The DevOps and security tribes need to come together


Written by

Security professionals need to “stop resisting the empathy that comes with teamwork” and embrace their colleagues and partners from the DevOps community, argues white hat hacker Josh Corman.

“The DevOps tribe is willing to give us a big gushy hug,” Corman said Friday at AppSecUSA 2016, the annual gathering of the Open Web Application Security Project — an online community of developers devoted to building more secure software.

DevOps is the management philosophy that combines IT development and IT operations and typically employs agile design methods to deploy new software iteratively in what critics deride as a “permanent beta.” Generally DevOps is seen as prioritizing flexibility, speed and time to market, and to be opposed to or derisive of security.

“The typical approach,” said one participant in a recent federal IT forum, to laughs of recognition, “is ‘We don’t need to have all this security risk management stuff, we don’t need to have cybersecurity, we need a solution now.'”

Corman made what was effectively a pitch to the security tribe to make peace with DevOps. OWASP is one of the oldest and most established volunteer security organizations that produces consensus open standards and develops best practices.

Corman said mutual misunderstanding between the two tribes was a matter of language as much as anything else: “You call it mitigation and patching; they call it unscheduled critical work.”

Either way, “It is time and effort doing something that adds nothing to the bottom line,” he said, referring to the time spent mitigating major vulnerabilities like Heartbleed.

Maintaining good security hygiene and following security best practices reduces the amount of time and effort required, Corman said, because it makes the whole application ecosystem more secure.

He said there were an average of 106 open source programs or software libraries incorporated into a typical app, and pointed out that a single vulnerability in one of them might be present throughout a whole sector via a piece of industry-standard software.

“Just one vulnerability in JBOSS [software allowed hackers to] shut down Hollywood Presbyterian Hospital. One vulnerability can do that and because our [software] hygiene is so poor, we have hundreds and hundreds more out there,” he said.

Only by improving software production practices and securing the software supply chain could DevOps achieve their goals, he said. And they were now seeing that clearly, hence the hug.

The security tribe had to stay true to its principles, though. “We have to raise the alarm without being alarmist,” he said.