DevOps ignoring security code quality

Research highlights the incongruous approach of code development and the business with regard to security.

Wednesday, 10th August 2016, by Phil Alsop
TVP Strategy (formerly The Virtualization Practice) reports that DevOps is failing to mitigate security flaws in code quality, in a finding from its current ongoing research on secure agile cloud development architecture and process. TVP Strategy’s research investigates how to add automated security to continuous integration and deployment without changing what developers do, thereby regaining code quality and improving DevOps.
 
This research provides a reference architecture that enables businesses to retain a grasp on code quality by advising on steps for maintaining code security. “In many cases, we have observed that DevOps is egregious at identifying security flaws in its penchant for rapidly releasing code,” commented Edward L. Haletky, CEO and Principal Analyst, TVP Strategy. “Our research provides best practices and a non-judgmental approach to code quality that delivers long-term business benefits.”
 
TVP Strategy has worked with DevOps domain experts, such as Andi Mann, to peer-review their research to ensure it meets the demands of both the business and development. “While DevOps helps drive agility, velocity, and more, it is often too easy for DevOps teams to overlook application security. So, I am excited that this research provides pragmatic recommendations on using data analytics to help ensure code quality and application security,” stated Andi Mann, Chief Technology Advocate, Splunk.
 
The research discusses four key areas:

• Code quality metrics – Measuring the adherence of code to security, performance, and compliance policies using automated static and dynamic processes.
• Single pool of data – The business interprets the same data differently than development does, thus creating a dichotomy between development and operations. TVP Strategy suggests adopting a methodology that provides the same view in order to enable the same interpretation, therefore removing “finger pointing”.
• Breach detection – Knowing all the decisions made to push out a code change makes it possible to add data on these decisions to breach detection, aiding efforts to determine exactly what changed to allow the breach. This architecture shows where to place logging to capture these decisions, both human and machine.
• The cost to businesses of security flaws, such as API leakage – These costs can result in significant losses for businesses. The architecture shows how to feed costs and threats into automated continuous analytics.
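The "breach detection" and "code quality metrics" areas above are easier to picture with a concrete decision log. The following Python is an added example, not TVP Strategy's reference architecture or any tool it names: it assumes that every pipeline gate (static scan, dynamic scan, human approval, deployment) appends one JSON record, then uses those records to tie a detected breach back to the changes that shipped in the lookback window, to flag changes where a human overrode a failed automated gate, and to compute a single adherence figure that both the business and development can read from the same data. The record fields, actor names and the sample log are all constructed for the example.

```python
"""Added example: a structured decision log for a CI/CD pipeline, with a
breach-time lookup over it. Field names and sample records are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON record per decision, human or machine.
# c102 shipped after a failed static scan was overridden by a person.
SAMPLE_LOG = """
{"ts": "2016-08-01T09:00:00", "change": "c101", "actor": "sast-bot", "kind": "machine", "decision": "pass", "detail": "0 high findings"}
{"ts": "2016-08-01T09:05:00", "change": "c101", "actor": "dast-bot", "kind": "machine", "decision": "pass", "detail": "no API leakage"}
{"ts": "2016-08-01T09:10:00", "change": "c101", "actor": "alice", "kind": "human", "decision": "approve", "detail": "release"}
{"ts": "2016-08-01T09:12:00", "change": "c101", "actor": "deployer", "kind": "machine", "decision": "deploy", "detail": "prod"}
{"ts": "2016-08-02T14:00:00", "change": "c102", "actor": "sast-bot", "kind": "machine", "decision": "fail", "detail": "1 high: secret in config"}
{"ts": "2016-08-02T14:20:00", "change": "c102", "actor": "bob", "kind": "human", "decision": "override", "detail": "hotfix, fix later"}
{"ts": "2016-08-02T14:22:00", "change": "c102", "actor": "deployer", "kind": "machine", "decision": "deploy", "detail": "prod"}
{"ts": "2016-08-03T10:00:00", "change": "c103", "actor": "sast-bot", "kind": "machine", "decision": "pass", "detail": "0 high findings"}
{"ts": "2016-08-03T10:05:00", "change": "c103", "actor": "carol", "kind": "human", "decision": "approve", "detail": "release"}
{"ts": "2016-08-03T10:07:00", "change": "c103", "actor": "deployer", "kind": "machine", "decision": "deploy", "detail": "prod"}
"""


def parse_log(text):
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def deploy_times(events):
    """Map change id -> time of its last 'deploy' decision (when it reached prod)."""
    out = {}
    for e in events:
        if e["decision"] == "deploy":
            out[e["change"]] = e["ts"]
    return out


def changes_in_window(events, breach_seen, lookback):
    """Changes deployed within `lookback` before the breach was first seen, newest first."""
    start = breach_seen - lookback
    hits = [(ts, c) for c, ts in deploy_times(events).items() if start <= ts <= breach_seen]
    return [c for _, c in sorted(hits, reverse=True)]


def decision_trail(events, change):
    """Every human and machine decision recorded for one change, in order."""
    return [(e["actor"], e["kind"], e["decision"], e["detail"])
            for e in events if e["change"] == change]


def overridden_changes(events, changes):
    """Changes where a human override followed a failed automated gate."""
    flagged = []
    for c in changes:
        gate_failed = False
        for _, kind, decision, _ in decision_trail(events, c):
            if kind == "machine" and decision == "fail":
                gate_failed = True
            elif gate_failed and kind == "human" and decision == "override":
                flagged.append(c)
                break
    return flagged


def policy_adherence(events):
    """Share of deployed changes that shipped with no failed gate and no override."""
    deployed = deploy_times(events)
    if not deployed:
        return 0.0
    clean = sum(
        1 for c in deployed
        if not any(d in ("fail", "override") for _, _, d, _ in decision_trail(events, c))
    )
    return clean / len(deployed)


def investigate(text, breach_seen_iso, lookback_days=2):
    """Build the report an incident responder would want: suspects, overrides, trails, metric."""
    events = parse_log(text)
    breach = datetime.fromisoformat(breach_seen_iso)
    suspects = changes_in_window(events, breach, timedelta(days=lookback_days))
    return {
        "suspects": suspects,
        "overrides": overridden_changes(events, suspects),
        "trails": {c: decision_trail(events, c) for c in suspects},
        "adherence": policy_adherence(events),
    }


if __name__ == "__main__":
    # Breach first observed on 3 August at noon; look back two days.
    print(json.dumps(investigate(SAMPLE_LOG, "2016-08-03T12:00:00"), indent=2, default=str))
```

Because every gate writes to the same log, the same `adherence` number is what the business sees as a quality metric and what development sees as a release-gate score, which is the "single pool of data" point; the `overrides` list is the first thing to pull when a breach window lands on a change that a person waved through.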