DevOps
DevOps_RuggedBook_Web
DevOps_RuggedBook_Web
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
On the tools side, embedding<br />
security into <strong>DevOps</strong> for a truly Rugged<br />
<strong>DevOps</strong> experience requires that<br />
security teams find ways to<br />
test early and often by<br />
automating as much<br />
testing as they can.<br />
As Wickett explains,<br />
current security<br />
testing cycles are<br />
really geared toward<br />
waterfall approaches,<br />
even as the rest of the<br />
IT industry has drifted into<br />
Agile and <strong>DevOps</strong>. And so things<br />
like risk assessments and analysis,<br />
plus PCI compliance checks tend to be<br />
Test Early<br />
and Often<br />
completely out of sync with <strong>DevOps</strong><br />
cycles.<br />
“We need better security testing<br />
earlier on in the development<br />
process and inside the build<br />
pipeline,” Wickett says.<br />
“Right after you commit<br />
code, you should have<br />
unit tests that run,<br />
functional tests that run,<br />
integration tests that<br />
run and, at that point, you<br />
should also have a suite of<br />
security tests that run. Right<br />
now, those tests usually are run on<br />
an annual basis or as the product is just<br />
about to ship.”<br />
Automation is absolutely the lynchpin<br />
to the whole strategy.<br />
“At the speed people want to move,<br />
reliance on manual testing just doesn’t<br />
cut it,” explained Damon Edwards, host of<br />
the <strong>DevOps</strong> Café podcast and long-time<br />
<strong>DevOps</strong> evangelist, last year in a talk<br />
at OWASP AppSecUSA. “The external<br />
inspection by a third party who is going to<br />
manually test something is not<br />
going to be enough to catch<br />
all of our problems.”<br />
This does not<br />
necessarily mean that<br />
penetration tests go<br />
away altogether, but they<br />
may shift in importance<br />
as automated tests<br />
become the tip of the spear<br />
and manual tests become a<br />
backstop. At minimum, security<br />
teams may want to start thinking of ways<br />
to automatically integrate manual testing<br />
results back into the pipeline.<br />
“Even if you don’t do anything else,<br />
whenever you shell out your $50,000<br />
or whatever for your PCI compliance<br />
Automate,<br />
Automate,<br />
Automate<br />
testing, tell the penetration testers that<br />
at the end, you won’t read a PDF,” Wickett<br />
says. “Tell them the only output you will<br />
accept is integration tests written in<br />
Cucumber, Gauntlt, Behave or whatever<br />
you want your stack to be, even if it’s just<br />
Python scripts that test different parts<br />
of my application to verify whatever it is<br />
that needs verifying. Tell them you want<br />
code delivered at the end of the<br />
engagement.”<br />
All of this is, of course,<br />
easier said than done. As<br />
Mogull explains, security<br />
teams will need to vet their<br />
tools for <strong>DevOps</strong> speeds<br />
and processes, weeding out<br />
some, retuning others and<br />
bringing in new tools that are<br />
purpose built for the new bar set<br />
by the continuous delivery model.<br />
“If you’re getting a lot of false<br />
positives using a static analysis tool<br />
and that’s impeding dev velocity, that’s<br />
a problem,” Mogull says. “Some tools<br />
aren’t well suited for working in this<br />
environment.”