Reducing Software Vulnerabilities with DevOps

By CIOReview | Wednesday, September 21, 2016

DevOps is a fairly recent phenomenon that has taken the entire IT sector by storm. The term refers to a cultural shift that emphasizes collaboration and communication between software developers and IT operations, while automating the process of software delivery and infrastructure changes. Applied properly, these practices lead to a faster rate of feature releases, but there is also a downside: they can introduce new software vulnerabilities.

Google Trends confirms that the popularity of DevOps is on the rise. The demand is also evident in traditional organizations shifting towards DevOps for cloud-based software development. According to a Gartner report, “By the end of this year DevOps will evolve from a niche strategy put to use by large cloud providers to a more popular and mainstream strategy employed by 25 percent of Global 2000 organizations.”

Much software is vulnerable to attack, yet companies spend the least amount of money protecting it. By some estimates, enterprises spend only $0.5 billion on software supply chain security, which is peanuts compared to the money spent on network security and data security. Companies are suddenly waking up to the DevOps reality and the difference it could make to an organization’s delivery capabilities. Organizations are gradually overcoming the barriers to its successful implementation and achieving real benefits in terms of speed and efficiency. But there are some long-lingering security issues that need to be taken care of as soon as possible. With companies now pushing more changes more quickly, risks have increased exponentially, including integrating third-party software with known vulnerabilities, being unable to fix security issues, and poor configuration.

As DevOps continues to march ahead, not enough attention is being paid to security, which has led to the need for a more secure and rugged DevOps approach. With DevOps in the picture, delivery and testing have taken on a whole new dynamic: small sets of capabilities are continuously delivered and tested through the application delivery setup. This can be a great asset to security teams, who can use the same delivery approach in their favor to reduce risk by identifying delivery shortcomings early and mitigating them.

Security is too critical to be an afterthought. It needs to become an integral part of any DevOps operation. IT security concerns have mounted in recent times with reports of security breaches from around the globe, which has led to a greater emphasis on security, and organizations are taking a second look at their existing security cover. One such case is the Heartbleed bug found in the TLS library used to secure web pages. Affected enterprises had to update their software and also had to revoke and replace all of their security credentials. Other widespread security exposures were discovered in Bash and Apache Struts. These incidents led to the introduction of the ‘Cyber Supply Chain Management and Transparency Act’ in Congress.

Dealing with Risks

There are many benefits when development and operations teams work in tandem, so perhaps it is time we applied the same logic to security and risk experts. They should work in close coordination with one another; identifying a security glitch at the very outset saves a lot of time and pain later. They can also provide the complete picture on how to set up alerts and improve response times.

One critical aspect of security is to embed security checks into your continuous delivery system. Security improvements should likewise be made in small, fast increments. Continuous automation of these checks gives security experts ample time to tackle other security concerns at the very outset.
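One way to embed such a check into a delivery pipeline, as an added example that is not part of the original article: a gate that reads the build's dependency manifest, matches each third-party component against a list of vulnerability advisories with affected version ranges, and fails the release stage when a finding reaches the configured severity. The advisory records, identifiers and manifest are constructed sample data, and the range semantics (affected from `introduced` up to but excluding `fixed`) are an assumption of this example.

```python
from __future__ import annotations
# Hypothetical CD-pipeline gate (example code, not from the article): block a
# release when its third-party components match known-vulnerability advisories.
# All advisory records and the manifest below are constructed sample data.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(version: str) -> tuple:
    """Split '1.0.1f' into ((1,''),(0,''),(1,'f')): numeric parts compare
    numerically and a letter suffix sorts after the bare number."""
    parts = []
    for piece in version.strip().split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(parts)

def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """Affected if introduced <= version < fixed; fixed=None means no fix yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def parse_manifest(text: str) -> list[tuple[str, str]]:
    """Manifest lines are 'name version'; blank lines and '#' comments are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, version = line.split()
            deps.append((name.lower(), version))
    return deps

def scan(manifest: str, advisories: list[dict]) -> list[dict]:
    """Return one finding per (component, advisory) match."""
    return [{"component": n, "version": v, "advisory": a["id"],
             "severity": a["severity"], "fixed": a.get("fixed")}
            for n, v in parse_manifest(manifest) for a in advisories
            if a["component"] == n and is_affected(v, a["introduced"], a.get("fixed"))]

def gate(findings: list[dict], fail_at: str = "high") -> bool:
    """True when the release may proceed: no finding at or above fail_at."""
    return all(SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[fail_at] for f in findings)

# Constructed sample data: advisory ids and version ranges are illustrative only.
ADVISORIES = [
    {"id": "ADV-SAMPLE-001", "component": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g", "severity": "critical"},
    {"id": "ADV-SAMPLE-002", "component": "struts2-core", "introduced": "2.0.0", "fixed": "2.3.16", "severity": "high"},
    {"id": "ADV-SAMPLE-003", "component": "sample-util", "introduced": "1.0.0", "fixed": None, "severity": "low"},
]
MANIFEST = "# build 42 lock (constructed)\nopenssl 1.0.1f\nstruts2-core 2.3.16.1\nsample-util 1.3.0\n"
```

Running `scan(MANIFEST, ADVISORIES)` on the sample data reports the OpenSSL and sample-util matches and `gate()` returns False, so a pipeline step can exit non-zero on that result; the patched Struts version falls outside its range and produces no finding.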

Another important aspect is the effectiveness of the security measures. Enterprises should run penetration tests regularly to find out how well their processes stand up. There should also be a clear remediation plan to eliminate any vulnerability found.

Adoption of the DevOps culture leads to a leaner, better, and more efficient delivery system. The security risks associated with this rapid and agile approach to software development and delivery are well documented and can be readily addressed. It is not a Herculean task, and enterprises should not overlook or ignore these risks. If the security aspects and risks are not handled properly, they can lead to several roadblocks and issues in the near future.