Security Journal


When “IoC” Meets “SoC” | @DevOpsSummit @Cavirin #DevOps #DevSecOps

It should be apparent that “infrastructure as code” and “security as code” are powerful if adopted together.

DevSecOps - When "Infrastructure as Code" Meets "Security as Code"

Not very long ago, in my IT consulting career, I used to be responsible for the launch of mission-critical applications that help enterprises leap into the cutting edge of the digital business revolution. There were a lot of hard skills required for leading such a mission: getting the system architecture and software design right early, mentoring and managing the engineering resources, and tracking progress to the satisfaction of the business analysts who put together the requirements and the stakeholders who funded the projects. Those skills, while hard, were largely deterministic and manageable versus another set of skills required to ensure that the built applications come alive in production environments, and run reliably and securely thereafter. This other set of skills often pits the application developers against the infrastructure administrators and InfoSec professionals. They are also typically viewed as the "last mile" in the journey to go live with any application, and can only be developed by understanding the following patterns that govern the dynamics of interaction:

  • Infrastructure Issues: Infrastructure capacity planning and provisioning is an inherently complex and time-consuming process. It requires long lead times to make sure the necessary and sufficient compute, storage, and network capacity will be available well before the very first line of code is written for the business application. All estimates of growth in scale, as well as timelines, must be forecast well ahead of time, resulting in over-provisioning just to avoid scarcity of resources when they are needed. This is the antithesis of the way modern application developers operate, where speed, agility, and responding to change are fundamental attributes.
  • Security Issues: Because there is only limited, high-level information available to the developers about the infrastructure topology on which their application will run, due to the traditional separation of development and operational team members, the "security review" is often pushed late in the development process, but still viewed as a gating requirement for production launch. This is known to cause severe friction between developers and InfoSec professionals, since, very often, the established security guidelines may require significant changes in the application architecture and design, causing delays and dismay among software architects and developers.

A common thread runs through both of the above issues: the lack of visibility, communication, and cooperation between developers, IT administrators, and InfoSec professionals. It's not hard to understand the entrenched cultural issues that block communication, as these groups have traditionally operated in silos. Another way of looking at this problem is the inability of the professionals to see the cross-domain concerns that are at play. For example, from an application developer's perspective, the features he or she develops are critical for the business. However, for an operations or security person, the potential disruption a new application can cause to smooth operation trumps any business value the new application can bring. Unless a mechanism arrives to enable such a cross-functional view, with the ability to influence a change in practices, things will remain status quo. Fortunately, this mechanism has arrived naturally, and is alive and thriving today, as we can see below.

Infrastructure as Code
Infrastructure-as-code, alternatively known as programmable infrastructure, is the practice of provisioning and managing data center resources through software that uses the definition of resources such as compute, storage, and network in the form of machine-readable files. It uses a form of high-level programming language through which developers can automate the configuration, deployment, and management of resources, while still adhering to the style and standards of modern day software development practices. The advantages of such a methodology can't be emphasized enough as it provides independence, control, repeatability, and traceability through version control. This is the first mechanism that emerged to facilitate the understanding of the cross-domain concerns between developers and IT operations. Two fundamental shifts began to emerge with this development:

  • Developers obtain a powerful handle on the problem of hardware resources, albeit virtualized, through a simple interface they are familiar with: APIs and software libraries. Suddenly the deployment and operation of hardware are simply an extension of the traditional coding exercise. As a side benefit, developers now understand service-level requirements such as high availability, scalability, reliability, and failover, resulting in a new level of appreciation for the IT operations team.
  • IT administrators obtain clear visibility into the dynamics of software engineering and the rapidity and agility that are becoming increasingly commonplace, and acquire some development skills themselves to contribute to the programmable infrastructure. As a side benefit, they are also relieved from capacity surprises, over-provisioning of infrastructure, and change-control conflicts, and become truly collaborative with the developers in leveraging the "elasticity" and "ephemeral" nature of the programmable infra-cloud.

The convergence of the two above mentioned trends is known as "DevOps," marking the advent of utilizing "infrastructure as code", as depicted by the diagram below:

Security as Code
The success of the "infrastructure as code" practice certainly provided a template for bringing the InfoSec professionals to the table as we see a pickup in momentum in discussing security requirements early in the software engineering practice. The fundamental requirement for "security as code" is the ability to achieve programmable security controls and automate the security definition, assessment, and enforcement before and after applications become live, and throughout their operational lifecycle. There are certain fundamental requirements from InfoSec professionals regarding the security of infrastructure and applications such as visibility, transparency, and repeatability of the application of security controls. The challenge is to ensure that this is possible without hindering the speed of application development as desired by the developers, particularly with the availability of infrastructure automation/DevOps platforms at their disposal, and as depicted in the figure below.

Just as in the case of programmable infrastructure described in the previous section, this also creates two fundamental shifts in the mindset:

  • InfoSec people now believe it is reasonable to expect application developers to follow secure coding practices, and to have a visible, automated way of assuring it: through textual code analysis, code-level vulnerabilities are identified early in development. It has also become easier for InfoSec people to let developers readily use "security hardened" and "fully patched" platforms with mandatory security baselines on which to build their applications.
  • Developers realize that application security concerns must be "left-shifted," and be a non-negotiable acceptance criterion before promoting applications through the stages of the SDLC pipeline such as Dev, QA, Staging, and Production.

The convergence of the two above mentioned shifts is known as "SecOps," which marks the advent of "security as code" as depicted by the diagram below:

Putting It Together, aka "DevSecOps"
Based on the above arguments, it should be apparent that "infrastructure as code" and "security as code" are powerful if adopted together. There is a natural confluence of these two as depicted in the figure below, which calls for a harmonious engagement between the various roles and systems at play.

The following fundamental tenets of the DevSecOps framework and their merits are undeniable:

  • Introduce agility and speed by investing in a hardened tool chain covering the develop-test-deploy-monitor lifecycle of applications and resources.
  • Question everything by creating visibility at every stage of the Continuous Integration / Continuous Delivery (CI/CD) pipeline.
  • Bring security as a fundamental and non-negotiable acceptance criterion early in the development process, in other words, "left shift" security.
  • Suspect everything, including code, configurations, artifacts, and infrastructure, and establish security assessment as a requirement for progress through the pipeline.
  • Promote often, and promote confidently through Dev, QA, Staging, and Production.
  • And finally, automate, automate, automate.

While it is possible for enterprises to build home-grown solutions around this, it pays immensely for them to seek out solution vendors that have thought through this deeply and integrated it into the DNA of their products. There are several viable open source platforms available as well, that may require more in-house expertise in putting things together.

Essential Characteristics of a DevSecOps Oriented Security Management Platform
There are multiple options available in the marketplace for enterprises that are interested in establishing the DevSecOps model in their application development, deployment, and infrastructure management. While researching the suitability of any such platform, the following fundamental requirements must be kept in mind:

  • It must be programmable by exposing open APIs.
  • It must have the platform ability to integrate and coexist with the IT ecosystem.
  • It must be cloud-agnostic, and flexibly deployable across multiple infrastructure topologies.
  • It must be able to secure applications before they go live in production.
  • It must help establish a security baseline, and allow continuous watching for drift from it.
  • It must support point-in-time as well as event-driven, monitoring-based security assessments.
  • It must report issues truthfully and knowledgeably, and offer means of remediation.
  • It must create full-circle awareness of the operation of the pipeline through notifications.
  • It must be able to support incident response mechanisms through easy integrations with other systems.
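As an added example (not code from the article, nor from Cavirin or any product it mentions), the following Python sketches the "security as code" mechanics described above: a baseline expressed as a machine-readable file, a point-in-time assessment that reports findings with a remediation hint, a pipeline gate that blocks promotion on high-severity findings, and a drift check against the approved snapshot. The control names, thresholds, and the infrastructure definitions are constructed for illustration and do not come from any real standard or tool.

```python
"""Security-as-code sketch: baseline file, assessment, promotion gate, drift check (constructed)."""
import json

# Constructed baseline; control names and thresholds are hypothetical.
BASELINE = {
    "ssh.password_auth": {"expected": False, "severity": "high",
                          "fix": "set PasswordAuthentication no"},
    "storage.encrypted": {"expected": True, "severity": "high",
                          "fix": "enable encryption at rest"},
    "tls.min_version": {"min": "1.2", "severity": "medium",
                        "fix": "raise the minimum TLS version to 1.2"},
    "firewall.open_ports": {"allowed": [22, 443], "severity": "high",
                            "fix": "close ports outside the allow-list"},
}

# Constructed infrastructure definition, as a deployment pipeline might emit it.
INFRA = json.loads("""{
  "web-1": {"ssh.password_auth": false, "storage.encrypted": true,
            "tls.min_version": "1.2", "firewall.open_ports": [22, 443]},
  "db-1":  {"ssh.password_auth": true,  "storage.encrypted": false,
            "tls.min_version": "1.0", "firewall.open_ports": [22, 5432]}
}""")

# Constructed later snapshot of the same estate: a port was opened on web-1 after approval.
LATER = json.loads(json.dumps(INFRA))
LATER["web-1"]["firewall.open_ports"] = [22, 443, 8080]

def _version(s):
    return tuple(int(p) for p in s.split("."))

def check_resource(name, attrs):
    """Evaluate one resource against every control; return the list of findings."""
    findings = []
    for control, rule in BASELINE.items():
        value = attrs.get(control)
        if "allowed" in rule:            # allow-list control
            extra = sorted(set(value or []) - set(rule["allowed"]))
            ok, detail = not extra, f"unexpected ports {extra}"
        elif "min" in rule:              # ordered-minimum control
            ok = value is not None and _version(value) >= _version(rule["min"])
            detail = f"minimum {rule['min']}, found {value!r}"
        else:                            # exact-value control
            ok = value == rule["expected"]
            detail = f"expected {rule['expected']!r}, found {value!r}"
        if not ok:
            findings.append({"resource": name, "control": control,
                             "severity": rule["severity"], "detail": detail,
                             "remediation": rule["fix"]})
    return findings

def assess(infra):
    """Point-in-time assessment of the whole definition."""
    return [f for name, attrs in infra.items() for f in check_resource(name, attrs)]

def gate(findings, block_on=("high",)):
    """Pipeline gate: promotion is allowed only when no blocking finding exists."""
    return not any(f["severity"] in block_on for f in findings)

def drift(approved, current):
    """Controls whose current value differs from the approved snapshot."""
    return [(name, control, approved.get(name, {}).get(control), value)
            for name, attrs in current.items()
            for control, value in attrs.items()
            if approved.get(name, {}).get(control) != value]

if __name__ == "__main__":
    for f in assess(INFRA):
        print(f"[{f['severity']}] {f['resource']} {f['control']}: {f['detail']} -> {f['remediation']}")
    print("promote:", gate(assess(INFRA)), "drift:", drift(INFRA, LATER))
```

Run as a gate, the script refuses promotion because db-1 fails three high-severity controls; run as a drift check, it flags only the port opened on web-1 after the approved snapshot.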


More Stories By Ravi Rajamiyer

Dr. Ravi Rajamiyer serves as Cavirin's vice president of engineering. He leads the engineering organization at Cavirin, where he is responsible for Cavirin's products and services as well as research and development. He is a seasoned software engineering professional with a solid track record of building, mentoring, and leading high-performance engineering teams. In his career, Ravi has spanned product development and R&D responsibilities at Yahoo, VMware, and a couple of successful Silicon Valley technology startups. He has an MS from the Indian Institute of Technology (IIT) Bombay, and a PhD from Washington University in St. Louis.
