How to Avoid Accidental Software Vulnerabilities

Aug 29, 2017 8:00:00 AM By Derek Weeks


You might be old enough to remember the days when hotel doors didn’t come with automatic locks.

You received an actual metal key from the front desk, and you had to remember to use the key to lock your door. Now, key cards are nearly universal in modern, and even not-so-modern, hotels, and doors lock automatically. This enhances the security for you and for the hotel, thwarting thieves even when we are absent-minded or lazy. This is security automation, and implementing it in modern-day software development is exactly what Warner Moore, Manager of Information Security at CoverMyMeds, talked about during his 2016 AllDayDevOps conference session, Automating Security in Building Software.

In DevOps, the importance of culture is a constant drumbeat. This includes a culture that values people and the contributions they make. It is also a culture of trusting and empowering people. Often, it seems security erodes that culture because it assumes the worst in people. However, as Warner noted, it doesn’t have to be that way. If you automate security, you provide a culture where people, trust, and empowerment thrive and you “reduce vulnerabilities and keep internal criminals honest. If we look at our employees as criminals, we are doing something wrong.”

So, how can you automate security? Warner looks at it from a high level:

How do you kick things off? Decide if you are going to have story planning cards and sessions or just conversations with people. Either way, it is critical for security to be involved and to walk through the whole process.

Code reviews. How are you going to integrate code reviews, and are you going to use pair programming?

Continuous Integration/Continuous Development (CI/CD). If you do CI/CD, security scanning must be part of the process, and there are a plethora (yes, I know what that means) of tools out there to automate it. There are also tools to automate deployment. Remember, if deployments are hard and painful, they will be few and far between, but if you can make the process smooth and painless, it will improve your software. You can use tools and processes to tie deployments to revision control and continuous integration tools, and use a workflow tool that is built around automatic deployment.

If every part is automated, you can have code reviews in there. They can act as an approval, making auditors happy. And when auditors are happy, everyone is happy.

Risk. Some organizations or certain software applications have a lower appetite for risk, often for sound reasons. You can still have all of this information and address business cases where there is a lower appetite for risk.
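The three points above (scanning as part of CI/CD, automated review acting as an approval for auditors, and a per-application risk appetite) can be tied together in one deployment gate. The script below is an added illustration, not code from the talk or from CoverMyMeds; the policy names, the scan-report layout and the finding ids are constructed assumptions, not the output of any real scanner.

```python
"""Deployment gate for a CI/CD pipeline: fail the build when a dependency-scan
report exceeds the team's risk appetite, require recorded review approvals,
and return an audit record that ties the decision to the scanned commit."""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Policy:
    name: str
    max_severity: str        # highest severity that may still ship
    approvals_required: int  # code-review approvals needed before deploy


# Two hypothetical risk appetites: a default one and a stricter one for a sensitive app.
POLICIES = {
    "default": Policy("default", max_severity="MEDIUM", approvals_required=1),
    "payments": Policy("payments", max_severity="LOW", approvals_required=2),
}

# Constructed scan report; layout and ids are assumptions, not a real scanner's format.
SAMPLE_REPORT = json.dumps({
    "commit": "0123abcd",
    "findings": [
        {"id": "PLACEHOLDER-0001", "package": "example-lib", "severity": "HIGH"},
        {"id": "PLACEHOLDER-0002", "package": "other-lib", "severity": "LOW"},
    ],
})


def evaluate(report_json: str, policy: Policy, approvals: int) -> dict:
    """Return an audit record; 'allowed' is False when any gate fails."""
    report = json.loads(report_json)
    limit = SEVERITY_RANK[policy.max_severity]
    # Unknown severities rank above CRITICAL so a malformed report never passes silently.
    blocking = [f["id"] for f in report["findings"]
                if SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 5) > limit]
    reasons = []
    if blocking:
        reasons.append(f"{len(blocking)} finding(s) above {policy.max_severity}")
    if approvals < policy.approvals_required:
        reasons.append(f"{approvals}/{policy.approvals_required} review approvals")
    return {"commit": report["commit"], "policy": policy.name,
            "allowed": not reasons, "reasons": reasons, "blocking_findings": blocking}


if __name__ == "__main__":
    # In a pipeline, a non-zero exit here stops the deployment stage.
    record = evaluate(SAMPLE_REPORT, POLICIES["default"], approvals=1)
    print(json.dumps(record, indent=2))
    raise SystemExit(0 if record["allowed"] else 1)
```

The returned record can be archived with the deployment log, giving auditors the commit, the policy applied and the reason for every blocked or allowed deploy.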

Training. Annual training is boring (I have a keen sense for the obvious). People try and skip it, play Training Limbo (how low can you go and still pass), and whatever else to avoid it. This helps no one. If you can gamify your training, it will increase participation, retention, and implementation.

OWASP. The Open Web Application Security Project is a great resource. They provide maturity models and practices that can be aligned to automation in DevOps. OWASP is very aligned with what we do.

Tools. There are all sorts of tools aligned to the DevOps culture. Find what works for your organization.

Collaborate. Collaborate with your security team on all of these aspects.

You can watch Warner’s entire talk online here, and you can find out why he used this picture.


If you missed any of the other 30-minute presentations from All Day DevOps, they are easy to find and available free of charge here. Finally, be sure to register yourself and the rest of your team for the 2017 All Day DevOps conference here. This year’s event will offer 96 practitioner-led sessions (no vendor pitches allowed). It’s all free and online on October 24th.