AppSec Blog

What Appsec can learn from Devops

My brain's on fire about devops, having just got back from Devopsdays. Devops is starting to have the same kind of impact on application and system operations as Agile has had on software development. Although only a small number of people at a few companies are really doing devops, it is getting a lot of attention, because they are getting impressive results. Devops is the most exciting thing to happen in operations for a long time.

What's interesting from an appsec perspective is that devops is trying to solve some of the same problems as appsec. Both communities are trying to get developers and operations working together to make systems safer, more reliable and more resilient: to get developers to take operations problems and requirements (including security, reliability, resilience and operational transparency) seriously, and to share responsibility for making systems work in production.

But the way that devops is trying to solve these problems is very different.


Appsec has not come to terms with Agile development. There's still too much emphasis on waterfall control gates and still too much push back from appsec experts who don't believe that Agile teams can build secure software.

This isn't a problem in devops. Devops doesn't try to resist the prime directive of development — to get software out the door to customers as quickly and efficiently as possible. Devops embraces speed and rapid cycling. If anything, devops accelerates the pace of development and takes it to extremes, through practices like Continuous Deployment. Devops simplifies and streamlines release and deployment, in some cases even giving developers self-service capabilities, so that developers can deliver to production faster. And it provides feedback loops from operations back to development so that developers can understand more about production and share responsibility for making things work.

Devops takes an iterative approach, relying on constant feedback from production, with metrics, monitoring and alerting built into systems to catch problems early. In devops environments people are expected to make mistakes, and things are expected to go wrong in production, so teams prepare for these problems and deal with them as quickly and efficiently as possible. When something goes badly wrong, people get together and learn from post mortem analysis, to understand what went wrong and why, and what they should do to prevent problems like this in the future. They don't expect to solve everything upfront, once and perfectly. They understand that the problems, and the answers, are always changing.


One of the core strengths of devops is the willingness of people to share so much of their experience so openly and honestly. At every devops forum you hear people sharing their success and failures, sharing lessons learned, sharing post mortem results. They even share the platform and management technology that they use by open sourcing it.

Obviously in appsec there are limits to how much people should be and can be transparent, and there are obvious risks in disclosing weaknesses to potential attackers and in increased exposure to liability. But Microsoft, and now companies like Adobe and others, are helping us all understand how to build better and more secure software by sharing details of their problems and their appsec programs. We need more companies to do this so that we can all learn from real people solving real problems.

Appsec in Devops

Now we are starting to learn more about how appsec can be integrated into devops. Nick Galbreath and Zane Lackey have done a great job of explaining how Etsy tries to build and continuously deploy secure software, tying security into development, configuration management, release and deployment, measurement and monitoring. Security becomes another problem for ops and development to work on together, in the same iterative and collaborative way.

At Devopsdays, James Wickett talked more about how security needs to be built into devops, and introduced a new security testing framework called gauntlt which can be wired into the continuous integration/delivery/deployment pipeline to automatically run the system through a set of security tests using tools like w3af, metasploit, sqlmap, nessus, nmap, dirbuster and different fuzzers. As more tools and frameworks like this come out, making security testing easier and more efficient, we'll be able to move away from point-in-time pen testing and more towards continuous security checking as part of every check-in or release.
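To make the idea of "continuous security checking as part of every check-in or release" concrete, here is an added example that is not code from the original post or from the gauntlt project: a plain POSIX shell gate of the kind a pipeline step would call, which runs a check, compares the result with an expected baseline, and fails the build on any drift. The scanner output is constructed (nmap grepable `-oG` format, with tabs shown as spaces), and the hostnames and expected ports are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the gauntlt project.
# Shape of a CI security gate: run a tool, compare findings with a baseline,
# fail the build on drift. The scanner output below is constructed (nmap -oG
# format, tabs shown as spaces) so the script runs offline; hostnames and
# ports are assumptions for the example.

# Ports the service is expected to expose (assumed baseline).
EXPECTED_PORTS="22 443"

# Constructed `nmap -oG -` output: an unexpected listener (8080) has appeared.
SAMPLE_SCAN='Host: 10.0.0.5 (app.example.internal) Status: Up
Host: 10.0.0.5 (app.example.internal) Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy/// Ignored State: closed (997)'

# Constructed output for a host that matches the baseline.
CLEAN_SCAN='Host: 10.0.0.6 (app2.example.internal) Ports: 22/open/tcp//ssh///, 443/open/tcp//https/// Ignored State: closed (998)'

# open_ports: read grepable nmap output on stdin, print each open TCP port.
open_ports() {
    grep 'Ports:' | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/^ */, "", $1); print $1 }'
}

# unexpected_ports: print open ports that are not on the EXPECTED_PORTS list.
unexpected_ports() {
    open_ports | while read -r port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;          # on the baseline: fine
            *) echo "$port" ;;       # drift: something new is listening
        esac
    done
}

# security_gate SCAN_TEXT: return 0 when the scan matches the baseline, 1 otherwise.
# This is the call a pipeline step would make; a non-zero status blocks the release.
security_gate() {
    extra=$(printf '%s\n' "$1" | unexpected_ports)
    if [ -n "$extra" ]; then
        echo "FAIL: unexpected open ports: $(printf '%s' "$extra" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "PASS: only expected ports are open"
}

security_gate "$SAMPLE_SCAN" || echo "release blocked" >&2
```

The same gate can wrap any tool whose output can be reduced to a baseline comparison; gauntlt expresses the same pattern as Gherkin "attack" files run by the pipeline.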

Breaking down Barriers

The most important thing is that Devops has found a way to break down barriers between operations and development — bridging two very different worlds.

In devops, operations and developers not only share the same goals, they work on many of the same problems together, and they do this using the same tools and in the same iterative and incremental way. Many of these problems are as difficult and intractable and frustrating as the problems that appsec faces today. But they've shown a way to get them solved.

The appsec community needs to get more actively engaged with these people, learn from them and build on what they are doing. According to James Wickett, there's going to be a Devops track at OWASP Appsec USA this year.

I can't wait.
