How DevOps Drives InfoSec

[article]

In his Behaviorally Speaking series, Bob Aiello discusses hands-on software configuration management best practices within the context of organizational and group behavior.

Summary:
While DevOps is typically thought of as being the relationship and interaction between development and operations, the truth is that DevOps impacts QA, testing, and—most importantly—information security (InfoSec). DevOps is, above all else, a set of principles and practices tailored to improve communication between all stakeholders, of which InfoSec is a key part. This article will help you integrate your InfoSec into DevOps.

While DevOps is typically thought of as being the relationship and interaction between development and operations, the truth is that DevOps impacts QA, testing, and—most importantly—information security (InfoSec). DevOps is, above all else, a set of principles and practices tailored to improve communication between all stakeholders, of which InfoSec is a key part. This article will help you integrate your InfoSec into DevOps.

Information security is responsible for establishing policies that help ensure a secure environment; to maintain this secure environment—known as the trusted base—InfoSec includes a set of practices that help maintain a secure environment. The completely secure environment is known as the trusted base. The National Institute of Standards and Technology (NIST) publishes a series of standards, including the Guide for Security-Focused Configuration Management of Information Systems (NIST 800-128). There are several other security related standards that also impact configuration and release management, but the interesting fact is that information security and the NIST-related standards actually depend upon configuration management (CM).

Configuration management best practices are described in industry standards, including the IEEE 828, EIA 649, and ISO 10007, along with frameworks such as CMMI, Cobit, and ITIL. The security standards include the NIST and ISO 27000 family of standards and they all reference and depend upon the aforementioned configuration management standards and frameworks. InfoSec could not possibly be effective without CM, and we increasingly see that DevOps facilitates InfoSec too. To understand the real-life application of these standards and frameworks, we need only examine how application code is built, packaged, and deployed.

DevOps helps us ensure that we know exactly what configuration items (CIs) need to be built and that we use the correct source code baselines to build them. These best practices, based upon industry standards and frameworks, enable us to build fully verifiable CIs and to embed immutable version IDs as part of the automated build procedure. Immutable version IDs are essential for conducting a physical configuration audit which an essential function to comply with audit and regulatory requirements. InfoSec also relies upon the configuration audit to verify that the correct configuration items were built and deployed as planned.

Release packaging is also a key aspect of this process. Many build tools, such as Ant, Maven, and Make, provide routines to automate the creation of release packages, like Java JARs, WARs, and EARs. These automated procedures also enable you to create a manifest that contains essential information about the configuration items in the container and the release package itself. Another important best practice in the use of cryptography to ensure the integrity of the release package and its contents.

If you have ever downloaded software from the Internet then you have likely come across packages that have been signed and verified using cryptographic hashes, such as MAC-SHA1 and MD5. Cryptographic hashes can be used to ensure that the authenticity of the source or what is known as non-repudiation. They also can be used to verify that the package has not been tampered with itself. Cryptography can help by maintaining secure baselines and alert authorities to unauthorized changes. These practices enable you to create what is known as the trusted base.

The trusted base is the secure and verifiable runtime environment built using these security-focused best practices that ensure that you know exactly what CIs were built using the correct source code baseline in the build itself. There have been recent incidents where banks, exchanges and other financial institutions have suffered serious system glitches because of security issues including attacks by hackers. These incidents highlight the need for robust configuration management best practices including DevOps that should start early in the development process. DevOps focuses on implementing automated application build, package, and deployment for development, QA, integration, pre-production, and production deployments. In all of these situations, testing is a must have.

About the author

Bob  Aiello's picture Bob Aiello

Technical Editor of CM Crossroads and author of Configuration Management Best Practices: Practical Methods that Work in the Real World, Bob Aiello is a consultant and software engineer specializing in software process improvement, including software configuration and release management. He has more than twenty-five years of experience as a technical manager at top New York City financial services firms, where he held company-wide responsibility for configuration management. He is vice chair of the IEEE 828 Standards Working Group on CM Planning and a member of the IEEE Software and Systems Engineering Standards Committee (S2ESC) Management Board. Contact Bob at Bob.Aiello@ieee.org, via Linkedin linkedin.com/in/BobAiello, or visit cmbestpractices.com.

AgileConnection is one of the growing communities of the TechWell network.

Featuring fresh, insightful stories, TechWell.com is the place to go for what is happening in software development and delivery.  Join the conversation now!

Upcoming Events

Nov 09
Nov 09
Apr 13
May 03