How security can add value to DevOps

While cloud computing and agile development and management processes are shaking the very foundations of the traditional IT department, it’s important that organizations embrace these disciplines securely. With that in mind, we recently sat down with Gene Kim, award-winning entrepreneur, researcher and founder-former CTO of security firm Tripwire. Kim is also co-author of the books “Visible Ops” and “Visible Ops Security” — which codify how organizations make their IT transformation from “good to great.” In this interview we focus on the benefits of adding Rugged development principles to the DevOps IT organization. CSOonline: What do you mean by “Rugged” DevOps?

Kim: There’s a movement afoot that’s called DevOps, it started in 2009 at the Velocity Conference where the VPs at Flickr came on stage and said “We are routinely doing 10 deploys a day.” The status quo at the time was nine-month cycles or an annual cycle — or maybe a monthly cycle — and these guys basically said, “We’ve been doing deploys that rate 1,000 times faster than ever considered before by breaking down the silos in the IT organization into DevOps.” Think of the business value when you can deploy features 10 times a day, and your competitors can only deploy once a month or even once a year. You have an enormous, inherent competitive advantage.

So, the world’s gotten a lot faster since then. In fact, Amazon has gone on record saying they are now doing 1,000 deploys a day. So it’s just breathtaking what’s going on with DevOps and with cloud. That was a holy crap moment for me. Cloud isn’t just outsourcing, it is something profoundly different that enables what you can do without. They’re just shutting down data centers. It’s just a profoundly different shape of IT.

CSOonline: What does this mean for the IT security practitioner?

Kim: The problem for the security person who is used to turning around security reviews in a month or two weeks is they’re just being shoved out of the game. There’s no way with how infosec is currently configured that they can keep up with that. So, infosec gets all the complaints about being marginalized and getting in the way of doing what needs getting done.

We have evangelized at the 2012 RSA conference something called Rugged DevOps. But lets’ step back a moment. I’ve been working on a book called “The DevOps Cookbook” about how you do these types of transformations. And what we’re suggesting here is — not only are we codifying what Dev and Ops do together to get these incredible results — but what is infosec’s role in this? Where are they adding value to Dev, to Ops, to QA, to project management, to product management? Where are they helping secure code and an environment that can be relied upon to be stable, securable, durable, and scalable? So we’re just turning security into one of the qualities that Dev and Ops should be working on together. This is really changing how work is done so radically for Dev and Operations that one of the biggest beneficiaries is security because, now, if we can figure out how to automate the tests we can actually integrate all the testing into the development process; we can help operations harden environments for the code to deploy into — not only Dev — and not have to wait for security to take a month to review the code.

With Rugged DevOps, security doesn’t have to wait for Dev or Ops, they don’t have to wait for nine months for the next release, to get a hot fix or a quick fix into production. This means that the organization’s ability to bond with security issues is much, much faster.

CSOonline: How do organizations ensure security — which does have a history of getting in the way — remains integrated into the process?

Kim: We went through the prescriptive steps that we think security must do. They have to figure out — for the DevOps to get underway — who are the other stakeholders that they need to work with to get a seat at the table? How do they explain the value that they provide to developers? They can explain how they can bring to bear a set of automated tests that can be baked into the continuous integration and release process. That bakes quality and security into the process of an organization. Or here are the automated scripts that we can use to help you to secure the environment. To release managers: Here’s the checklist that you can add to your checklist to make sure that the release process results in the right outcome. To Operations: Here’s tools you can build into your quality check to make sure that the Ops department is stable and secure and operable.

So, that’s certainly one thing; understanding what they are about, the value that we can bring to them. And we go through the steps of the DevOps transformation. For example, one of the things that happens all the time — that security takes it in the shorts for — is that in DevOps, the developers, use up all the time in the schedule and leave no time for operations, let alone for security. One of the things that DevOps organizations do differently is that the Dev people and Ops are working together at the earliest sprint, in the earliest cycle, so in an agile process the typical thinking is at the end of every sprint two-week intervals — you can have shippable code.

CSOonline: Is that enough for security to have something to vet properly?

Kim: You change that, so that not only do you have shippable code, but you have the shippable environment, the database, the operating system, the network environment that the code is being deployed into. So you’re working on those very early in the cycle, then you’re helping integrate one step automated build so you’re simultaneously building a production environment, the QA environment, and the Dev environment. So you’re actually creating this incredible capability that makes the Dev guys, everyone’s life easier. That’s where the security personnel will also be working in, at the very early stages, getting the environment and code built so that you’re not deferring that work till the end, where we all know projects tend to run over and you just never get to securing your environment. Now security gets done first.

CSOonline: And everything’s iterative; there is no end anymore, right?

Kim: This is a great point. So how do you make sure that in the early stages you have at least something checked off, and you’re providing value to the other stakeholders? So the practices you want to do get baked into the process? Well now that process can be: Here are the three features we’re going to work on plus the security requirements and those are being scheduled into daily work so that the quarterly assessments — what you find in those assessments — basically gets fed into the work script at the same time that the features are being built. You have this agreement that Dev cannot use up all the cycles for just features. There are all these non-functional requirements, you know, for operation stability, site security; it’s being constantly worked at the same time.

CSOonline: Does it work outside of tech or cloud companies? We see all of the examples where these methodologies are employed, and they tend to be organizations that have technology in their DNA.

Kim: So the question was how people have been successful at integrating this into daily work? I would say absolutely they have. And I would give Netflix as an example of how they do this. As you take a look at the tribal leaders of the DevOps movement, they are saying it’s not DevOps, its Dev-Ops. It’s everybody between Dev and Ops: its QA, infosec – it’s such an amazing moment for me to say, “Hey this is our tribe.”

And it does work in many types of organizations. In fact it works in government organizations. I’m working on some case studies because people would say, “Hey, we’re not Amazon, we don’t need to do this, right. We’re stuck to the old way.” I think any place where you have a lot of IT work, where you have a time-to-market pressure and there is a need to show value to the business and simultaneously deliver stable, secure services this makes sense. And that means, I think, everybody.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.