jro-grafik - Fotolia
DevSecOps tools maturing, much to the relief of DevOps developers
DevOps has placed a greater burden on the software developer in terms of securing the public cloud. DevSecOps tools are helping to reduce the DevOps developer's burden.
Ensuring the software an enterprise deploys is secure and ensuring that there are no software vulnerabilities in the applications an organization produces have always been an inexact science. But in this age of DevOps, more pressure than ever is being placed upon the shoulders of the typical software developer, creating a need for DevSecOps tools that will reduce the DevOps developer's burden.
Low-level, programmatic security has always been a software developer's responsibility, but best practices have always demanded that declarative security practices should always be preferred over placing any security-related constructs right into the code a software developer writes. In other words, software developers have historically been insulated from enterprise security concerns.
The need for DevSecOps tools
Before the public cloud became a viable option, developers worried about code, operations worried about deployment, administrators worried about the security of the servers and network engineers kept an eye on the hubs and switches to ensure there were no denial-of-service shenanigans going on. But in today's DevOps world, all of these items are hosted in the cloud, and configuration is performed through a script that's been written by a developer. "The siloed approach was pretty much broken once companies moved to the public cloud and started adopting DevOps practices," said Roy Feintuch, CTO and co-founder of Dome9 Security. "The heavy lifting has moved from IT Ops to DevOps and to the developers who own the software-defined environments."
Roy FeintuchCTO and co-founder, Dome9 Security
While the security was once a shared responsibility across the entire IT department, the trend towards infrastructure as code means that every cloud-based environment is fully configurable through a script. Software is now the primary driver of enterprise architecture, not the company's limited budget for purchasing mainframes and maintaining data centers.
"Everything now is template-based and software-based," Feintuch said. "Instead of physical network devices, you now have API calls that come from the cloud provider. The network service is one API call away."
DevSecOps tools and DevOps integration
An API-based infrastructure certainly provides benefits in terms of simplicity, manageability and the ability to integrate with continuous delivery tools, like Jenkins and Concourse CI. But the problem with a programmatically configured environment is the fact that it can be misconfigured as well. A misconfigured server in the public cloud can end up providing an all-access pass to undesirables and ne'er-do-wells.
"The cloud could be much more secure than a traditional environment," Feintuch said. "But the thing is, in the cloud, a misconfigured cloud can be dangerous because everything could be public. In the cloud, every configuration mistake could lead to a compromised system and an information leak."
Fortunately, for the developers who are struggling to cope with the extra burdens DevOps places upon them, DevSecOps tools are rising to the challenge and helping to not only identify potentially dangerous cloud-based configurations but also helping to lock down environments and settings so that system security can't be compromised by inadvertent changes.
To learn more about the most common security vulnerabilities public cloud environments expose, along with insights into how Dome9 helps organizations address security in the public cloud, listen to the accompanying podcast where TheServerSide's Cameron McKenzie interviews Dome9 CTO Roy Feintuch.