Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

8/9/2017
01:50 PM
Curtis Franklin
Curtis Franklin
Curt Franklin
50%
50%

Defining DevOps for the Enterprise

Is there anything in the DevOps methodology that makes it impossible to use for secure development? To get the answer, first you have to define DevOps.

The software world is moving toward agile, and that's a good thing according to the speakers and attendees at Agile 2017, an industry conference taking place in Orlando, Fla. When agile expands to include both hardware and software, you can end up at DevOps, which promises continuous delivery of constantly improving software on a consistent, stable infrastructure.

But what, really, is devops? According to Amazon:

DevOps is the combination of cultural philosophies, practices and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.

Which is fine, but what does all this look like when put into practice?

A session at Agile 2017 sought to answer these questions. I sat in on the session and came away with several large impressions about DevOps -- impressions that have implications for IT generalists and security specialists alike.

Eliminate the seven wastes
In the Toyota production system on which much of agile is based, there are seven "mudas" or wastes, that must be eliminated in order to optimize a process. The seven are:

  • Overproduction -- When you make things before they're required, then you are over-producing. Don't make unnecessary things.
  • Waiting -- Whenever goods are not moving or being processed, the waste of waiting occurs. Waiting is wasting time.
  • Transporting -- When you move things around unnecessarily, it's a waste of transportation. This is true whether you're moving raw materials, physical product, people, or status messages.
  • Inappropriate processing -- When you subject things to processing they don't need just because it's the way things have always been done, you're committing the wast of inappropriate processing. Reviews that don't lead to quality improvement, and approvals that exist only to satisfy an ego are examples of this waste.
  • Unnecessary inventory -- When you have overproduction waste and you keep the items around, then you add unnecessary inventory to your waste list. This wastes space, money and energy -- if you can't justify, in process terms, keeping things around, let them go.
  • Unnecessary/excess motion -- Sometimes, a process includes motion that is the equivalent of the spinning beachball on a computer screen -- motion that exists for the sole purpose of reassuring managers that something is happening. Eliminate unnecessary motion and increase efficiency.
  • Defects -- In some ways, this is the worst sort of waste because defective products mean that the entire process has been wasted. Improving the product quality means that the process has been improved.

Into practice
Eliminating these wastes involves the introduction of several practical processes:

Automation -- "Deployment should be boring. If it's not, then you're not doing it right." Processes like deployment should be standardized as much as possible, and standardization leads to automation. In the ideal situation, a developer should be able to, at the end of the dev process, commit updates to the code repository and know that they will be tested, verified and deployed automatically.

A large percentage of all deployment problems come from human errors. Standardizing and automating the process means that errors will be reduced.

Infrastructure is software -- Treating infrastructure as software, where you check configurations in and out of a repository, sign off on all changes and have a record of all changes made. As with software, standardization makes boring deployment possible, and boring deployment is the gateway to automation.

A principled organization-- When DevOps is embraced, it must result in changes to the organization. Without the proper principles in place, DevOps can't be successful. What are the principles that enable DevOps?

  • Empowered individuals
  • Accountable individuals and teams
  • Teamwork
  • Trust
  • Transparency
  • Continuous learning/improvement
  • Feedback Loops
  • Data driven decisions
  • Standardization
  • Customer focus

Want to learn more about the tech and business cases for deploying virtualized solutions in the cable network? Join us in Denver on October 18 for Light Reading's Virtualizing the Cable Architecture event – a free breakfast panel at SCTE/ISBE's Cable-Tec Expo featuring speakers from Comcast and Charter.

You'll notice that there aren't a lot of "DevOps requires this product" descriptions in the list. The reason is that every organization will decide how these principles are demonstrated in their particular processes. Even within agile, there are many different methodologies, and those expand when an organization evolves from agile to DevOps.

If your organization uses DevOps, I'd love to hear from you. Do you see these principles in action within your company? Do you think these principles are important whether or not your company makes use of DevOps? This is a topic we'll be covering in much greater detail -- it would be great to have your experience in our coverage.

Related posts:

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...