Security: Are You Doing DevOps Right?

Phil Kernick, co-founder and CTO of cybersecurity specialist CQR Consulting, has no fundamental problem with DevOps, but asks, from a security perspective, “How many people do it right?”

If DevOps is going to work and produce secure systems, then developers must take responsibility for security. It’s not something that can be treated as an additional process.

But abstract responsibility isn’t sufficient. It’s rare for developers to have security tools in their kit and an understanding of their results, said Kernick.

Learn From History

As a former systems administrator and past president of the Systems Administrators Guild of Australia (SAGE-AU, now the Information Technology Professionals Association), Kernick suggested that DevOps pretends that the discipline of systems administration does not exist and merely treats infrastructure as if it were a software library.

Spinning up an instance is easy, but do you know that it is properly designed and maintained? This is a real concern, given the number of people working as developers without professional training, Kernick explained.

Repeatable loops and short development cycles do make sense. But are you confident all the individual pieces being assembled were built properly?

That raises questions about the software supply chain. Where did that Docker container actually come from? Is it well-maintained?

The process needs to be managed, yet people at some organizations are “just grabbing things from anywhere,” Kernick said.

“It almost integrates the ‘not my problem’ attitude with development,” he noted.

Developers tend to care about whether a component works from a functional perspective, but an untrustworthy piece of code will compile and run.

Developers working in a DevOps environment need to understand the tools that help ensure code is secure, and they need to understand infrastructure, said Kernick.

‘Code Reuse is Bug Reuse’

DevOps makes the old joke that “code reuse is bug reuse” even worse, said Kernick, citing the example of a piece of vulnerable code shared on the Stack Overflow site and reused more than 100,000 times in GitHub-resident projects.

“I don’t want DevOps running in my bank,” he said. What he does want is well-engineered, secure, well-run, certified software.