Why security should be an enabler, not a hindrance, in DevOps today
Every development team, and every developer individually, is under increasing pressure to get new code into production as quickly as possible. Progress to that required speed and efficiency is made somewhat easier by Agile and DevOps methodologies, like CI/CD, but tighter deadlines, higher KPIs, and greater expectations are all ramping up the pressure.
And while no-one would suggest that a professional developer has a devil-may-care attitude to the security of their applications, it’s often the case that SecOps is seen as a hindrance to the required speed of getting code pulled, tested, and published. Conversely, SecOps sometimes regard DevOps as moving simply too quickly for necessary security and governance to be observed, potentially endangering the organization’s intellectual property, the end-users and/or the enterprise network.
The mismatch between the two parts — DevOps and SecOps — of what’s essentially the same machine is perhaps down to training and experience. Few professional developers are trained in today’s security methods and may not have specific knowledge above what they’ve managed to pick up over the years. Furthermore, as a career, cybersecurity is a less common avenue to follow — developers outnumber security experts by a factor of 100. Therefore, security is an uncommon area from which developers emerge: it’s not part of a “typical” career path, in that sense.
The mismatch between what SecOps might seek and what DevOps might achieve can lead to poor testing of new apps and services, lack of oversight, and processes that are too fast to “bake in” any good practice over and above, for instance, simple code-signing. Small wonder, then, that security is seen as a bottleneck in the overall development process, and once it becomes such (or is even seen as being such), it becomes an issue to get around, to ignore, or just to give lip service to.
At present, CI/CD pipelines have limited-to-no security built in, so security will sometimes be inconsistent at best, and often regarded as “somebody else’s problem.” But rather than make security everyone’s problem, app security best practices can be made a seamless part of DevOps workflows. And while that doesn’t mean that anyone can take their eye off the ball, it does ensure that security concerns and goals become an integral part of the movement of code through to production.
Policy to Pipeline
The key to any security-as-code solution is one of creating a structure that provides guardrails, rather than obstacles. The NGINX App Protect addition to the NGINX Plus solution creates just those guardrails for developers and security teams, working towards the same goals. Those guiding structures are present for microservice deployments, services hosted across hybrid clouds, and even complex, scalable architectures typical of cutting-edge development.
For those readers not conversant with the NGINX Plus offering, it’s an all-in-one solution providing load balancing, proxying and a gateway into the rich infrastructure of today’s applications and services, be they hosted in-house or on multiple clouds. With NGINX App Protect, enterprises also get the most advanced protection on today’s market, controlled and overseen by the same centralized point of control that’s used to manage NGINX Plus’s other modern application delivery platform features.
While scrutiny and administration are central, application security is easily adapted for different service-types and sensitivities: more open for closed development activities like test labs or sandboxes but ratcheted up to protect end-users in live, production environments.
Controls are automated, so security integrates seamlessly into the DevOps pipeline. There’s security at each stage of the development cycle, ingress control for entry into Kubernetes environments, and, for total granularity, secure proxies on a per-service and per-pod basis.
The same oversight for containers and monolithic apps extends to API gateways, so however your applications and services are addressed and accessed, the NGINX App Protect system acts as a virtual layer of protection.
With 85 percent of applications (according to F5’s 2018 user survey) running on a combination of monolithic and microservices, deploying security policy is otherwise a complex task; here it becomes much simpler, and therefore quicker. Policies can be applied across the technology stack rather than patched in after the fact, and sudden recalls and rollbacks due to security concerns become a thing of the past.
The pressures faced by development teams should not prevent the proper implementation of security, nor should the overall time-to-production be lengthened. But understandably, missed KPIs can make colleagues feel they are working at cross purposes and at different rates.
With the NGINX App Protect platform, all SecOps and DevOps personnel will have a single goal, that of an agile and responsive IT function that’s able to quickly — and safely — bring new applications and services to market without compromise.
To learn more about the NGINX App Protect facility of the NGINX Plus offering, you can read more here. Development process streamlining has never been so secure.