Published on the 30/10/2017 | Written by Phil Kernick
DevOps is gaining popularity – but there are limitations, writes Phil Kernick, CTO at information security specialist CQR…
The appeal of DevOps is its apparent ability to reduce the time required for the development process. The approach can significantly shorten projects and get new software up and running faster. This differs from the traditional ‘waterfall’ approach which begins with a specification, code methodically developed over time, rigorously tested and then deployed.
But there is a downside to DevOps which stems from the change in emphasis (speed over quality). Developer attention shifts from carefully checking and testing software thoroughly, to getting it up and running and then fixing any issues that arise after it is in production.
Suddenly, there is an uncomfortable tension between doing the development job fast and doing it well. And the ‘do it fast’ approach is winning.
Implications for security
Because DevOps has an impact on code quality, there are implications for security. If the development process results in more flaws going into production software, it creates big issues for the business. Systems could become more vulnerable to attack leading to instances of disruption and data loss.
The security situation is further exacerbated by the way developers work in a DevOps team. Because time is of the essence, many choose to create their own servers in a virtual environment rather than relying on system administrators trained in maintaining system integrity. While they gain rapid access to compute resources, it also means developers turn their backs on the very people focused on keeping systems secure.
This is concerning when compounded with the potential security problems with rapidly generated code. How can the developers be expected to secure the servers, too?
The trouble with DevOps is that it trivialises the infrastructure component, assuming it is easily mastered. Nothing could be further from the truth.
The role of iterative development
While it sounds like a disaster waiting to happen, it doesn’t mean there is no place for iterative development practices. In fact, DevOps can and does deliver the benefits of accelerating software development and time to market.
What’s required is an unwavering focus on security as an integral part of the DevOps process. When software security is overarching, from initial concept to final deployment, risks can be managed without impeding development timelines.
This can be achieved through automation tools which remove the human component. By taking humans out of the process whenever possible, development time is reduced without sacrificing quality.
Presently, there are no regulations governing software quality.
Without regulations, consumers have no protection against flawed software products and services dependent on the code. If the pace of development continues to accelerate, software development companies must be compelled to take security seriously.
This is important when considering, for example, autonomous cars or connected medical devices. Security is paramount when people’s lives are at risk. This must be enforced by appropriate regulation and oversight.
Rather than focusing on ‘fast at any cost’, the wider implications attached to software need to be considered. By looking at the whole picture, developers can take advantage of DevOps, while actively managing the downsides of the approach.
Phil Kernick is the Chief Technology Officer and co-founder of CQR Consulting. Phil has dedicated the majority of his career to information security, with more than 25 years in the industry.