DevSecOps IN PRACTICE

The Three Faces of DevSecOps
DevSecOps is here to stay, as more vendors use the term. But what is it? A security solution that supports DevOps technologies, or adapts to DevOps methodologies, or embraces the DevOps philosophy?

A Security Approach for a Cloudy World
Does your approach to application and data center security change when adopting cloud services? InfoQ reached out to Pete Cheslock, from Threat Stack, to learn more.

Automate Security Into Your DevOps Pipeline
The InfoQ eMag / Issue #70 / April 2019

IN THIS ISSUE

DevSecOps

by Guy Podjarny, cofounder at Snyk.io

DevSecOps is here to stay, as more vendors use the term. But what is it? A security solution that supports DevOps technologies, or adapts to DevOps methodologies, or embraces the DevOps philosophy?

DevSecOps is a hot buzzword these days, and I love it – as well as hate it.

I love it because it embodies a goal the app sec industry, myself included, has been trying to accomplish for years – getting developers to own security. This simple buzzword gives our mission a name and helps its momentum, driving it towards becoming the norm.

I hate it because, like all buzzwords, it doesn’t properly reflect the high complexity behind this journey. Security is a broad topic, spanning infrastructure, application code, network stacks, third-party vendors, and, of course, people. Changing how we apply security involves a lot of detail, but buzzwords don’t have room for such nuance. Inevitably, different people use it for different meanings – or at least emphasize different parts.
This isn’t surprising, and many buzzwords have a similar effect. More specifically, if you get three experts in a room you’ll get 4 different interpretations of the term DevOps, and 5 of the term Cloud. While we’ll never get to a single definition, writing down the different points of view still helps, as they give us a way to classify what someone means when they use the term.

Looking at its different uses, I see three primary meanings attributed to the term DevSecOps. These views represent different milestones in the DevSecOps journey and align to common interpretations of the term DevOps itself. Let’s go through each and dig one layer deeper into this wonderful and horrible term.

DevSecOps as “Security for DevOps Technologies”

Perhaps the most literal translation of DevSecOps is to describe security solutions for the wave of technologies DevOps brought along. Technologies like cloud, containers and serverless, to name a few, are key players in the DevOps movement. Each of these offers new functionality and introduces new technology stacks, which in turn have specific security needs.

The first step in supporting these technologies is taking an existing security product, which is used primarily on older stacks, and adding the technical components necessary to use it in a DevOps environment. These are mostly minor adaptations of existing tools – as opposed to a substantial change in the way the tool operates – simply meant to support the new surroundings.

Let’s take container security as an example. Symantec, McAfee, TrendMicro and others offer endpoint security solutions which include anti-malware, monitoring for malicious network activity and more. These mature products have long worked for servers and virtual machines, and conceptually apply to containers just as much. However, the division of controls between the container and the machine hosting it, along with various other technical differences, prevented these products from supporting containers out of the box and required them to adapt. A good example of that is TrendMicro’s Deep Security product, which added container support in version 10 with a new split of responsibilities between the host machine and the container. This change was enough for them to claim participation in the DevSecOps movement, although the product is still primarily used in a traditional security context.

One step further down the path of securing DevOps technologies are security solutions that address the new security needs these technologies introduce. Examples here include CloudCheckr and Evident.io inspecting cloud configurations to find storage buckets inadvertently left publicly accessible (and other issues, as can be seen in the figure below), or Snyk looking for vulnerabilities in open source libraries. Handling newer technologies requires novel thinking, and is often harder for incumbents who are already predisposed and structured to older ways of thinking. It is therefore typically the domain of startups, with big
companies stepping in via acquisitions as opposed to building a solution from scratch.

Containers exemplify this scenario well. The fact that the isolation between the host and the container isn’t perfect created a new risk – having malicious code running in a container break out of the container sandbox and impact the host machine. Since the same physical host often runs containers at different levels of sensitivity or even belonging to different owners, sandbox escaping is a real and immediate threat. This and additional new risks introduced by containers opened the door to startups focusing specifically on container security, such as Sysdig, Aqua and Twistlock, who harden the container and flag attempts to break out of it. These startups typically identify themselves as DevSecOps companies through and through.

In both cases, the term DevSecOps refers to securing DevOps technologies. That said, some of these solutions naturally bleed into the way we apply DevOps too, which gets us to the next meaning…

DevSecOps as “Security for DevOps Methodologies”

Beyond its technologies, DevOps drove adoption of powerful new methodologies, such as continuous delivery (CD) and microservices (followed by serverless). These techniques lead to faster development and more granular components, both of which quickly break existing security methodologies.

Once again, these new approaches require an evolution for existing players. Let’s look at CI/CD as an example.

The adoption of continuous delivery means “stopping for an audit” in the midst of the release process is no longer acceptable, requiring strong automated security tests in the pipeline instead. This demand for automation drew attention to static application security testing (SAST) tools, but these took too long – often hours – to complete a single code scan, which isn’t viable in a frequent build environment. To adapt, most SAST tools introduced a concept of incremental scans, only testing the code that changed. These scans complete faster and can therefore fit inside the pipeline. Once again, these tweaks are often featured as a demonstration of DevSecOps prowess.

While such adaptations are important, they’re often not enough. Some new methodologies don’t just change the technical setup, but also break core concepts existing tools rely on, requiring a rethinking of the entire product – again a realm where startups

Beyond overcoming the chal-

interpretation of DevSecOps than

footsteps. To truly address secu-

thus the less likely they are to do

This is no longer a theoretical op-
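The incremental-scan idea described above (re-examine only the code that changed, so the check fits inside a frequent build) is easy to state and slightly fiddly to get right. The Python below is an added example and is not code from the article or from any SAST vendor it names: it keeps a JSON manifest of per-file content hashes from the previous run, rescans only files that are new or whose hash changed, and carries forward the cached findings of untouched files so every run still produces a complete report. The hard-coded-secret regex is a stand-in for a real analyzer, and the manifest file name, the sample source files and the two-run demo are all constructed.

```python
"""Incremental code scanning keyed on content hashes (added example)."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Toy rule standing in for a real analyzer: flag hard-coded credentials.
SECRET_RE = re.compile(r'(?i)(password|api_key)\s*=\s*["\'][^"\']+["\']')


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_file(path: Path) -> list:
    """Return (line_no, text) pairs for every line matching the toy rule."""
    findings = []
    for no, line in enumerate(path.read_text().splitlines(), 1):
        if SECRET_RE.search(line):
            findings.append((no, line.strip()))
    return findings


def load_manifest(manifest: Path) -> dict:
    return json.loads(manifest.read_text()) if manifest.exists() else {}


def incremental_scan(root: Path, manifest: Path, pattern: str = "*.py") -> dict:
    """Scan only files absent from the manifest or whose hash changed.

    Returns {"scanned": [...], "skipped": [...], "findings": {path: [...]}}
    and rewrites the manifest so the next run skips unchanged files.
    Findings for unchanged files are taken from the cache, so the report
    is complete even though only the delta was analysed. Files that
    disappeared simply drop out of the new manifest."""
    seen = load_manifest(manifest)
    new_manifest, scanned, skipped, findings = {}, [], [], {}
    for path in sorted(root.rglob(pattern)):
        rel = str(path.relative_to(root))
        digest = sha256_of(path)
        entry = seen.get(rel)
        if entry and entry["sha256"] == digest:
            skipped.append(rel)
            new_manifest[rel] = entry            # carry forward cached verdict
            if entry["findings"]:
                findings[rel] = [tuple(f) for f in entry["findings"]]
            continue
        file_findings = scan_file(path)
        scanned.append(rel)
        new_manifest[rel] = {"sha256": digest, "findings": file_findings}
        if file_findings:
            findings[rel] = file_findings
    manifest.write_text(json.dumps(new_manifest, indent=1))
    return {"scanned": scanned, "skipped": skipped, "findings": findings}


def run_demo() -> tuple:
    """Constructed sample tree: two runs, the second after editing one file."""
    root = Path(tempfile.mkdtemp(prefix="incscan-"))
    src = root / "src"
    src.mkdir()
    (src / "config.py").write_text('API_KEY = "constructed-sample-key"\n')
    (src / "util.py").write_text("def add(a, b):\n    return a + b\n")
    manifest = root / ".scan-manifest.json"      # constructed manifest location
    first = incremental_scan(src, manifest)
    (src / "util.py").write_text("def add(a, b):\n    return a + b\n\nTOTAL = 1\n")
    second = incremental_scan(src, manifest)
    return first, second


if __name__ == "__main__":
    first, second = run_demo()
    print("first run scanned:", first["scanned"])
    print("second run scanned:", second["scanned"], "skipped:", second["skipped"])
    print("findings:", second["findings"])
```

Hashing content rather than trusting timestamps or a VCS diff means a file rewritten by a merge or a generator is still rescanned, and caching per-file verdicts keeps the output a full report rather than a delta, which is what a pipeline gate actually needs.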
Five Lessons from DevOps

New approaches in security are needed to address the challenges of DevOps. They must incorporate practices that rely on
auditability, and mirrored systems.

As DevOps becomes increasingly crucial to the modern enterprise, security professionals must ask themselves what they can learn from this culture shift. DevOps is a blend of organizational ideas, processes, and software tools that has enabled some of the world’s largest companies to improve productivity, achieve faster time to market, and deliver higher-quality products that impact their bottom lines at blazing speeds. Enterprises like Netflix, Google, and Amazon are examples of high-performing, agile organizations that consider DevOps to be foundational to the success of their digital businesses.

Companies with effective DevOps practices understand that in the technology-driven, winner-take-all, competitive landscape, a business’s success often depends on its ability to continuously learn, innovate, and more quickly deliver cutting-edge, customer-delighting products. At the same time, this creates challenges for other organizational functions such as security. Delivering distributed applications more quickly and easily substantially increases risk to businesses that cannot secure them at the same speed at which they are deployed and scaled. Security workflows, tools, and operations must change to keep up.

More recently, the need to bal-

teams favor applications that are
high levels of automation and scalability that are designed to make infrastructure fully programmable. For example, Netflix has focused on automating the company’s entire software-release platform so that it can scale on demand to thousands of servers in minutes, ensuring that customers always have access to their content. Automation has the added benefit of reducing the likelihood of manual operator error, which is a frequent source of costly service interruption or downtime.

Security lessons: Security’s mandate is to mitigate the risk and impact of attacks on the business. Achieving automation enables faster time to detection, which gives security teams more time to optimize response and recovery. As new applications are continuously deployed and scaled at the speed of the cloud, attack surfaces can scale and change just as constantly and quickly. Thousands of microservices applications may be launched or destroyed within the span of a few seconds, leaving gaps in visibility and data collection. Security tools must incorporate automation and scalability to keep up with these new application delivery models in order to minimize potential attacks while preserving existing developer toolchains. Automating the runtime security lifecycle also mitigates the likelihood of configuration errors that attackers can potentially exploit, helping to reduce security incidents. Relying on traditional, fragmented, manual security processes is no longer sufficient.

Use standardized configurations

In DevOps, teams take advantage of consistent baseline configurations to identify operational issues more easily. Teams package “infrastructure as code” in the form of base images, applications, and dependencies needed to run services. This ensures that systems are identical and reproducible and drives better operational hygiene. Monitoring for deviations against standardized configurations allows operators to quickly identify and troubleshoot issues. Treating infrastructure as immutable, so that running systems are never reconfigured, is increasingly becoming a best practice that is facilitated by the adoption of application container technologies such as Docker. Running systems are simply replaced with new ones that incorporate any desired changes. This approach allows teams to easily stop problematic systems and relaunch into known, good states at the same time.

Security lessons: Security teams can similarly implement approved security configurations, fingerprinting, and profiling to reveal potential issues. These standardized configurations are expected to conform to normal system activity. Runtime activity that diverges from normal settings can highlight anomalous or malicious patterns that reflect live attacks or indicators of compromise. When detecting such activity, security teams can treat infrastructure as immutable to quickly stop impacted systems and launch new, unaffected ones without having to deal with the complexity of patching live systems.

Maintain an auditable “source of truth”

DevOps culture helps foster greater collaboration across teams by using techniques like revision tracking and version control to maintain full transparency, improve change management, and streamline system recovery. Modifications to configurations are recorded to capture details such as when the change occurred, who requested the change, and the impact of the change. Using this approach, development and operations gain deeper visibility into the complete lifecycle of both applications and infrastructure, which helps facilitate better cross-functional communications and greater accountability.

Security lessons: Security teams should ensure that they implement tools to collect comprehensive data from all systems to maintain an actionable “source of truth” that is readily accessible. Currently, most datasets are either siloed or aggregated in a centralized SIEM system without the necessary modeling required to make them actionable. Even

now use dual active/passive
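The “standardized configurations” lesson above combines two steps a security team can automate: compare what a running system reports against the approved baseline, and turn any deviation into a recorded, auditable decision (replace the instance, as immutable infrastructure allows, or investigate). The Python below is an added example written for this page, not tooling from the article or from any vendor: the baseline, the two “running” snapshots, the key names and the severity map are all constructed.

```python
"""Baseline-versus-running configuration drift check (added example)."""
from datetime import datetime, timezone

# Constructed approved baseline for a web-tier image.
BASELINE = {
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "packages.openssl": "1.1.1k",
    "listening_ports": [22, 443],
    "users": ["app", "deploy"],
}

# Constructed severity map: deviations here warrant replacing the instance.
CRITICAL_KEYS = {"sshd.PasswordAuthentication", "sshd.PermitRootLogin",
                 "listening_ports", "users"}


def diff_config(baseline: dict, running: dict) -> list:
    """Return one record per key whose running value deviates from baseline.

    List-valued keys are compared as sets so ordering differences are not
    flagged; keys present only on the running system are reported as
    'unexpected', keys missing from it as 'missing'."""
    drifts = []
    for key, expected in baseline.items():
        if key not in running:
            drifts.append({"key": key, "kind": "missing",
                           "expected": expected, "actual": None})
            continue
        actual = running[key]
        if isinstance(expected, list):
            extra = sorted(set(actual) - set(expected))
            absent = sorted(set(expected) - set(actual))
            if extra or absent:
                drifts.append({"key": key, "kind": "changed", "expected": expected,
                               "actual": actual, "added": extra, "removed": absent})
        elif actual != expected:
            drifts.append({"key": key, "kind": "changed",
                           "expected": expected, "actual": actual})
    for key in sorted(set(running) - set(baseline)):
        drifts.append({"key": key, "kind": "unexpected",
                       "expected": None, "actual": running[key]})
    return drifts


def decide(host: str, drifts: list, now=None) -> dict:
    """Turn drift records into an auditable decision: 'replace' the host when
    any critical key deviates (the immutable-infrastructure response),
    'investigate' for non-critical drift, 'ok' when there is none."""
    now = now or datetime.now(timezone.utc)
    critical = [d["key"] for d in drifts if d["key"] in CRITICAL_KEYS]
    action = "ok" if not drifts else ("replace" if critical else "investigate")
    return {"host": host, "checked_at": now.isoformat(), "action": action,
            "critical": critical, "drift_count": len(drifts)}


# Constructed snapshots of two running instances.
RUNNING_OK = {**BASELINE, "listening_ports": [443, 22]}   # same set, new order
RUNNING_DRIFTED = {
    **BASELINE,
    "sshd.PasswordAuthentication": "yes",       # password logins re-enabled
    "listening_ports": [22, 443, 4444],         # listener the image never had
    "users": ["app", "deploy", "tmpadmin"],     # account not in the baseline
    "cron.unreviewed_job": "*/5 * * * *",       # key absent from the baseline
}

if __name__ == "__main__":
    for host, snapshot in (("web-1", RUNNING_OK), ("web-2", RUNNING_DRIFTED)):
        drifts = diff_config(BASELINE, snapshot)
        print(decide(host, drifts))
        for d in drifts:
            print("   ", d)
```

The decision record carries the timestamp, host and the keys that triggered it, which is the minimum the “source of truth” lesson asks for: later questions of when a system was replaced and why can be answered from the record rather than from memory.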
Pete Cheslock

As the head of Threat Stack’s operations and support teams, Pete Cheslock is focused on delivering the highest level of service, reliability, and customer satisfaction to Threat Stack’s growing user base. An industry veteran with nearly 20 years’ experience in technical operations, he understands the challenges and issues faced by security, development, and operations professionals and how we can help. Prior to Threat Stack, Pete held senior positions at Dyn and Sonian, where he built, managed, and developed automation and release engineering teams and projects.

InfoQ: Have the on-demand, self-service capabilities of cloud IaaS forced a change in an organization’s security approach? If so, how?

Pete Cheslock: Absolutely. Before, security teams could tie themselves into the procurement process to ensure that all systems and applications would meet standards before being deployed and consumed by customers. But now, anyone at the company can go and create an account for a cloud provider and start deploying their services. Commonly referred to as “shadow IT” — we’ve seen countless companies where they will have dozens or hundreds of AWS accounts as a way to get access to computing resources their internal technical teams are unable to help them with. Now devs and even ops teams can circumvent security policies and leave their security teams behind to clean up the mess.

InfoQ: In past talks, you’ve covered how companies build security into their process from the start. Does that practice look different if your company already has a dedicated information security team?

Cheslock: In many ways, the steps to bring security into an existing DevOps process at a small company can work at a big company as well. The goal is working with your security teams
to involve them in the tooling and workflows your dev and ops teams are already using (like continuous integration and delivery). Another goal for companies that don’t have a dedicated security team, or have no idea where to start, is to start small and not attempt to boil the ocean.

InfoQ: What are areas where technical staff take the cloud for granted and assume that their workloads are inherently secure?

Cheslock: Many times, people think that using open source means their code is secure, assuming that “many eyes makes secure code”. That concept has been proven wrong time and time again, with many vulnerabilities in core pieces of open-source technology. Closed-sourced vendors are no safer, as we’ve seen many news reports of critical vulnerabilities in closed-sourced software and hardware as well. Since no one is safe, leverage MITRE and the National Vulnerability Database to help people understand their risk, help them prioritize their security updates, and finally talk about the risk and reward of nightly security updates and what it means to your business.

InfoQ: Conversely, are there native cloud capabilities that companies *should* use that relieve them of a particular aspect of security?

Cheslock: The great news is that cloud providers like AWS are doing great things in the security space to help their users understand better what is going on. If you are running on AWS, you can get tools such as CloudTrail to audit all the API calls on your account and you can use AWS Config in order to audit your systems and ensure they meet your compliance rules. Finally, you leverage the EC2-VPC (which is default for all new AWS customers) to segment your systems behind private non-routable networks and use network ACLs to restrict access. In many cases, the tools are there to be more secure running in the cloud; users just need to learn what they all are.

InfoQ: Should companies wean themselves off perimeter security as a dominant application security strategy, and if so, how?

Cheslock: When moving to the cloud, you can still attempt to maintain a perimeter by routing
all your traffic through your internal data centers, but eventually you may move off your internal data centers entirely so you have to be prepared. The reality is that many companies use endpoint security tools to track and monitor their users’ laptops and mobile devices. We need to take the same tactic with our servers as well. Every server running code is an endpoint, and enabling a continuous security-monitoring tool can help you track and identify more than just zero-day exploits. They can help you identify internal bad actors who might be stealing intellectual property using valid credentials. The risks to a company come from inside often as much as from remote attackers.

InfoQ: What security aspects should NOT be lifted and shifted from on premises to a cloud environment?

Cheslock: We mentioned this a bit in the previous section, but edge-based network-security-monitoring tools. The challenge you can get into is that in the cloud every one of your systems could be acting as an endpoint, and the edge of the network could be wider than you would normally experience in a single datacenter. The challenge comes into play when companies go multi-cloud — now you need to deal with disparate networks and providers that in many ways don’t natively integrate.

InfoQ: Do your security recommendations change if someone moves up the stack from bare metal or virtual cloud servers up to PaaS or functions?

Cheslock: Providers such as Heroku, Google Cloud Functions, and AWS Lambda really make the concept of securing your systems more interesting when you don’t have any servers to run your code on. These are often referred to as serverless — your code executes inside a provider on systems that you likely don’t have any control over. In many ways, this can help make you more secure as you are reducing the number of endpoints you need to secure. But in the end, this pushes your security challenges over to the providers themselves. AWS uses their Identity and Access Management (IAM), meaning you are now in full control of providing access to your functions. You need to ensure the security is as least-privilege as possible. Additionally, your code needs to get to the provider somehow, which means you’ll be running systems that do the continuous integration and deployment — that is where security testing and static code-analysis tools come in, at the build and deployment side.

InfoQ: How does data security — including access control, encryption at rest and in transit, change data logging — look different in a services world?

Cheslock: Often, when companies run inside their own data centers on networks they own, they will run many of their services likely not thinking about encryption. This assumes that physical security can help them beat this problem. When moving to the cloud and shared infrastructure, encrypting your data at rest can be critically important to ensure data is not leaking due to bugs or errors with the provider. Additionally, when running on someone else’s infrastructure, you need to ensure you are using TLS to secure your services internally, similarly to how we run SSL/TLS on our external websites. Many tools make this very easy to do nowadays.

InfoQ: Is it a false choice to decide between speed and safety?

Cheslock: In the past, we used to have to choose between speed of deployment and the safety of deploying and managing that code. Those were the pre-DevOps conversations: how can we both move fast and stay highly available? Well, in many ways those are now considered solved problems. We are now at the point of asking the same questions in the DevOps and security spaces. I think using many of the tools and technologies that enabled devs and ops to work better together, we can tie security into those same processes and procedures and move quickly while increasing our security posture.
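Two passages in this issue come down to the same kind of check over AWS-style JSON policy documents: Guy Podjarny’s mention of tools that inspect cloud configurations for storage buckets inadvertently left publicly accessible, and Pete Cheslock’s point above that access to functions must be kept as least-privilege as possible. The Python below is an added example for both, written for this page rather than taken from the article, the interview or any vendor product: it normalises the policy language’s scalar-or-list fields, then flags bucket-policy statements that allow access to the anonymous principal and IAM statements that grant wildcard actions or a wildcard resource. Both policy documents, the account id and the role and bucket names are constructed samples, and the rules are a simplified illustration rather than a complete rule set.

```python
"""Static checks over AWS-style JSON policy documents (added example)."""
import json


def statements(policy: dict) -> list:
    """Normalise a policy so each Statement is a dict whose Action, Resource
    and Principal are lists (the policy grammar allows a scalar or a list,
    and Principal may be the string "*" or an object such as {"AWS": ...})."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    out = []
    for s in stmts:
        n = dict(s)
        for field in ("Action", "Resource"):
            v = n.get(field, [])
            n[field] = [v] if isinstance(v, str) else list(v)
        p = n.get("Principal", {})
        if p == "*":
            n["Principal"] = ["*"]
        elif isinstance(p, dict):
            aws = p.get("AWS", [])            # service principals are not "everyone"
            n["Principal"] = [aws] if isinstance(aws, str) else list(aws)
        else:
            n["Principal"] = list(p)
        out.append(n)
    return out


def find_public_statements(bucket_policy: dict) -> list:
    """Bucket-policy statements that Allow the anonymous principal ('*' or
    {"AWS": "*"}), which is how a bucket ends up world-readable."""
    hits = []
    for s in statements(bucket_policy):
        if s.get("Effect") == "Allow" and "*" in s["Principal"]:
            hits.append({"sid": s.get("Sid"), "actions": s["Action"],
                         "resources": s["Resource"]})
    return hits


def find_overbroad_grants(iam_policy: dict) -> list:
    """IAM statements that violate least privilege: an Allow with a wildcard
    action ('*' or 'service:*') or with '*' as the resource."""
    hits = []
    for s in statements(iam_policy):
        if s.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in s["Action"] if a == "*" or a.endswith(":*")]
        wild_resource = "*" in s["Resource"]
        if wild_actions or wild_resource:
            hits.append({"sid": s.get("Sid"), "wildcard_actions": wild_actions,
                         "wildcard_resource": wild_resource})
    return hits


# Constructed sample: a bucket policy with one statement open to everyone.
BUCKET_POLICY = json.loads('''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}''')

# Constructed sample: a function execution role with more than it needs.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/fn:*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("public bucket statements:", find_public_statements(BUCKET_POLICY))
    print("over-broad role grants:", find_overbroad_grants(LAMBDA_ROLE_POLICY))
```

The normalisation step is where most hand-written policy linters go wrong: a rule that looks for `"Principal": "*"` as a string misses the equivalent `{"AWS": "*"}` form, and a rule that expects `Action` to be a list crashes on the single-string form. Treating conditions is deliberately left out; a statement with a `Condition` block may be narrower than these checks assume and should be reviewed rather than auto-passed.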
SPONSORED ARTICLE

3 DevOps Security

Security: Too Slow to Join the DevOps Squad?

Secure DevOps is a relatively new approach, and up until recently, not many people thought it was a good fit. Even security experts point out that incorporating security people into the DevOps cycle can be challenging.

Security expert Michele Chubirka says in her blog that, “While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program.”

This led to a situation where the security team was essentially out of the DevOps picture, unable to have a real impact on the final product in an efficient manner.

Secure DevOps: Where DevOps and Security Can Play Nice

Over the past few years, more and more enterprises and organizations have been making a concerted effort to shift security practices left and implement security throughout the DevOps cycle, ensuring that it doesn’t impede time to market.

According to recent DigiCert research, organizations are already invested in secure DevOps. Research results show that 49% of the organizations surveyed said that they are in the process of integrating security with DevOps and that another 49% said that they already completed their DevOps security integration.

Ensuring a Smooth Ride: 3 DevOps Security Barriers & How to Overcome Them

Change is never easy for an organization, and managing a secure DevOps cycle is quite a transition on many levels. Teams and experts need to adjust themselves to a new organizational structure, new processes need to be adopted, new skills need to be developed, and new tools need to be integrated. As companies continue to adopt a secure DevOps approach, they should be aware of the common challenges management teams face as they set out on this journey.

Here are a few barriers organizations face on the road to ensuring an efficient and innovative secure DevOps cycle:

#1 Teamwork Makes the Dream Work

Adopting a secure DevOps approach requires teams and experts that aren’t used to working together to cooperate, creating and maintaining a development lifecycle that delivers quickly and securely.
Four Steps to Continuous Security in Container Deployment

by Fei Huang, Co-Founder & CEO of NeuVector

Containers face security risks at every stage, from building to shipping to

Containers face numerous security risks at every stage of the deployment process, from building to shipping to the run-time production phases. These threats make achieving continuous security essential to the integrity and safety of containers. However, often these security measures are skipped or overlooked in the rush to get the CI/CD pipeline flowing faster. Many businesses are paying the price for implementing poor security years ago. Hopefully, these mistakes won’t be repeated in the migration to a containerized environment.

containers forced to eat up system resources to crash other containers, and plenty others.

Many of these attacks start with previously undetected vulnerabilities, which can lie dormant for years. Attackers exploit these to gain a foothold, and then expand into other hosts or containers.

Apache Struts exploit used in Equifax breach

Apache Struts is a widely used framework for creating web applications in Java. It was initially believed that attackers used a newly published Struts vulnerability, CVE-2017-9805, to access the Equifax data in 2017, but an Equifax announcement indicated that it was vulnerability CVE-

SambaCry is a seven-year-old

Linux Stack Clash

Here are the measures you can

Step 2: Ship phase

Step 3: Run-phase preparation

Step 4: Run-phase production

Run-time in production environments is the most crucial phase when it comes to container security. This is the battleground where hackers will attempt to exploit any vulnerabilities they’ve discovered, and security efforts must detect and thwart those attempts. Hacker actions will include a kill chain, the series of events that occur as the hacker moves from the host or another container to the targeted exploit point. This chain of events often presents several chances to detect and prevent the hacker’s activities with these techniques:

Conclusion

With the right strategy in place to integrate security tools and automate policy, continuous container security that offers protection throughout the container deployment process can be achieved.
Developing a Secure and Scalable Web Ecosystem at LinkedIn

by Mira Thambireddy, information security engineer at LinkedIn, and James Baker, Senior Software Engineer at LinkedIn

LinkedIn’s hyper-growth placed strains on the organization’s infrastructure. A new release model was instrumental to scale and led to increased code quality, security, and member satisfaction.

Between 2008 and 2014, LinkedIn’s global member base grew from 16 million members to 330 million members, straining our organization’s infrastructure. As our member base grew, we needed more insight into how our members were using our platform and what product lines we could introduce to best serve them.

Scaling through hyper-growth

The company produced numerous internal, web-based applications that engineers, product managers, executives, and operations teams used to perform a variety of crucial tasks such as A/B testing, application deployment and lifecycle management, reporting, analytics, and more. Teams also undertook new approaches to solve technology problems, introducing and vetting a number of different languages, frameworks, and tools. Such growth and experimentation resulted in a lack of uniformity among technologies and solutions between
groups, which created strain as engineers were hired to fill roles within emerging teams.

Languages such as Python, Ruby, Java, Scala, JavaScript, and others emerged in various organic efforts or acquisitions that peppered the ecosystem with incompatible but useful solutions. Mind you, this exploration was a healthy and intentional endeavor to find the best long-term solutions for problems we sought to solve. Teams were encouraged to seek out technologies that they felt might benefit the organization and this exploratory process was instrumental in helping us define what we would lean on, long term, as a scaling and notable organization in Silicon Valley and across the globe.

By mid-2015, several dozen active projects had surfaced with various implementations, frameworks, and libraries. Because of the varying approaches, teams struggled to share code and, though repositories and artifacts were in place, the implementations themselves lacked uniformity. In the case of JavaScript, some used a composite of libraries and micro-libraries like jQuery and Backbone.js; some teams used popular frameworks while others rolled their own. A growing uncertainty loomed over how we would approach building front-ends for applications, how developers could share common logic across teams, and how we could streamline best practices for developer ergonomics and satisfaction.

This growing number of varying technologies also introduced a security debt over time. Having a large number of frameworks, languages, and components made it increasingly difficult to assess the security posture of the applications built on top of it. Additionally, this undermined the efforts to move towards releasing a common framework-level security solution to eliminate certain classes of vulnerabilities.

The impact of a slow deployment process

Around this same time, our complex infrastructure for the Linkedin.com website alone surpassed 3,000 submodules across more than 6 million lines of code, all within a single repository trunk. This trunk approach was governed by a tedious monthly release cycle that encompassed hundreds of engineers across various teams. Prior to each release, a release candidate (RC) was selected and handed off to our testing teams for four days of manual regression testing. If they found any bugs, we made hotfixes to the RC to avoid disrupting the deployment. Engineers rushed to get their code checked in before the deadline to avoid having to wait an entire month to deliver their features or bug fixes to members.

Such a serial and time-sensitive process had to be meticulously timed with product managers and marketing partners to coincide with their plans for new feature releases. It wasn’t easy to iterate on member feedback within this infrequent cadence of 12 releases per year.

Further, prevention and remediation of potential security vulnerabilities strongly depended upon the deployment and release process. It was imperative that once a fix was identified and in place we get it into the production environment as quickly as possible. This often meant that security fixes were hotfixed against the release cycle instead of incorporated within it. It is generally good practice to deploy a security patch in isolation — i.e., not to add other, non-security bug fixes along with a security update. This is primarily to reduce the chances of re-introducing a security vulnerability if the patch is rolled back due to a non-security update that breaks functionality.

A less obvious side effect of hyper-growth, a long release cadence, and a mixture of technologies was an emerging “blocky” and inconsistent user experience (UX). As LinkedIn began to employ user research in the product development process, we found that many users felt the site was disconnected and that one page would look different from another. Because teams were releasing so far apart in cycles, the feedback loop for UI changes was

Figure 1 / Our former deployment process.

placing a strong and necessary emphasis on test-

Figure 3 / Pre-commit hook tool for scanning for potential XSS.
well, allowing the developer to focus more on writing code and verifying its functionality in the tests as opposed to just in the browser.

Security in depth

At LinkedIn, our security team performs in-depth design reviews including hands-on penetration tests for all member-facing products, features, and functionalities. We are also heavily invested in security automation. However, with the 3x3 deployment architecture, we couldn’t possibly scale manual penetration tests for all builds, resulting in a decision to double down on security automation. Once we find a class of vulnerability that can be detected with a high level of confidence, we build automation checks for that class. Our partner product-security engineering teams have helped in building, maintaining, and scaling such automation. This allows us to focus on more interesting areas of the application and underlying framework and provides us more time to research some in-depth vulnerabilities in those areas.

As we added API endpoints to the application, we needed a security analysis to prevent vulnerabilities from emerging. Previously, this process was operationally cumbersome, given the number of routes (paths to resources or URLs) per application and the number of applications in the system. Our security team built tooling to detect and notify us of any new changes made to an application, broken down by the nature of change (addition or deletion of an external API route, modification to key code of the application, etc.) to assist in the evaluation of each such commit to the application. This let us determine the state of an application since the last review. This allowed for targeted reviews, ensuring broader coverage and faster turnaround time for the assessment of our applications.

An established approach to security assessment is through the adoption of security in depth. We do not want to be in a situation where the failure of one particular security control results in the failure of the entire chain. We love to give developers the tooling they need to avoid introducing security vulnerabilities. Our product-security team built tooling to scan the code changes for potential vulnerabilities. If the tooling detects any anti-patterns or discouraged practices, it notifies the developer and suggests code fixes to allow the developer the opportunity to properly address the problem. Once past the code review process, the tooling again analyzes the code for changes and if it finds a potential vulnerability, it rejects the code at the pre-commit stage of the deployment pipeline, through the

but is also scanned with linters

an organization and has ushered
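The pre-commit tooling described above (and captioned in Figure 3) has a simple shape: look only at the lines a change adds, match them against a short list of discouraged DOM patterns, tell the developer what to use instead, and fail the commit if anything matches. The Python below is an added example of that shape, written for this page; it is not LinkedIn’s tool and none of its rules, suggested fixes or sample diff come from the article. The unified-diff parser, the four constructed rules and the constructed `src/profile.js` diff are all assumptions, and the narrow regexes are a stand-in for the parser-based analysis a production hook would need.

```python
"""Pre-commit style scan of added JavaScript lines for DOM XSS anti-patterns
(added example)."""
import re
import sys

# Constructed rules: (name, pattern, suggested fix). Patterns are deliberately
# narrow so the hook errs toward few false positives.
RULES = [
    ("innerHTML-assignment", re.compile(r"\.innerHTML\s*\+?=(?!=)"),
     "Assign with .textContent, or run the markup through an allow-list HTML sanitizer first."),
    ("document-write", re.compile(r"\bdocument\.write(ln)?\s*\("),
     "Build nodes with document.createElement/appendChild instead of document.write."),
    ("eval-string", re.compile(r"\beval\s*\("),
     "Do not evaluate strings; use JSON.parse for data or a function reference for dispatch."),
    ("jquery-html-setter", re.compile(r"\.html\s*\(\s*[^)'\"]"),
     "Prefer .text(), or pass only sanitized markup to .html()."),
]


def scan_lines(path: str, lines) -> list:
    """Return findings for the given (line_no, text) pairs of one file."""
    findings = []
    for no, text in lines:
        for name, pattern, advice in RULES:
            if pattern.search(text):
                findings.append({"file": path, "line": no, "rule": name,
                                 "code": text.strip(), "fix": advice})
    return findings


def added_lines_from_diff(diff_text: str) -> dict:
    """Parse a unified diff into {path: [(new_line_no, text), ...]} containing
    only added lines, so the hook judges the change rather than the whole file."""
    added, path, new_no = {}, None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            added.setdefault(path, [])
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            new_no = int(m.group(1))           # first line number in the new file
        elif raw.startswith("+") and not raw.startswith("+++"):
            added[path].append((new_no, raw[1:]))
            new_no += 1
        elif raw.startswith("-") and not raw.startswith("---"):
            continue                           # removed line: no new-file number
        elif raw.startswith("\\"):
            continue                           # "\ No newline at end of file"
        elif path is not None and not raw.startswith(("diff ", "--- ")):
            new_no += 1                        # unchanged context line
    return added


def check_diff(diff_text: str) -> list:
    """Scan only the added lines of JavaScript/TypeScript files in a diff."""
    findings = []
    for path, lines in added_lines_from_diff(diff_text).items():
        if path.endswith((".js", ".jsx", ".ts", ".tsx")):
            findings.extend(scan_lines(path, lines))
    return findings


# Constructed sample diff: one safe change and two risky ones.
SAMPLE_DIFF = """\
diff --git a/src/profile.js b/src/profile.js
--- a/src/profile.js
+++ b/src/profile.js
@@ -10,4 +10,7 @@ function render(user) {
   const card = document.getElementById('card');
-  card.textContent = user.name;
+  card.innerHTML = '<b>' + user.name + '</b>';
+  if (card.innerHTML === '') { return; }
+  card.textContent = user.name;
+  document.write(user.bio);
   return card;
"""

if __name__ == "__main__":
    results = check_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for f in results:
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['code']}\n    fix: {f['fix']}")
    sys.exit(1 if results else 0)              # non-zero exit rejects the commit
```

Piping `git diff --cached` into the script gives the pre-commit behaviour; the exit status is what the hook mechanism acts on, and the per-finding message carries the suggested fix so the developer can address the problem without leaving the editor, which is the workflow the article describes.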