Addteq's Founder, Sukhbir Dhillon, had the opportunity to guest speak during Electric Cloud's web series, Continuous Discussions (#c9d9). This week's subject was DevOps and Security. See the link for a full recap and to learn more about Continuous Discussions.
Continuous Discussions (#c9d9) is a web-series of community panels about Agile, Continuous Delivery and DevOps. Continuous Discussions is a community initiative by Electric Cloud, which powers Continuous Delivery at businesses like SpaceX, Cisco, GE and E*TRADE by automating their build, test and deployment processes.
During the discussion, Sukhbir and the other panelists were asked the main question that framed the episode: "How do you secure your code, your environments, your processes, improving visibility and compliance within a DevOps framework?" From there the discussion took off, and each panelist had the opportunity to weigh in, favorably or critically, on each topic.
One of the first and most important steps in securing your code is centralizing your libraries. Teams should realize that applying security checks to dependencies pulled from hundreds of separate sources is far harder and more time consuming than applying them to dependencies served from one central repository.
Sukhbir mentions that "...if the libraries are not coming from a common central location, where you author the security rules, you will always have these problems."
Sonatype Lifecycle helps standardize your libraries. Serving your libraries through a repository manager such as Sonatype Nexus saves time, because the security policies you have configured are applied automatically as artifacts pass through it. If all libraries come from one central location and are run through one security platform with the rules already specified, the whole check is automated for you.
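As an added illustration of the "one central location" idea (this is not configuration from the panel or from Addteq), the Maven `settings.xml` below forces every dependency request through a single repository manager, so nothing is fetched directly from the public internet and every artifact passes the manager's policies. The hostname `nexus.example.com` and the group path `repository/maven-public/` are assumptions for the example; the group name is the default public group in Nexus Repository 3, but your instance may use a different one.

```xml
<!-- ~/.m2/settings.xml (added example, not from the original post) -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <mirrors>
    <mirror>
      <!-- mirrorOf "*" redirects ALL repositories declared in any POM,
           including Maven Central, to the central repository manager. -->
      <id>central-nexus</id>
      <name>Company repository manager (assumed hostname)</name>
      <mirrorOf>*</mirrorOf>
      <url>https://nexus.example.com/repository/maven-public/</url>
    </mirror>
  </mirrors>

  <!-- Credentials for the manager; keep these out of version control
       and prefer an encrypted settings-security.xml master password. -->
  <servers>
    <server>
      <id>central-nexus</id>
      <username>${env.NEXUS_USER}</username>
      <password>${env.NEXUS_PASSWORD}</password>
    </server>
  </servers>
</settings>
```

The practical check is to run a build with outbound access to `repo.maven.apache.org` blocked at the firewall: if the build still resolves every dependency, all traffic really is going through the one location where your security rules live; if it fails, some POM or plugin is bypassing the mirror and should be fixed before the scanning policy can be trusted.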
Securing your environment can mean many different things to different people, but there is one thing that helps every team. If your team integrates all of its systems behind a single identity and secret store, each person maintains one strong credential instead of dozens of weak ones scattered across applications. Centralizing credential storage in one place is a DevOps approach to properly securing your environment. Sukhbir suggested updating your password practices by "using a Docker based deployment system, so your team has the read-only artifact which cannot be modified, which means your environment is secure from that perspective, and your team can use a variety of other tools like Puppet, Chef or Ansible, which manage the changed objects, and avoid using crazy amounts of passwords, which is why people usually put them on sticky notes."
The last part of securing your environment and your code seems like somewhat of a no-brainer. At Addteq, the developers take turns hacking their own code. Once a change is complete, but before it is merged, the team works together to attack that code and find any security issues, loopholes or hidden problems. "We simply tell everyone that whoever finds the most vulnerabilities in a code, they get rewarded. We bring pizza, beers and everyone is happy that they are trying to do something different," explains Sukhbir.
Addteq has noticed that this internal hacking exercise pushes developers to write stronger code. No one wants their code on blast the next time the team decides to hack internally, and stronger code means fewer security issues.