DevOps Ignoring Security Code Quality
TVP Strategy (formerly The Virtualization Practice) reports that DevOps is failing to mitigate security flaws in code quality, in a finding from its current ongoing research on secure agile cloud development architecture and process. TVP Strategy's research investigates how to add automated security to continuous integration and deployment without changing what developers do, thereby regaining code quality and improving DevOps. 

This research provides a reference architecture that enables businesses to retain a grasp on code quality by advising on steps for maintaining code security. "In many cases, we have observed that DevOps is egregious at identifying security flaws in its penchant for rapidly releasing code," commented Edward L. Haletky, CEO and Principal Analyst, TVP Strategy. "Our research provides best practices and a non-judgmental approach to code quality that delivers long-term business benefits."

TVP Strategy has worked with DevOps domain experts, such as Andi Mann, to peer-review their research to ensure it meets the demands of both the business and development. "While DevOps helps drive agility, velocity, and more, it is often too easy for DevOps teams to overlook application security. So, I am excited that this research provides pragmatic recommendations on using data analytics to help ensure code quality and application security," stated Andi Mann, Chief Technology Advocate, Splunk.

The research discusses four key areas:

  • Code quality metrics - Measuring the adherence of code to security, performance, and compliance policies using automated static and dynamic processes
  • Single pool of data - The business interprets the same data differently than development does, thus creating a dichotomy between development and operations. TVP Strategy suggests adopting a methodology that provides the same view in order to enable the same interpretation, therefore removing "finger pointing"
  • Breach detection - Knowing all the decisions made to push out a code change makes it possible to add data on these decisions to breach detection, aiding efforts to determine exactly what changed to allow the breach. This architecture shows where to place logging to capture these decisions, both human and machine
  • The cost to businesses of security flaws, such as API leakage - These costs can result in significant losses for businesses. The architecture shows how to feed costs and threats into automated continuous analytics

The compilation of research is ongoing, but it has already been the subject of a BrightTALK webcast entitled Securely Implementing Cloud Native Applications and will also be discussed on a forthcoming BrightTALK webcast entitled Deliver Applications Faster, Safer, and Better with Data-Driven Decisions. Commentary has also started on the TVP Strategy site. Version one of the final paper will be launched between VMworld Las Vegas and VMworld Barcelona.

Published Tuesday, August 09, 2016 8:13 AM by David Marshall