In his Behaviorally Speaking series, Bob Aiello discusses hands-on software configuration management best practices within the context of organizational and group behavior.
While DevOps is typically thought of as being the relationship and interaction between development and operations, the truth is that DevOps impacts QA, testing, and—most importantly—information security (InfoSec). DevOps is, above all else, a set of principles and practices tailored to improve communication between all stakeholders, of which InfoSec is a key part. This article will help you integrate your InfoSec into DevOps.
Information security is responsible for establishing policies that help ensure a secure environment, and for the set of practices that maintain it; the completely secure, verifiable environment is known as the trusted base. The National Institute of Standards and Technology (NIST) publishes a series of standards, including the Guide for Security-Focused Configuration Management of Information Systems (NIST 800-128). Several other security-related standards also impact configuration and release management, but the interesting fact is that information security and the NIST-related standards actually depend upon configuration management (CM).
Configuration management best practices are described in industry standards, including IEEE 828, EIA 649, and ISO 10007, along with frameworks such as CMMI, COBIT, and ITIL. The security standards include the NIST and ISO 27000 families of standards, and they all reference and depend upon the aforementioned configuration management standards and frameworks. InfoSec could not possibly be effective without CM, and we increasingly see that DevOps facilitates InfoSec too. To understand the real-life application of these standards and frameworks, we need only examine how application code is built, packaged, and deployed.
DevOps helps us ensure that we know exactly what configuration items (CIs) need to be built and that we use the correct source code baselines to build them. These best practices, based upon industry standards and frameworks, enable us to build fully verifiable CIs and to embed immutable version IDs as part of the automated build procedure. Immutable version IDs are essential for conducting a physical configuration audit, which is an essential function for complying with audit and regulatory requirements. InfoSec also relies upon the configuration audit to verify that the correct configuration items were built and deployed as planned.
Release packaging is also a key aspect of this process. Many build tools, such as Ant, Maven, and Make, provide routines to automate the creation of release packages, like Java JARs, WARs, and EARs. These automated procedures also enable you to create a manifest that contains essential information about the configuration items in the container and about the release package itself. Another important best practice is the use of cryptography to ensure the integrity of the release package and its contents.
If you have ever downloaded software from the Internet, then you have likely come across packages that have been signed and verified using cryptographic hashes, such as MAC-SHA1 and MD5. Signed cryptographic hashes can be used to ensure the authenticity of the source, which is known as non-repudiation. They can also be used to verify that the package itself has not been tampered with. Cryptography can help maintain secure baselines and alert authorities to unauthorized changes. These practices enable you to create what is known as the trusted base.
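As an added example (not code from the article), the manifest-plus-hash practice described above using only Python's standard library: the manifest records an immutable version ID and a SHA-256 digest per CI, an HMAC-SHA256 over the manifest stands in for the publisher's signature, and verification reports tampered, missing, or unlisted CIs. The package contents, version ID, and signing key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample release package (file name -> contents). In a real build
# these are the CIs packed into the JAR/WAR/EAR by Ant, Maven, or Make.
RELEASE_FILES = {
    "lib/app.class": b"\xca\xfe\xba\xbe compiled bytecode (constructed)",
    "config/app.properties": b"db.host=db.internal\nlog.level=INFO\n",
}
VERSION_ID = "1.4.2+build.20240315"  # immutable version ID (constructed)

# Hypothetical release-signing key; in practice it lives in an HSM or secrets
# manager and never in source control.
SIGNING_KEY = b"release-signing-key-example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, version_id: str) -> dict:
    """Record the version ID plus a SHA-256 digest for every CI in the package."""
    return {
        "version_id": version_id,
        "entries": {name: sha256_hex(data) for name, data in sorted(files.items())},
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, binding version ID and digests."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_package(files: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Physical configuration audit: return findings, empty if the package matches."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        # An unauthenticated manifest cannot be trusted to audit anything else.
        return ["manifest signature mismatch"]
    expected = manifest["entries"]
    findings = []
    for name in sorted(set(expected) | set(files)):
        if name not in files:
            findings.append(f"missing CI: {name}")
        elif name not in expected:
            findings.append(f"unlisted CI: {name}")
        elif sha256_hex(files[name]) != expected[name]:
            findings.append(f"digest mismatch: {name}")
    return findings
```

With a real package the verifier would read the manifest from the container and the key from the release team's key store; where the verifier must not hold the signing secret, a public-key signature over the same canonical manifest replaces the HMAC.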
The trusted base is the secure and verifiable runtime environment built using these security-focused best practices, which ensure that you know exactly which CIs were built and that the correct source code baseline was used in the build. There have been recent incidents where banks, exchanges, and other financial institutions have suffered serious system glitches because of security issues, including attacks by hackers. These incidents highlight the need for robust configuration management best practices, including DevOps, that should start early in the development process. DevOps focuses on implementing automated application build, package, and deployment for development, QA, integration, pre-production, and production deployments. In all of these situations, testing is a must-have.
Application testing is an essential best practice, including smoke testing, which should always be completed as the last step in an application deployment. Testing is fundamental, and automated build procedures should include unit tests as part of the automated build stream. From a security perspective, effective source code management and automated application builds enable information security by facilitating the scanning of source code for security vulnerabilities using automated code analysis tools. You can also build variants of the code that enable specialized testing to detect potential security problems. DevOps helps to establish the core CM best practices, including application build, package, and deployment, that are essential for establishing the trusted base.
DevOps implements information security best practices, including source code baselining and automated build, package, and deployment. Embedding immutable version IDs and effective use of cryptography are also essential and very effective at ensuring the trusted base.