A term I have heard a lot about both this week at RSA Conference and in the past few months is that of DevOps, particularly related to security.
What is DevOps? According to Wikipedia, DevOps is a software development method that stresses communication, collaboration (information sharing and web service usage), integration, automation and measurement of cooperation between software developers and other IT professionals. Emphasis is on the interdependence of software development, quality assurance and IT operations, with an aim to produce software products and services on time, and to improve operations performance. It aims to maximise the predictability, efficiency, security and maintainability of operational processes.
So why does this matter now? Perhaps the big bugs of 2014 have put the fear into system administrators and developers that security finally needs to be considered, or failing that, they are tired of seeing the same old flaws in the OWASP top ten every year.
This week at RSA Conference in San Francisco, I attended a talk by David Mortman, chief security architect and distinguished engineer at Dell Software, and Josh Corman, CTO of Sonatype and co-founder of the think tank “I am The Cavalry”, where they said that software in DevOps is moving to be faster with lower risk, and security is the driver.
Corman said: “You can introduce DevOps into your environment and think about headlines as everyone sees cyber on the news. If you spend $80BN to protect credit cards and most major retailers are breached, so you have fought hard and it is not enough to work harder, but you need to work smarter as well. Motives matter, and you can find ways to do things faster and it is good for us as an industry.”
Corman said that when it came to the Heartbleed bug, most businesses spent their time determining what version of SSL they were running. “It becomes super important as it is about knowing what to patch and how developers are motivated – by time,” he said.
Mortman said that security has a culture of sharing and data analysis, and using tools and threat configurations to get better ideas of what the services are and to get a higher factor of confidence to know what is going on. He said: “Do not let technology and tools rule your decisions, let your decisions rule technology and tools. IT becomes our issue when availability ceases to happen.”
As I said at the start, DevOps is something I have heard plenty about recently. Mortman said that the purpose of DevOps is to make things simple as “more complex code is more vulnerable”.
On a recent edition of the podcast “Down the Security Rabbit hole”, Robert Hansen, vice president of WhiteHat Labs at WhiteHat Security, said that the DevOps world, where you take the handling of your own infrastructure out of the equation (as it is harder to hire good network engineers if you are a small company), gives you a huge advantage, and the whole industry gets better and there is more consumption.
He said: “I don’t think we are ever going to see a major increase in good security talent, although I do believe we will continue to see a rise in people who are barely getting by.”
I asked Hansen if he could expand on the comments, and he said that he didn’t think that we are changing the code nearly as fast as the code is becoming more vulnerable, due to a great number of different factors in the ecosystem.
“It’s both because there are better guys doing security, and because it frees up resources to do both,” he said. “It takes a fraction of a head count to have someone host for you compared to having to do it yourself, and deal with the number of amps your rack is pulling from your 20 amp circuit and where backups go, and what sort of issues you’re seeing with one of your drives.
“These are just things modern companies don’t want to think about, regardless of whether they are real concerns or not. The more they can abstract those problems and write a check to avoid them the more they can focus on what they’re really good at.”
James Brown, director of cloud solutions architecture EMEA at Alert Logic, told me that when he was with Microsoft he did a lot around DevOps, as it allowed him to roll out a fully automated and scripted update to 1,000 servers, and that meant delivering agility.
Is it all too good to be true? Can this level of skilled workers and automation really be expected to solve all of security’s problems overnight? Of course not, but as Mortman said: “The more complex the code, the harder it is to make changes without breaking things.”
Maybe it is about doing less and doing it better? Mortman said that it is better to make smaller changes, where there are fewer chances of problems in a smaller set of code.
Corman said that complexity is the enemy of stability, but speed is an issue. The two presenters identified the five key challenges for security and DevOps as: instrument, be mean to your code, simplify, change management and empathy.
Is this the beginning of a new trend? There is nothing new about DevOps generally for 2015, but maybe this is about efficiency and just simply trying to do things better.