DevOps practices can help spot vulnerabilities earlier

Continuous collaboration, automation, and radical transparency in DevOps can help detect issues more rapidly.

Last year's GitLab Global Developer Report provided some key insights into the benefits and challenges of the DevOps methodology. GitLab surveyed 4,071 software professionals and found that teams with mature DevOps practices are three times more likely to spot vulnerabilities earlier, showing the benefits of DevOps done right.

GitLab stated that "DevOps done right can go a long way to improve security, enable continuous deployment and bring developers, security professionals, and the operations team together." The report found that companies with advanced DevOps practices "are 90% more likely to test between 91% and 100% of code than in an organization with early stage DevOps." Also, "nearly half of all respondents practiced continuous deployment at least in some part of their organizations."

However, barriers still prevent developers and security teams from achieving streamlined DevSecOps: only about a third of respondents actually rated their organizations' DevOps efforts as "good."

CEO and cofounder of GitLab Sid Sijbrandij said: "The big takeaway from this survey is that early adopters of strong DevOps models are experiencing greater security and finding it easier to innovate, but barriers still prevent developers and security teams from achieving true DevSecOps. Teams need a single solution that can provide visibility into both sides of the process for streamlined deployment."  

Other key takeaways from the report included:

  • About half of security professionals (49%) reported difficulties getting developers to prioritize the remediation of vulnerabilities

  • Merging code in test environments found bugs most frequently

  • If you're going to do DevOps, do it right: substandard DevOps implementations are at least 2.5 times more likely to experience planning delays and stifling red tape entanglements

  • Remote teams perform better than onsite teams, offering "greater collaboration, better documentation and transparency and ultimately more mature security practices, compared with in-office teams. In fact, developers in a mostly remote environment are 23% more likely to have good insight into what colleagues are working on and rate the maturity of their organization's security practices 29% higher than those who work in a traditional office setting"

I spoke to Colin Fletcher, manager of Market Research and Customer Insights at GitLab, to get his insights on the topic of DevOps security and see where DevOps is working well and where there are areas for improvement.

Scott Matteson: How do DevOps practices help spot vulnerabilities earlier?

Colin Fletcher: Put simply, DevOps supports better security, enabling spotting vulnerabilities earlier, because it is built on a foundation of radical transparency, collaboration, and automation. These characteristics are critical to achieving a level of continuous improvement and ultimately a proactive capability. 

Put another way, when everyone involved in requesting, building, testing, delivering, and securely running an application can literally see everything, work together on the same things, and work together to automate as much as possible, the end result is applications that are more secure from the start. 

This is code that has been consistently tested, is running on documented configurations, and whose movements and behaviors are consistently monitored. This is in stark contrast to the typical output of traditional IT operating models where most existing activities, tooling, and teams have often been focused and formed around a separated and reactive paradigm for various reasons.

Scott Matteson: Can you provide any subjective examples of vulnerability detection via DevOps?

Colin Fletcher: Arguably the biggest impact that we've seen DevOps adoption have on vulnerability detection of any kind (static application security testing, dynamic application security testing, dependency scanning, container scanning, and more) is that it is actually getting done and done more frequently in DevOps teams. Because the DevOps view of security starts as more or less "just" another attribute or posture or characteristic of an application that is the responsibility of the entire cross-functional team, it tends to reap benefits measured in the same terms as other DevOps activities, greater speed and automation of identification and remediation. So for example, as noted by security awareness training and simulated phishing platform KnowBe4, it was important to have vulnerability detection activities already baked into their DevOps pipelines so that vulnerable code doesn't get deployed in the first place. 

As application attack surfaces change constantly, and increased delivery of new applications, features, and changes only accelerates that change, we see only a growing need to automate a variety of vulnerability detection approaches as much as possible for the foreseeable future. For some time we have been providing a combination of static and dynamic application security testing, dependency and container scanning, and we continue to invest in building in other capabilities as well in response.

Scott Matteson: What are the barriers preventing streamlined DevSecOps?

Colin Fletcher: The common inhibiting thread across the many identified pains and challenges in the survey appears to be rooted in a stubborn division of tools, responsibilities, teams, incentives, processes, and data -- all of which ultimately stop the people involved from collaborating and continuing to improve.

Scott Matteson: How can those barriers be overcome?

Colin Fletcher: Overcoming these roadblocks continues to require significant attention and investment from all levels and disciplines in transforming the culture, tools, skills, incentives, and organizational design that support what is ultimately a new, collaborative way to work.

Scott Matteson: How is DevOps enabling the testing of over 90% of code?

Colin Fletcher: More code is tested using a DevOps approach than in traditional operating models due to multiple factors, but the most impactful factors leading to this improvement include:

  • DevOps' Agile development roots, which lead to code delivered in smaller, more focused, increasingly independent units that are more easily and quickly tested.

  • DevOps' collaborative nature results in more team members invested in and involved in testing activity.

  • DevOps' presumption of automating everything that possibly can be, including testing activities.

At the end of the day, a DevOps approach is one where it is both easier and faster to test, so more code gets tested.

Scott Matteson: How is continuous deployment being achieved?

Colin Fletcher: Many of the same factors enabling more consistent and complete test coverage enable continuous deployment to become not just possible, but practical. Most often it is achieved via the combination of using agile development principles, continuous integration (CI) to automate the building, packaging and testing of code, and increasingly frictionless delivery mechanisms, like containers and serverless computing.

Scott Matteson: Why are only a third of respondents satisfied with DevOps?

Colin Fletcher: Keeping in mind that for many, successful DevOps adoption requires quite literally upending decades of assumptions, behaviors, cultures, organizational structures, incentives, processes, job descriptions, tooling and more, we see closing in on almost a third of developers feeling good about their DevOps maturity as truly significant, meaningful progress. 

It is not an overstatement to say DevOps represents an actual transformational effort that is spanning multiple generations of people, processes, and technology. Shifts of this breadth, depth, and impact are typically measured in decades, and we are excited about the advancement and opportunities still ahead.

Scott Matteson: What do companies need to do to keep the process evolving?

Colin Fletcher: Based on the experiences of our survey respondents and others' experiences, it is fairly clear and consistent that both initial and ongoing DevOps success requires a significant, consistent focus on and investment in transforming the culture, the use of agile principles to build and deliver code, and the use of modern tooling designed to support this new way of working.

Scott Matteson: What other operational advantages can be gained via DevOps that weren't traditionally viable?
 
Colin Fletcher: The most common driver cited and frankly realized operational advantage of DevOps adoption is significantly increased speed: speed of delivery of new applications, features, and functions. This speed increase enables a new level of responsiveness to constantly changing demands and constraints that can initially be staggering. Anecdotally, in a growing number of cases, DevOps teams' ability to deliver can begin to outpace the articulated/defined needs of a particular business or organizational function, putting pressure back on product owners to find enough new things to work on!

In addition to the increases to speed and security often seen by DevOps adoption, there is the more challenging-to-measure increase in operational flexibility that translates all the way down to the individual members of the team. Better documentation, more automation, greater collaboration can enable more asynchronous work, giving team members more flexibility in when and where they work, something we at GitLab ourselves do our best to reap the rewards of as an example.
 
Scott Matteson: What sort of training/background is useful for a career in DevOps?

Colin Fletcher: Because of the breadth of activities and responsibilities DevOps spans, there are a ton of potential entry points for all sorts of professionals to begin their DevOps career journey, which can be both intimidating and exhilarating at the same time! That said, it is often a great help to have a background and/or training in agile or lean methodologies (some would say this is an absolute must, but I've seen plenty of folks learn by doing in a reasonably performing team), application architecture, application development (coding, testing, etc.), configuration management, cloud architecture, and product management. But if you don't come from those specific disciplines, that shouldn't stop you. There are so many online and IRL options for learning, like Codecademy, freeCodeCamp, and devopsdays, and many folks from all sorts of other backgrounds, like IT operations, IT security operations, and project management, for example, are finding paths to join DevOps teams every day.