News and Notes from the Makers of Nexus | Sonatype Blog

Should DevOps Account for Continuous Trust of Production Applications?

Written by Jessica Dodson | January 09, 2014

This post is part of a series on DevOps.

While DevOps initiatives are primarily focused on fixing or improving the release process, for DevOps to be truly strategic it needs to impact the entire software lifecycle. That doesn't mean everything has to be tackled at once, but DevOps efforts should expand beyond the release process. Perhaps the most important aspect of DevOps is ensuring that production applications are running effectively and securely - because it is the production applications that developers, IT Ops and the rest of the organization are ultimately hired to produce and maintain.

It's interesting that the same silos that affect the development and deployment of applications also exist in the monitoring and management of production applications - IT Ops is largely responsible for monitoring both the systems and the applications. But if DevOps is successful, this will no longer be solely an IT Ops responsibility; it will be a collaboration between developers and operations to jointly monitor and manage production applications. Developers who are involved in monitoring and managing production applications develop a better understanding of what it takes to build a production-worthy application that is easy to manage and maintain. Being on the front line, in collaboration with operations, helps the organization react faster and more efficiently to the problems that arise in production. Having developers engaged in production monitoring and maintenance also lets organizations eliminate the "throw it (back) over the wall" mentality that happens far too often. Instead, in a DevOps model, both teams can work together to provide the missing context and help ensure the proper response is made once a problem or potential problem arises.

Looking at this model from a security perspective, it's also true that traditional monitoring needs to be extended to support component-based development. It's imperative that new vulnerabilities in the components that make up the lion's share of a modern application be identified, triaged, and remediated quickly.

When thinking about a DevOps approach that accounts for security and support of component-based development approaches, it's important to think about these challenges:

  • Coordinating the efforts of IT Ops and developers to address production problems, from a people and process perspective. This is important, and it is a challenge similar to coordinating efforts earlier in the software lifecycle. The good news is that if organizations tackle the initial release and deployment process with effective collaboration, it will be easier to extend that approach into a different but related discipline.
  • Maintaining an accurate inventory of the components used in production applications - I've talked to many organizations that don't have a handle on the applications that they have, let alone the components that are used to construct the applications. This is a fundamental problem since it's hard to manage what you don't know you have. Since an accurate inventory helps the entire DevOps process, the inventory mechanism should fall out of the release management process.
  • Identifying newly discovered security vulnerabilities or licensing issues in components that are actively used in production applications. Whether you refer to it as DevSecOps or DevOpSec, it's important that the monitoring and management process for production applications ensures that those applications remain trusted. While DAST can play a role in production, a new approach is needed for component-based applications: new vulnerabilities in the components of your production applications need to be identified, and you need a process that maps those vulnerabilities back to the applications that contain them.

To overcome these challenges, organizations should ensure that their DevOps efforts deliver the following capabilities:

  • An accurate inventory that provides visibility into production applications so organizations can assess their overall risk posture and identify applications that need remediation.
  • Continuous, non-invasive monitoring of production applications that allows organizations to identify new vulnerabilities without impacting production performance.
  • Identification and notification of newly discovered vulnerabilities to drive action so that flaws can be quickly fixed.
  • Component intelligence that allows organizations to identify, triage and fix vulnerable applications, prioritizing work based on potential negative impact.
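The inventory-to-advisory mapping that the third challenge and the capabilities above call for, as an added example that is not part of the original post or of any Sonatype product: a constructed production inventory is checked against a constructed advisory feed, with version ranges compared numerically and findings ordered by severity so the highest-impact application is triaged first. Component names, advisory identifiers and scores are all made-up sample data.

```python
# Added example (not from the original post): map newly published component
# advisories onto the production applications that actually use them.
# Inventory, advisory feed and identifiers below are constructed sample data.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed production inventory: application -> {component: version}.
INVENTORY = {
    "billing-api":   {"example-json": "2.3.1", "example-http": "4.0.0"},
    "customer-web":  {"example-json": "2.1.0", "example-auth": "1.8.2"},
    "reports-batch": {"example-http": "3.9.5"},
}

# Constructed advisory feed: affected component, inclusive lower bound,
# exclusive upper bound (the first fixed version), and a severity score.
ADVISORIES = [
    {"id": "ADV-SAMPLE-001", "component": "example-json",
     "min": "2.0.0", "fixed_in": "2.3.0", "cvss": 9.1},
    {"id": "ADV-SAMPLE-002", "component": "example-http",
     "min": "3.0.0", "fixed_in": "4.0.0", "cvss": 5.3},
    {"id": "ADV-SAMPLE-003", "component": "example-cache",
     "min": "1.0.0", "fixed_in": "1.1.0", "cvss": 7.5},
]

@dataclass(frozen=True)
class Finding:
    application: str
    component: str
    version: str
    advisory: str
    cvss: float

def is_affected(version: str, adv: dict) -> bool:
    """A deployed version is affected if min <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv["min"]) <= v < parse_version(adv["fixed_in"])

def map_advisories(inventory: dict, advisories: list) -> list:
    """Return one Finding per affected (application, component), highest severity first."""
    findings = []
    for app, components in inventory.items():
        for comp, ver in components.items():
            for adv in advisories:
                if adv["component"] == comp and is_affected(ver, adv):
                    findings.append(Finding(app, comp, ver, adv["id"], adv["cvss"]))
    return sorted(findings, key=lambda f: (-f.cvss, f.application))
```

Note that billing-api runs example-http 4.0.0, the first fixed version, and example-json 2.3.1, so it produces no finding; the advisory for example-cache matches nothing because no application in the inventory ships it.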

Being a DevOps organization isn't easy, but it starts with recognizing the value of collaboration and working together to solve challenges before or as they arise. By accounting for security and support of component-based development approaches, organizations can extend their collaboration efforts beyond the silos and bring the right team together to build, maintain, and monitor production applications in a way that reduces cost and improves productivity.