CW Developer Network

Aug 9 2016   6:00AM GMT

DevOps needs a security antitoxins injection

Adrian Bridgwater


Texas-based virtualisation and cloud trends analyst firm TVP Strategy thinks that DevOps is failing to mitigate security flaws and so undermining code quality. The firm comes to this ‘finding’ as a result of research into Agile cloud development architectures and processes.

The firm says it is spending research time on investigating how to add automated security to Continuous Integration (CI) and deployment without fundamentally changing what developers do, thereby (in theory) regaining some level of code quality and potentially improving DevOps.

TVP Strategy says that its research provides ‘a reference architecture’ that enables businesses to retain a grasp on code quality by advising on steps for maintaining code security.

DevOps’ heinous egregious crime

“In many cases, we have observed that DevOps is egregious at identifying security flaws in its penchant for rapidly releasing code,” said Edward L. Haletky, CEO and principal analyst at TVP Strategy.

TVP Strategy has worked with DevOps domain experts, such as Splunk’s chief technology advocate Andi Mann, to peer review its research and ensure it meets the demands of both the business and development functions.

Splunk flunks junk out the DevOps trunk

“While DevOps helps drive agility, velocity and more, it is often too easy for DevOps teams to overlook application security. So, I am excited that this research provides pragmatic recommendations on using data analytics to help ensure code quality and application security,” stated Mann.

The research discusses four key areas:

Code quality metrics – Measuring the adherence of code to security, performance, and compliance policies using automated static and dynamic processes.

Single pool of data – The business interprets the same data differently than development does, thus creating a dichotomy between development and operations. TVP Strategy suggests adopting a methodology that provides the same view in order to enable the same interpretation, therefore removing “finger pointing”.

Breach detection – Knowing all the decisions made to push out a code change makes it possible to add data on these decisions to breach detection, aiding efforts to determine exactly what changed to allow the breach. This architecture shows where to place logging to capture these decisions, both human and machine.

The cost to businesses of security flaws, such as API leakage – These costs can result in significant losses for businesses. The architecture shows how to feed costs and threats into automated continuous analytics.
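The first and third areas above, an automated policy gate in CI and logging of every decision that pushed a change out so a breach can later be traced to what changed, are concrete enough to sketch in code. The following is an added illustration written for this post, not TVP Strategy’s reference architecture or any vendor’s tooling: the policy thresholds, the scanner output shape (a severity-to-count map) and the sample deployment records are all constructed for the example.

```python
"""Constructed CI security gate with decision logging (illustrative, not TVP Strategy's architecture)."""
import json
from datetime import datetime, timedelta, timezone

# Hypothetical policy: maximum findings allowed per severity before a release is blocked.
POLICY = {"critical": 0, "high": 0, "medium": 5}


def evaluate_gate(scan_findings, policy=POLICY):
    """Compare scanner output (severity -> count) with the policy thresholds.

    Returns (allowed, reasons); reasons is empty when the gate passes.
    """
    reasons = []
    for severity, limit in policy.items():
        count = scan_findings.get(severity, 0)
        if count > limit:
            reasons.append(f"{severity}: {count} findings exceed limit {limit}")
    return (not reasons, reasons)


def record_decision(log, commit, actor, scan_findings, decided_at,
                    override_reason=None, policy=POLICY):
    """Append one structured record of a release decision to the log.

    Both the machine verdict (the gate) and any human override are captured,
    so an investigator can later see exactly who let which change through and why.
    """
    allowed, reasons = evaluate_gate(scan_findings, policy)
    deployed = allowed or override_reason is not None
    entry = {
        "ts": decided_at.isoformat(),
        "commit": commit,
        "actor": actor,
        "scan": scan_findings,
        "gate_passed": allowed,
        "gate_reasons": reasons,
        "override_reason": override_reason,
        "deployed": deployed,
    }
    log.append(json.dumps(entry, sort_keys=True))  # one JSON line per decision
    return entry


def changes_before(log, breach_time, window_days=7):
    """Return the changes actually deployed in the window before a breach, newest first.

    breach_time may be an aware datetime or an ISO-8601 string.
    """
    if isinstance(breach_time, str):
        breach_time = datetime.fromisoformat(breach_time)
    start = breach_time - timedelta(days=window_days)
    hits = []
    for line in log:
        entry = json.loads(line)
        ts = datetime.fromisoformat(entry["ts"])
        if entry["deployed"] and start <= ts <= breach_time:
            hits.append(entry)
    hits.sort(key=lambda e: e["ts"], reverse=True)
    return hits


def overrides(log):
    """Every deployment that went out only because a human overrode the gate."""
    return [e for e in map(json.loads, log) if e["override_reason"]]


def build_sample_log():
    """Constructed sample history: two clean releases, one blocked, one overridden."""
    log = []
    t0 = datetime(2016, 8, 1, 9, 0, tzinfo=timezone.utc)
    record_decision(log, "a1b2c3", "ci-bot", {"medium": 2}, t0)
    record_decision(log, "d4e5f6", "ci-bot", {"high": 1}, t0 + timedelta(days=1))
    record_decision(log, "d4e5f6", "alice", {"high": 1}, t0 + timedelta(days=1, hours=2),
                    override_reason="hotfix, ticket TICKET-PLACEHOLDER")
    record_decision(log, "789abc", "ci-bot", {"critical": 1}, t0 + timedelta(days=3))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for e in changes_before(sample, "2016-08-06T09:00:00+00:00"):
        print(e["ts"], e["commit"], e["actor"], "override:", e["override_reason"])
```

The point of the log shape is that the same JSON lines serve both audiences the research describes: development reads the gate reasons to fix findings, while an incident responder filters on `deployed` and `override_reason` to see which change, approved by whom, preceded a breach. Writing the record at the gate itself, rather than reconstructing it from chat or ticket history afterwards, is what makes the "single pool of data" idea workable.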

The compilation of research is ongoing, but it has already been the subject of a BrightTALK webcast entitled Securely Implementing Cloud Native Applications at the link shown here.
