DevOps needs a security antitoxins injection

Texas-based virtualisation and cloud trends analyst firm TVP Strategy thinks that DevOps is failing to mitigate security flaws in code quality. The firm comes to this ‘finding’ as a result of research into Agile cloud development architectures and processes.

The firm claims to be spending research time on investigating how to add automated security to Continuous Integration (CI) and deployment without fundamentally changing what developers do, thereby (in theory) regaining some level of code quality and potentially improving DevOps.

TVP Strategy says that its research provides ‘a reference architecture’ that enables businesses to retain a grasp on code quality by advising on steps for maintaining code security.

DevOps’ heinous egregious crime

“In many cases, we have observed that DevOps is egregious at identifying security flaws in its penchant for rapidly releasing code,” said Edward L. Haletky, CEO and principal analyst at TVP Strategy.

TVP Strategy has worked with DevOps domain experts, such as Splunk’s chief technology advocate Andi Mann, to peer review its research to ensure it meets the demands of both the business and development functions.

Splunk flunks junk out the DevOps trunk

“While DevOps helps drive agility, velocity and more, it is often too easy for DevOps teams to overlook application security. So, I am excited that this research provides pragmatic recommendations on using data analytics to help ensure code quality and application security,” stated Mann.

The research discusses four key areas:

Code quality metrics – Measuring the adherence of code to security, performance, and compliance policies using automated static and dynamic processes.

Single pool of data – The business interprets the same data differently than development does, thus creating a dichotomy between development and operations. TVP Strategy suggests adopting a methodology that provides the same view in order to enable the same interpretation, therefore removing “finger pointing”.

Breach detection – Knowing all the decisions made to push out a code change makes it possible to add data on these decisions to breach detection, aiding efforts to determine exactly what changed to allow the breach. This architecture shows where to place logging to capture these decisions, both human and machine.

The cost to businesses of security flaws, such as API leakage – These costs can result in significant losses for businesses. The architecture shows how to feed costs and threats into automated continuous analytics.
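The first three areas share one mechanism: every decision that pushes a change to production (an automated gate verdict or a human override) is written as a structured record that both business and development read, so that a breach investigation can ask which changes, approved by whom and on what evidence, reached production shortly before the incident. The following is an added illustration of that idea, not code from TVP Strategy's reference architecture; the policy thresholds, field names, commit ids and timestamps are constructed for the example.

```python
"""Decision logging for a CI/CD release gate (constructed illustration).

Each release decision is one JSON line. The same records serve the
automated code-quality gate (static/dynamic scan results), the shared
data pool (one record, one interpretation) and breach investigation
(what changed in the window before the breach). All names and
thresholds below are assumptions for this example.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Hypothetical release policy enforced by the automated gate.
POLICY = {"max_high_static_findings": 0, "require_dynamic_pass": True}


@dataclass
class GateResult:
    high_static_findings: int   # high-severity findings reported by static analysis
    dynamic_passed: bool        # result of the dynamic scan against staging


@dataclass
class DeploymentDecision:
    commit_id: str
    decided_at: str             # ISO-8601 with explicit UTC offset
    actor: str                  # "ci-bot" for automated decisions, a user id for overrides
    gate: GateResult
    approved: bool
    reason: str                 # human-readable evidence behind the decision


def evaluate_gate(gate: GateResult, policy=POLICY) -> Tuple[bool, str]:
    """Automated code-quality/security gate: returns (approved, reason)."""
    if gate.high_static_findings > policy["max_high_static_findings"]:
        return False, f"{gate.high_static_findings} high-severity static findings"
    if policy["require_dynamic_pass"] and not gate.dynamic_passed:
        return False, "dynamic scan failed"
    return True, "all gates passed"


def decide(commit_id: str, decided_at: str, gate: GateResult,
           actor: str = "ci-bot", override_reason: Optional[str] = None) -> DeploymentDecision:
    """Build the decision record; a human override of a failed gate is logged with its reason."""
    approved, reason = evaluate_gate(gate)
    if not approved and override_reason:
        approved, reason = True, f"override by {actor}: {override_reason}"
    return DeploymentDecision(commit_id, decided_at, actor, gate, approved, reason)


def to_log_line(d: DeploymentDecision) -> str:
    """Serialise one decision as a single JSON line (the shared data pool format)."""
    return json.dumps(asdict(d), sort_keys=True)


def changes_before(log_lines: List[str], breach_at: datetime, window: timedelta) -> List[dict]:
    """Approved deployments inside the window ending at the breach, newest first."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        t = datetime.fromisoformat(rec["decided_at"])
        if rec["approved"] and breach_at - window <= t <= breach_at:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["decided_at"], reverse=True)


# Constructed sample log: three decisions on one day (not real data).
SAMPLE_LOG = [
    to_log_line(decide("a1b2c3", "2024-05-01T08:00:00+00:00", GateResult(0, True))),
    to_log_line(decide("d4e5f6", "2024-05-01T13:30:00+00:00", GateResult(2, True))),  # rejected
    to_log_line(decide("0a9b8c", "2024-05-01T15:45:00+00:00", GateResult(1, True),
                       actor="alice", override_reason="hotfix, finding is a false positive")),
]


def investigate(breach_iso: str, hours: int = 6, log: List[str] = SAMPLE_LOG) -> List[dict]:
    """Breach-investigation query: which approved changes landed in the last `hours`?"""
    return changes_before(log, datetime.fromisoformat(breach_iso), timedelta(hours=hours))


if __name__ == "__main__":
    for rec in investigate("2024-05-01T18:00:00+00:00"):
        print(rec["commit_id"], rec["actor"], rec["reason"])
```

Because the override is recorded with the actor and the gate evidence it overrode, the investigation output points directly at the change that bypassed the static-analysis policy, which is the "what changed to allow the breach" question the breach detection area raises.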

The compilation of research is ongoing, but it has already been the subject of a BrightTALK webcast entitled Securely Implementing Cloud Native Applications at the link shown here.