Welcome!

@DevOpsSummit Authors: Yeshim Deniz, Stefana Muller, Elizabeth White, Liz McMillan, Pat Romanski

Related Topics: @DevOpsSummit, Containers Expo Blog, Cloud Security

@DevOpsSummit: Article

Performance Testers Secure IT | @DevOpsSummit #APM #DevOps #Microservices

The most important thing to think about is protecting personally identifiable information

Don't Feel Insecure! How Performance Testers Can Help Protect and Secure IT

Have you heard all the buzz about the latest security breach at the Office of Personnel Management? It has caused many government workers a lot of stress - and with good reason. The personal information of more than 21 million people is now in the hands of hackers. If you've worked for the government, or had a government background check in the last 15 years, you've probably been affected.

It's a big deal, yet also just the latest in a string of high-profile identity theft cases. Remember the Target fiasco from December 2013? It was the largest retail hack in history, affecting a whopping110 million people. They only just reached a settlement to create a $10 million fund for hacking victims. This all goes to show that, while security technology continues to improve, so do hackers. It's been a trend for quite some time.

Here's why: there is great profit in hacking. Rather than putting their skills towards the overall good, some hackers spend their time, energy and talent plotting how to get rich quick off of the misery of others. You can never be too careful. Security is on everyone's mind. Not too long ago, we talked about how beefed up security impacts load testing and we want to continue the conversation. How do you keep yourself and your company safe in the age of industrial and state-sponsored hacking?

Here are a few things you must know.

Don't Take It Personally: Protect Sensitive Information
When it comes to performance testing, the most important thing to think about is protecting personally identifiable information. If it falls into the wrong hands, we know what happens. You also need to be conscious of opening holes that allow hackers to get into the network and steal personal information. Follow your corporate standards and policies for security, as well as common best practices for strong passwords. Don't take shortcuts, as tempting as it can be. Keep these tips in mind when focusing on security:

1) Always Use Dummy Data for Testing Purposes
Never scrape names or credit card numbers from real users on your website and use them to create a bunch of scripts that test load and performance. All personal information used for load testing should be dummy data and not even remotely identifiable. That doesn't just mean eliminate names. Identities can be exposed even from metadata. Instead, invest in a dummy data generator. Be smart, and treat customer data as if it were your own.

2) Play It Smart in the Cloud
Companies tend to be more cautious when operating in the cloud. Conducting load testing from the public cloud is a great idea, but just make sure that you do it right. Remember, cloud based companies spend a lot of money on security and have entire teams monitoring security infrastructure all the time, and they probably have better resources at their disposal than you do. However, it's always a good rule of thumb to make sure that sensitive data never leaves the machines it was intended for. So keep that information out of the cloud when doing performance testing.

3) Communicate with Your Operations and Security Teams
If you conduct lowd testing from the cloud, work with your operations team to make sure that they know where your traffic will be coming from. Think about how they would react upon seeing a lot of network requests coming from cloud servers across the world. They may think it's a DDoS attack when in fact it's just your cloud-based load generators operating an organized test. They could accidentally do something that messes up your test and ruins hours of data gathering and monitoring. Don't distract them from their real job of finding and stopping the bad guys. Focus on working with them to put proper controls and identification parameters in place.

4) Control Any Public Tests
You will often need to test new software for performance with real users on live systems. This is often done publicly as part of a public beta or as an A/B test. Any public beta software should be shut down when no longer in use as these tests may not be fully vetted from a security perspective. Keep exposure brief and monitor it closely. When the test is complete, remove access instantly. You don't want a security hole to be discovered in temporary software that's a year old and not in use. For hackers, that looks like a pretty tempting access channel.

5) Keep All Software Patched and up to Date
Bring anything public-facing to the attention of your security team. They have processes to monitor software, update it, and control the environment. Check regularly for out-of-date apps that may contain active vulnerabilities, as unpatched software is one of the easiest ways for hackers to gain access to your systems.

Security First and Always
With all the recent hacks and security breaches, just discussing your security plan can be intimidating enough to put it off. Remember that the secret to security in performance testing is in the planning. With these tips in mind, you'll be well on your way to developing a security plan that protects the personal data of your company and users.

Photo: Pixabay

More Stories By Tim Hinds

Tim Hinds is the Product Marketing Manager for NeoLoad at Neotys. He has a background in Agile software development, Scrum, Kanban, Continuous Integration, Continuous Delivery, and Continuous Testing practices.

Previously, Tim was Product Marketing Manager at AccuRev, a company acquired by Micro Focus, where he worked with software configuration management, issue tracking, Agile project management, continuous integration, workflow automation, and distributed version control systems.

@DevOpsSummit Stories
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Traditional IT, great for stable systems of record, is struggling to cope with newer, agile systems of engagement requirements coming straight from the business. In his session at 18th Cloud Expo, William Morrish, General Manager of Product Sales at Interoute, will outline ways of exploiting new architectures to enable both systems and building them to support your existing platforms, with an eye for the future. Technologies such as Docker and the hyper-convergence of computing, networking and storage creates a platform for consolidation, migration and enabling digital transformation.
As Cybric's Chief Technology Officer, Mike D. Kail is responsible for the strategic vision and technical direction of the platform. Prior to founding Cybric, Mike was Yahoo's CIO and SVP of Infrastructure, where he led the IT and Data Center functions for the company. He has more than 24 years of IT Operations experience with a focus on highly-scalable architectures.
An edge gateway is an essential piece of infrastructure for large scale cloud-based services. In his session at 17th Cloud Expo, Mikey Cohen, Manager, Edge Gateway at Netflix, detailed the purpose, benefits and use cases for an edge gateway to provide security, traffic management and cloud cross region resiliency. He discussed how a gateway can be used to enhance continuous deployment and help testing of new service versions and get service insights and more. Philosophical and architectural approaches to what belongs in a gateway vs what should be in services were also discussed. Real examples of how gateway services are used in front of nearly all of Netflix's consumer facing traffic showed how gateway infrastructure is used in real highly available, massive scale services.
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.