume 4: 4 Issues (2013)
Volume 3: 4 Issues (2012)
Volume 2: 4 Issues (2011)
Volume 1: 4 Issues (2010)
View Complete Journal Contents Listing