A secure agile cloud development procedure to produce cloud-native and other applications starts first with a process. (See video at end of this article for a secure process.) This process defines how code created by a developer eventually makes it through to production and customer use. I have found that many companies do not even have such a process, or they have a very short process that primarily comprises the developers doing everything, including testing and security bits within their own little worlds. Since the same developer who wrote the code is testing and performing security, there are not enough eyes on the code to see all potential attacks.
There are also very few developers who have a security mindset, a mindset that thinks well outside the box for potential issues and attack mechanisms. So, we start with a flow of work. In many cases, that flow for waterfall projects is broken and disjointed, while for agile it seems fairly fluid. Figure 1: Waterfall DevelopmentFigure 2: Agile Development
As you can see in the previous diagrams, the process is very distinct. However, it is incomplete. Why is it incomplete? Because we still have a break between the developer and QA/test, even though we may place our code into production automatically. Where is the automation around testing or the creation of the infrastructure? We are still missing bits, and that is what can impact the security and stability of a cloud-native application. We need to add more into this process and involve others. What others? At least the infrastructure developers (who are today’s administrators who script everything) and some automated way to verify builds so that you can easily record issues into the scrum backlog. Figure 3: CI/CD w/Infrastructure as Code
By adding automation, as we have in the above, we only include one infrastructure developer (the administrator who writes scripts), but not those involved with security, and we still have no automated test. We even have no real security outside of what is done within the build server (if any). We are really looking only at build and orchestration failure points, not real security, or for that matter truly automated testing. There are many ways to add security into this process, and there are some great tools to help you. However, many of those tools are not tuned for agile cloud development and need some way to become hooked into your environment for use. Appropriate tools include code analyzers such as HP Fortify, dynamic code analyzers such as Core Impact, and testing automation tools such as Ixia BreakingPoint. There are many more listed at sectools.org.
When we add in such tools, we are changing how we look at the world. We are actually changing our mindset. Most importantly, we are not really changing how developers work. Instead, we are adding in more developers to help improve our agile cloud development experience. Where we end up is illustrated in Figure 4. Figure 4: Secure Agile Cloud Development Process
We can even go further and tie in not only security but application performance management as part of our automated testing. The goal here is to add security under the covers of the process, so the developers (of which we now have four classifications) can continue to do their job while issues are logged, testing is automated, and data protection is part of the process.
Data protection is made part of the process by using hooks as code is placed into our source code management system or repository. These hooks, of which AAC-Lib is one, are there to obfuscate, tokenize, remove, or deny code to be placed in the environment if it has embedded PII, PHI, API Keys, or anything else that could lead to backdoors, leaking data, or anything else that could break compliance or impact adversely an organization’s bottom line due to a breach of any sort. Take a look at the following presentation, done recently for vBrownbag, for a good view on how to create a secure agile cloud development process for secure and automated continuous integration and deployment. Let us know your thoughts:
This site uses cookies. Some of them are essential, while others help us improve your experience.AcceptRead More
Privacy Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
