@DevOpsSummit Authors: Elizabeth White, Dana Gardner, Yeshim Deniz, Stefana Muller, Liz McMillan

Related Topics: @DevOpsSummit, Linux Containers, @CloudExpo

@DevOpsSummit: Blog Feed Post

Continuous Delivery Requires New Approaches to Security By @madgreek65 | @DevOpsSummit #DevOps

The rate at which production changes occur requires us to take a fresh new look at securing systems

Continuous Delivery Requires New Approaches to Security

As companies embrace the DevOps movement, they rely heavily on automation to improve the time to market for new features and services. DevOps is a long, never-ending journey with a goal of continuously improving the software delivery process, resulting in better products and services and, ultimately, happier customers. At the beginning of their DevOps journeys, many companies focus on continuous integration (CI), in which they automate the build process. Automated testing is implemented so that builds will fail if any changes fail the baseline tests. The idea here is to never move bugs forward, catching them early in the process.

Once companies get good at implementing CI, continuous delivery (CD) is the logical next step. The idea with CD is to be able to deliver a clean, consistent environment along with the automated build. One of the biggest bottlenecks I see with clients is inconsistent environments. How often do we hear “it worked on my laptop” when a build fails in a testing environment? Too much time is wasted fixing environment issues, leading to lost productivity and a decrease in overall quality. CD aims at fixing all of this by ensuring that no matter what environment a build is deployed to, the configuration of that environment is always the same.

Companies that have implemented CD are usually in a position to deliver to production frequently, possibly even multiple times a day if necessary. This presents a challenge to the legacy methods of inspecting for security vulnerabilities. In the past, manual security reviews were a common method of inspecting software to protect against introducing new vulnerabilities into the production environment. Now that companies can deploy daily, manual inspection is no longer feasible. First, manual inspection doesn’t scale. By that, I mean that if a company has ten teams that can all deploy software each day, there is likely not a big enough security team in house that can respond to the constant need for security inspection. Even if there were enough security personnel to perform these inspections, it would be a full-time task for these people, and other tasks would fall to the wayside. Second, manual inspection would get in the way of the development teams and reduce the number of times they could deploy in a day, due to the constant need to stop the automation process to hold a meeting to manually inspect software.

Read about new ways to approach security in my latest post on the Virtualization Practice.

Read the original blog entry...

More Stories By Mike Kavis

Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Partners. He has served in numerous technical roles such as CTO, Chief Architect, and VP positions with over 25 years of experience in software development and architecture. A pioneer in cloud computing, Mike led a team that built the world’s first high speed transaction network in Amazon’s public cloud and won the 2010 AWS Global Startup Challenge.

An expert in cloud security, he is the author of “Architecting the Cloud: Design Decisions for Cloud Computing Service Models (IaaS, PaaS, SaaS)” from Wiley Publishing.

@DevOpsSummit Stories
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
As Cybric's Chief Technology Officer, Mike D. Kail is responsible for the strategic vision and technical direction of the platform. Prior to founding Cybric, Mike was Yahoo's CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. He has more than 24 years of IT Operations experience with a focus on highly-scalable architectures.
Traditional IT, great for stable systems of record, is struggling to cope with newer, agile systems of engagement requirements coming straight from the business. In his session at 18th Cloud Expo, William Morrish, General Manager of Product Sales at Interoute, will outline ways of exploiting new architectures to enable both systems and building them to support your existing platforms, with an eye for the future. Technologies such as Docker and the hyper-convergence of computing, networking and storage creates a platform for consolidation, migration and enabling digital transformation.
An edge gateway is an essential piece of infrastructure for large scale cloud-based services. In his session at 17th Cloud Expo, Mikey Cohen, Manager, Edge Gateway at Netflix, detailed the purpose, benefits and use cases for an edge gateway to provide security, traffic management and cloud cross region resiliency. He discussed how a gateway can be used to enhance continuous deployment and help testing of new service versions and get service insights and more. Philosophical and architectural approaches to what belongs in a gateway vs what should be in services were also discussed. Real examples of how gateway services are used in front of nearly all of Netflix's consumer facing traffic showed how gateway infrastructure is used in real highly available, massive scale services.
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.