Mar 6
Build security that works for DevOps, not against it
By: Jennifer Ellard
In an ideal world, DevOps and security work hand-in-hand to deliver secure code quickly. This would make sense, right? Well, unfortunately, we all know that reality can be a bit different. Too often, security slows down DevOps and interferes with how developers carry out their day-to-day work. And the result? Developers find ways to work around security controls and practices – sometimes rejecting security solutions altogether in the name of delivering code faster. This introduces risk and exposure that most companies today are not willing to accept. Fortunately, there are ways to keep DevOps running smoothly with meaningful security controls in place. Here are a few pointers.
Approach Security from the Perspective of an Engineer
Good developers are hard-core – pumping out code like no one’s business. That’s why nothing, and I mean nothing, gets on their nerves more than security policies that prevent them from doing their work.
Patrick Mamaid, DevOps manager here at Cmd, says this about using Cmd’s command & file auditing capabilities:
“When I get in the flow setting up a system or chasing down a problem, I don’t want anything to distract me. My mind is completely focused until I finish my task – and I’m not thinking much about documenting every little aspect of it. That’s why I love the ability to look back at all the commands I executed and file diffs – all the info I need is captured and I never had to think about it.”
This is a great example of how security can make DevOps more efficient instead of getting in its way. The same system you use for security auditing makes developers’ lives easier as well. This philosophy extends to all the various tools that DevOps uses every day to communicate fluidly, validate code effectively, and deploy quickly. Security doesn’t need to get in the way of those activities – in fact it can make them better.
Give DevOps the Information They Need, When They Need It
Developers like speed. We all know this. They want to be notified of issues quickly, and they want to solve them quickly. Security is no different.
Security analysts are used to the idea of receiving an alert and then using a dashboard to investigate the incident and resolve it. When working in large-scale Linux environments, DevOps has a seat at that table too, because they are the ones who can quickly pinpoint the root cause of the issue and address it.
You would be surprised at how rare it is for developers to receive real-time alerts – especially about security incidents. Yet this is exactly the information they want. When suspicious activity is detected, it creates an opportunity for developers to learn and make their code more resilient. Then, those learnings are carried forward into future code drops – ultimately resulting in not just stronger code, but stronger coders.
#Blocked (for your own Protection)
Linux, by its very nature, can put a developer in an uncomfortable position. When there is an active incident on a live system, it’s their job to go in and fix it fast. Often they receive privileged access – potentially root access – in order to do this. The idea is to enable the developer to fix the issue with as much speed as possible.
But here’s the challenge: what happens if the issue occurs on a box that also contains sensitive data? What if there is a critical process running that the developer doesn’t know about? We’ve even heard stories of developers taking actions on production boxes thinking they were in a staging environment – with very damaging results.
Developers don’t want to do the wrong thing. They want the control they need, and they also want to be protected from doing the wrong thing accidentally. At Cmd we call these “guardrails” – the ability to enforce security policies and provide a double-check or a real-time authorization to a command like mysqldump or rm -rf. These guardrails also provide protections from a hacker in the environment, even if they have escalated privileges. Any best-in-class security solution should be looking out for DevOps – yet it’s something that is hard to find in modern Linux-based cloud & datacenter environments.
Security and DevOps need to constantly be working together in order for your company to maximize its resources and reach its full potential. Here at Cmd, we are focused on keeping your DevOps environments agile and keeping our security solution lightweight, so development and security can work hand-in-hand.