Dev Ops Increases Security (1)

How DevOps Increases Security, Not Hurts It

Matt Watson Developer Tips, Tricks & Resources, Insights for Dev Managers

One of the biggest challenges for development teams is having good visibility into production deployments. It is nearly impossible to track down application problems without access to critical data. Developers need access to a range of things, including application performance reporting, configurations, log files and more.

New call-to-action

Does DevOps create or solve security challenges?

Possible DevOps Security Issues

DevOps typically refers to topics around application deployment, server provisioning, and application monitoring. All three of these topics have potential security implications.

Application Deployments

One of the best things about using continuous integration and deployment tools is their ability to create a repeatable and dependable way to deploy your application. How you deploy your application is scripted out and works the same way every single time.

From a DevOps security perspective, I see this as a huge upgrade over someone manually pushing code. It allows you to implement controls and security policies into your release process.

We are also starting to see new ways to add security scanning and testing into the build process. Products like Contrast Security are very interesting.

Server Provisioning & Configuration

I’m sure you have heard of infrastructure as code. Similar to scripting application deployments, scripting server deployments allows you to document and control the process.

By scripting out server configurations, you can also easily implement specific company policies. Things like what ports are open, automatic updates, and more.

Deploying to the cloud also changes everything. At Stackify, how we deploy to Azure is part of our application itself. We don’t even think about server provisioning or server configurations. Microsoft Azure takes care of securing our servers, Windows Updates, and other common issues.

Scripting server configurations enable security experts to have better visibility and be part of the security conversations throughout the process.

Application Monitoring

When it comes to monitoring, and troubleshooting application problems, a DevOps approach solves a lot of security problems. The goal of DevOps is to create collaboration and improve the working relationships between development and operations. Monitoring is a perfect example of where a company can gain efficiency and even security with a DevOps mentality.

By giving developers access to the tools and more data, they no longer need administrator level access to production. You can also get more developers involved in the supporting their applications.

Application Monitoring: Developers Need Data, Not Production Access

In the past, many organizations were forced to give developers administrator level permissions so they could support their apps. It was the only way for them to see if their apps were running, the health of them, and access basic things like log files. This, of course, causes a lot of security concerns.

What developers really need is access to lots of data. Having to log in to servers one by one is not a good solution if your app runs on multiple servers.

What developers really need to support their apps:

  • Deployment history – What changed and when?
  • Application configurations – Is everything configured correctly?
  • Application errors – Is there a critical error going on?
  • Application log files – Logs are the eyes and ears for developers.
  • Server metrics – Need to double check server CPU, memory, disk, and network performance
  • Application metrics – Do we have issues with garbage collection or other key metrics?
  • Application performance – APM tools are invaluable for identifying why an application is slow or not performing correctly

Developers need tools to aggregate this data together across multiple servers. Traditionally, developers have used multiple monitoring type tools. APM solutions, like Retrace, can help solve this by combining all the data into one place.

Providing your entire development team access to this data fits into the DevOps mentality and solves some security challenges.

Summary of DevOps Security Impact

By leveraging DevOps best practices, companies can increase the velocity at which they do releases while improving security. DevOps and security issues related to it will continue to be big topics.

Scripting out how you do deployments and configure servers gives you the ability to review and audit the configurations.

By giving developers access to the data and monitoring tools that they need, you can also limit administrator level access to production.

About Matt Watson

Matt is the Founder & CEO of Stackify. He has been a developer/hacker for over 15 years and loves solving hard problems with code. While working in IT management he realized how much of his time was wasted trying to put out production fires without the right tools. He founded Stackify in 2012 to create an easy to use set of tools for developers.