Security Predicted to Improve in Devops Teams

Category: IT Technology · Published: 5 years ago


After uniting development and operations to ship more code faster, DevOps teams are set to take on security as the next major obstacle. Many current security controls run counter to DevOps practice: they are either never completed, or they are managed as gates that DevOps teams must pass through rather than as processes integrated into the pipeline.

Gartner analysts predict that the proportion of teams integrating security into DevOps will rise from 40% today to about 90% by 2022. Teams that integrate security into their DevOps processes gain several benefits. By understanding the threats an application actually faces, they can defend against the right risk in the right place, reducing data breaches, data loss, and other exposures. Security experts can still monitor various aspects of the software, but a crucial tenet of DevOps is the ability to operate at scale and speed, free of arbitrary organizational and technical bottlenecks. The security tools that fit this model sit alongside the other items of the DevOps toolchain and provide continuous feedback: as code is written, across the CI/CD pipeline, and by monitoring and understanding threats against the code as it runs in test and production environments.

Teams looking to improve security can leverage educational material available online. Various free training courses explain the role of security in DevOps, with separate training for managers and for technical practitioners. "Training and security education is another crucial piece of the puzzle," states Calvin Lo, program manager for training at SecurityCompass. "By understanding threats and weaknesses of how applications are hacked, software professionals can gain direct expertise and then prevent many common problems from happening in the first place."

One tool on Gartner's roadmap is IAST, Interactive Application Security Testing. IAST helps teams understand and address security during development and testing, much as Application Performance Management (APM) tools helped teams understand performance. Instead of sending code to a specialized performance team to run isolated tests in a lab, APM tools such as New Relic, Dynatrace, and AppDynamics used instrumentation to continuously monitor what happened inside an application without requiring code changes. As a result, teams could monitor their own data without dedicated study in the field of performance engineering. IAST applies the same idea to security: instrumentation inside the running application lets teams find security defects without dedicated study of security risk. These tools locate defects by observing, for example, when user input reaches a SQL command without validation (SQL Injection), or when an XML parser is configured to resolve external entities and can therefore disclose local files to external users (XXE), along with many other types of risk. By monitoring code at API boundaries, IAST analyzers can also help map an application's flow to other resources and act as the basis for an automated threat model.

"DevOps has dramatically improved the way that teams ship software quality and performance. DevSecOps has similar benefits for security, but requires changes in culture, people, process, and technology. Successful teams are both shifting security 'left' into development as well as extending 'right' into operations, and they’re leveraging instrumentation-based approaches like IAST and RASP instead of traditional outside-in scanners and firewalls."

Jeff Williams, CTO of Contrast Security, which provides a free IAST monitor in Contrast Community Edition.

Other notable tools in the security DevOps pipeline are:

  • Software Composition Analysis, a way of identifying vulnerabilities and/or potential license conflicts within an application’s libraries.
  • Chaos Engineering, the deliberate introduction of periodic errors and/or environmental degradation in and around an application to verify its resilience before a similar unexpected failure occurs on its own.
  • Runtime Application Self Protection (RASP), a way to make running applications defend themselves using the context of what the code is doing. Unlike external defenses that watch network traffic, this technique sees whether and how data is actually used.

Chaos Engineering and RASP also help integrate security as code into DevOps: the former designs failure resiliency and auto-recovery into systems, and the latter guards a running application against actual exploitable vulnerabilities, not merely against observed attacks.

The core issues of many security tool chains are speed, skillset, and accuracy. Some tools, such as static code analysis, are too slow and produce too many false positives because they cannot traverse non-imperative code flows (such as inversion of control). Triaging those false positives requires an expert who is typically not present on a software team.

Other tools, such as Web Application Firewalls (WAFs), suffer from limited accuracy in understanding what they see. A WAF can monitor a production environment and watch data move across the network, but it lacks the architectural visibility to tell whether and when an attack matters. The result is that operations teams receive significant noise from irrelevant crawler attacks, and developers cannot use the attack information to improve in a meaningful way; SQL injection blocking statistics, for example, do not matter to a team whose application uses NoSQL, and the same SQL injection payload is noise against a parameterized query but a genuine finding against a query built by string concatenation. In 2014, the security industry published statistics that organizations in the United States were attacked over 5,000 times per hour. Other data from 2018 indicates that organizations are attacked 1,000 times per day. What is missing from these network-based WAF reports, from the point of view of a DevOps pipeline, is how often those attacks can actually accomplish something the defender cares about.
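The following Python sketch is an added example, not code from the article, Gartner, or any IAST or WAF vendor. It serves the IAST paragraph above (user input reaching a SQL command) and this WAF paragraph together: a WAF-style regex looks only at request text and flags a benign sentence and a real payload alike, while an instrumentation-style hook at the database driver reports a finding only when an untrusted value has crossed SQL token boundaries, that is, only when the attack accomplished something. The helper names (`taint`, `MonitoredCursor`, `WAF_RULE`, `run_demo`), the users table and both requests are constructed for the demonstration. Two simplifications are assumptions, not how commercial agents work: taint is tracked by matching recorded request values rather than by propagating through string operations, and the driver is hooked with a sqlite3 cursor factory rather than patched at load time.

```python
import re
import sqlite3

# Values that entered the process from an untrusted source (the request).
# Assumption for the demo: taint is tracked by value matching, not propagated.
TAINTED = []
# Findings raised by the instrumented cursor (the "IAST report").
FINDINGS = []


def taint(value):
    """Record a request value as untrusted and hand it back unchanged."""
    TAINTED.append(value)
    return value


# Minimal SQL tokenizer: literals, quoted identifiers, numbers, words,
# comments, and single-character punctuation. Whitespace is skipped.
TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'      # single-quoted string literal ('' escapes a quote)
    | "[^"]*"             # double-quoted identifier
    | \d+(?:\.\d+)?       # number
    | \w+                 # keyword or identifier
    | --[^\n]*            # line comment
    | /\*.*?\*/           # block comment
    | [^\s\w]             # operator / punctuation
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Return (start, end, text) for every token in the SQL text."""
    return [(m.start(), m.end(), m.group()) for m in TOKEN_RE.finditer(sql)]


def sql_injection_finding(sql):
    """Return a finding when an untrusted value spans more than one SQL token.

    A value that stays inside one string literal is data; a value that crosses
    token boundaries has become SQL structure, which is what injection means.
    """
    tokens = tokenize(sql)
    for value in TAINTED:
        start = sql.find(value)
        while start != -1:
            end = start + len(value)
            spanned = [text for (t0, t1, text) in tokens if t0 < end and t1 > start]
            if len(spanned) > 1:
                return {"rule": "sql-injection", "value": value,
                        "tokens": spanned, "sql": sql}
            start = sql.find(value, start + 1)
    return None


class MonitoredCursor(sqlite3.Cursor):
    """Stand-in for an IAST/RASP hook at the database driver boundary.

    Assumption: a cursor factory keeps the demo self-contained; a real agent
    patches the driver at load time so application code is not touched.
    """

    def execute(self, sql, parameters=()):
        finding = sql_injection_finding(sql)
        if finding is not None:
            FINDINGS.append(finding)
        return super().execute(sql, parameters)


# A WAF-style signature: sees request text only, with no idea how it is used.
WAF_RULE = re.compile(r"(?i)\b(select|union|or)\b|'")


def waf_flags(value):
    return WAF_RULE.search(value) is not None


# Two application code paths: string building (vulnerable) and its fix.
def lookup_user_concat(cur, name):
    return cur.execute(
        "SELECT id, name FROM users WHERE name = '" + name + "'").fetchall()


def lookup_user_param(cur, name):
    return cur.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def run_demo():
    """Drive both sensors over a benign request and an attack; return results."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor(factory=MonitoredCursor)
    cur.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    for uid, name in ((1, "alice"), (2, "bob")):            # constructed data
        cur.execute("INSERT INTO users VALUES (?, ?)", (uid, name))
    TAINTED.clear()
    FINDINGS.clear()

    benign = taint("please select option 2 or 3")            # constructed request
    attack = taint("alice' OR '1'='1")                       # constructed request
    results = {
        "waf_flags_benign": waf_flags(benign),   # True: pure noise
        "waf_flags_attack": waf_flags(attack),   # True: but did it matter?
    }
    # Against the fixed code path the payload never reaches the SQL text.
    lookup_user_param(cur, benign)
    results["rows_param_attack"] = len(lookup_user_param(cur, attack))
    results["findings_after_param"] = len(FINDINGS)
    # Against the vulnerable path the payload rewrites the query.
    results["rows_concat_attack"] = len(lookup_user_concat(cur, attack))
    results["findings_after_concat"] = len(FINDINGS)
    results["tokens"] = FINDINGS[0]["tokens"] if FINDINGS else []
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both requests trip the WAF rule, so a WAF report counts two attacks against this application. The instrumented cursor reports nothing while the parameterized query is in use, because the payload arrives as a bound parameter and never becomes SQL text, and reports one finding the moment the concatenating code path runs the same payload, naming the five tokens the value spans. That single finding is the number a DevOps team can act on.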

Developers looking to improve security while maintaining a rapid release cycle can evaluate the Gartner cycle, or look to the Microsoft SDL for other recommendations, in addition to tools such as Contrast Community Edition and OWASP Dependency Check.

