One of the biggest challenges for development teams is having good visibility into production deployments. It is nearly impossible to track down application problems without access to critical data. Developers need access to a range of things, including application performance reporting, configurations, log files and more.
Does DevOps create or solve security challenges?
Possible DevOps Security Issues
DevOps typically refers to topics around application deployment, server provisioning, and application monitoring. All three of these topics have potential security implications.
One of the best things about using continuous integration and deployment tools is their ability to create a repeatable and dependable way to deploy your application. How you deploy your application is scripted out and works the same way every single time.
From a DevOps security perspective, I see this as a huge upgrade over someone manually pushing code. It allows you to implement controls and security policies into your release process.
We are also starting to see new ways to add security scanning and testing into the build process. Products like Contrast Security are very interesting.
Server Provisioning & Configuration
I’m sure you have heard of infrastructure as code. Similar to scripting application deployments, scripting server deployments allows you to document and control the process.
By scripting out server configurations, you can also easily implement specific company policies, such as which ports are open, automatic updates, and more.
Deploying to the cloud also changes everything. At Stackify, how we deploy to Azure is part of our application itself. We don’t even think about server provisioning or server configurations. Microsoft Azure takes care of securing our servers, Windows Updates, and other common issues.
Scripting server configurations enables security experts to have better visibility and be part of the security conversations throughout the process.
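One way to check a scripted server configuration against company policy on open ports and automatic updates, as an added example that is not from the original article. The configuration layout, field names, server names and policy values are all assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample: a scripted server configuration as it might be kept in
# version control. The layout and field names are assumptions.
SERVER_CONFIG = json.loads("""
{"servers": [
  {"name": "web-01", "automatic_updates": true,
   "inbound": [{"port": 443, "source": "0.0.0.0/0"},
               {"port": 22,  "source": "10.0.0.0/8"}]},
  {"name": "db-01", "automatic_updates": false,
   "inbound": [{"port": 5432, "source": "10.0.1.0/24"},
               {"port": 3389, "source": "0.0.0.0/0"}]}
]}
""")

# Constructed company policy (assumption, not from the article).
POLICY = {
    "public_ports": {443},             # may be open to any source
    "internal_ports": {22, 5432},      # may be open to internal networks only
    "internal_networks": ["10.0.0.0/8"],
    "require_automatic_updates": True,
}

def audit(config, policy):
    """Return a sorted list of (server, violation) tuples."""
    internal = [ipaddress.ip_network(n) for n in policy["internal_networks"]]
    findings = []
    for server in config["servers"]:
        name = server["name"]
        if policy["require_automatic_updates"] and not server.get("automatic_updates", False):
            findings.append((name, "automatic updates disabled"))
        for rule in server.get("inbound", []):
            port, source = rule["port"], ipaddress.ip_network(rule["source"])
            if port in policy["public_ports"]:
                continue
            from_internal = any(source.subnet_of(net) for net in internal)
            if port not in policy["internal_ports"]:
                findings.append((name, f"port {port} is not allowed by policy"))
            elif not from_internal:
                findings.append((name, f"port {port} open to non-internal source {source}"))
    return sorted(findings)

if __name__ == "__main__":
    for server, violation in audit(SERVER_CONFIG, POLICY):
        print(f"{server}: {violation}")
```

Run as a step in the release pipeline, a non-empty result can fail the build before the configuration reaches a server.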
When it comes to monitoring and troubleshooting application problems, a DevOps approach solves a lot of security problems. The goal of DevOps is to create collaboration and improve the working relationships between development and operations. Monitoring is a perfect example of where a company can gain efficiency and even security with a DevOps mentality.
By giving developers access to the tools and more data, they no longer need administrator-level access to production. You can also get more developers involved in supporting their applications.
Application Monitoring: Developers Need Data, Not Production Access
In the past, many organizations were forced to give developers administrator level permissions so they could support their apps. It was the only way for them to see if their apps were running, the health of them, and access basic things like log files. This, of course, causes a lot of security concerns.
What developers really need is access to lots of data. Having to log in to servers one by one is not a good solution if your app runs on multiple servers.
What developers really need to support their apps:
- Deployment history – What changed and when?
- Application configurations – Is everything configured correctly?
- Application errors – Is there a critical error going on?
- Application log files – Logs are the eyes and ears for developers.
- Server metrics – Need to double check server CPU, memory, disk, and network performance
- Application metrics – Do we have issues with garbage collection or other key metrics?
- Application performance – APM tools are invaluable for identifying why an application is slow or not performing correctly
Developers need tools to aggregate this data together across multiple servers. Traditionally, developers have used multiple monitoring type tools. APM solutions, like Retrace, can help solve this by combining all the data into one place.
Providing your entire development team access to this data fits into the DevOps mentality and solves some security challenges.
Summary of DevOps Security Impact
By leveraging DevOps best practices, companies can increase the velocity at which they do releases while improving security. DevOps and security issues related to it will continue to be big topics.
Scripting out how you do deployments and configure servers gives you the ability to review and audit the configurations.
By giving developers access to the data and monitoring tools that they need, you can also limit administrator level access to production.