By Ross Moore
Foundations and Frameworks
Concrete and steel – not exciting. But that’s the foundation and framing of pretty much every modern building. Everything else that is part of a building – flooring, wiring, lighting, room placement, etc. – is made possible by the foundation and the framework.
What’s below is a suggested approach to the concrete and steel of DevOps.
Three Foundational Needs
- Leadership and Governance
Someone has to make the decisions, be responsible for leading the team(s), give direction, and provide operational governance. Securing DevOps is not just about compliance to a set of security concepts; it’s also about setting the right tone for the workplace. Leadership and governance are key enablers of development success.
The pressure to deploy software faster and more often is real—but so are the security, regulatory, and many other concerns around automation that may uncover bugs or defects in software before it gets pushed to production. In an environment where there’s pressure to release code faster, how does one balance these competing priorities? What’s more important: speed or quality? This tension between speed and quality remains one of the main challenges faced by organizations adopting DevOps practices today.
Organizational leadership and governance regarding people and data must be in place to keep people working on the right things, keep up morale, provide direction about project prioritization, and budget the right tools for getting the job done.
An important subcategory of governance is data classification. Where does the data reside? Over which channels does it flow? What kind of data is it? Classifying the data has long-term implications for resource procurement such as what storage to use and if it needs to be encrypted, how stringent access control for the environments need to be, and interoperability of the various technologies.
- Regulatory Compliance
It wasn’t too long ago that if a business remained only national, then there weren’t necessarily many regulatory requirements. Presently, if a business has a website (and who doesn’t?), then international and cross-border data transfer is a given unless one takes the course of geo-restriction, which in itself can be a major undertaking with repercussions.
Determine regulatory needs. From where do people or other services access the data? What cross-border transfer is involved? To paraphrase a late 1960s-80s public service announcement, “It’s 10 PM; do you know where your data is?” Design and implement accordingly.
- Risk Management
One cornerstone of technology management is that it’s all about risk. If there’s a serious incident such as data intrusion or theft, what will the cost be to the organization, and was the company part of the problem (e.g., negligence)?
What are the technical vulnerabilities, threats, and risks presented by the product or service? What kinds of testing (e.g., regression, penetration, vulnerability, CTI) would it take to assess and address the risks? What does the patch cadence look like?
On the personnel side, what are the risks of key players leaving? What’s the morale of the team regarding aspects such as culture and pay? What’s being done to address those risks?
Included are third-party, contractual, and privacy risks (remember data classification above?).
NPM packages are a growing trend as an avenue of exploitation; uptime is a common requirement for meeting obligations; and privacy is considered by many to be more than a privilege but a human right, and not something to take lightly.
Two Framing Activities
The foundation activities undergird the entire structure but also consider what shapes the structure.
- Software Development Lifecycle (SDL
The SDL is vital. Without it, where do all personnel (team, contractors, consultants) know how to proceed with designing and implementing the product? What model is used, who’s responsible for what, it’s all here. Of course, things like references for API architecture specifics and corollary application documentation would make one feel like wandering in the Library of Congress (and make developers want to burn it down like the ancient Egyptian Library of Alexandria!).
Speaking of APIs: Due to the enormous rise of API use in all industries, including healthcare and retail, any use of APIs must be part of the SDL.
Not only are APIs on the rise for public use and interaction, but microservice use within an org has increased drastically. API are necessary internally and externally for businesses to reach, maintain, and accelerate the speed of innovation, so including them as critical resources is crucial. The average API usage per company increased by 221%, so attending to that ecosystem by ensuring proper activities, especially security, are included is needed for developers.
The SDL is to make workflow and production consistent (and concomitantly easier) by codifying what needs to be done for both company and customer, not to make work more difficult by presenting nauseating tedium. Like any corporate policy, it needs to remain useful, while not watered down.
Here are a few specific aspects to include:
- Threat Modeling in some form needs to be included. It doesn’t have to be a magnanimous effort, but the realities of threats will play a major part in development.
- Testing. Regression, stress, pentest, security – these and others will help guide what kind of testing environment one will need and lead to any need to increase items such as capacity and scalability.
- Secure coding. If it’s being done, take steps to improve. If it’s not being done, just get started. It’s always hard to go back and fix insecure code, but it’s a necessity due to the many risks and regulations involved in providing software to the public.
Training is required because businesses have to adapt as technological changes create new opportunities that lead to continuously changing customer demands.
Training is everywhere! There’s no one right place or right approach – just get training and change as needed (specifics should be handed down by leadership).
On a strict and lowball budget? One option is OWASP membership is $50/person/year and includes several types of AppSec and DevSecOps training. That small investment can help raise the level of clean and secure coding, threat and security consciousness, and professional reputation.
Setting the Course and Always in Motion
An issue with setting any course in business is that it’s semi-permanent. A DevOps model put in place becomes part of the foundation, which can make one reticent to commit. The only way to prove the chosen methods is to set them in stone and do them consistently for a long time. Aspects of the model may change over time, but once that foundation is put in place, it takes an enormous amount of work, time, and money to change it. Change wouldn’t be a remodel, but a reconstruction, so the model takes proper consideration at the outset to chart the right course.
While DevOps needs a solid foundation, it’s an always-in-motion model. There are new technologies, new people, business changes, customer demands, societal and cultural shifts. These concepts can be included in calculations, but what those changes will be is incalculable. Hire and train the right people, and the necessary steps and adjustments will be possible.