DevOps, a combination of the words ‘development’ and ‘operations’, has come to mean a lot of different things. It can describe a movement, a cultural shift, or any new practice that emphasizes the role of collaboration and communication between software developers and other IT professionals, such as the system administrators who will be overseeing the operations and security of the programs that developers create. In general, DevOps also includes automation as part of its deployment to help speed things along.
It was not surprising that DevOps scanning tools made Gartner’s list of hot cybersecurity product groups, because as DevOps continues to evolve, it has taken on a greater role in terms of security. Within cybersecurity, deploying DevOps generally involves fixing errors and vulnerabilities in a program’s code while it is still being written.
Prior to DevOps, developers often would create a program, which could consist of thousands or even millions of lines of code, and then give it to IT teams to deploy. Then IT teams would be faced with dealing with the fallout from things like zero-day exploits, code vulnerabilities or even errors in how the program operated. Most of the time, code would then be sent back to the developers to be reworked and fixed, a lengthy process that might create even more errors or security vulnerabilities. This inefficient process also tended to hide cybersecurity vulnerabilities, which sometimes only came to light after an attacker exploited them.
Writing code using a DevOps process is different. Following those wise old sayings like “measure twice, cut once,” or “a stitch in time saves nine,” writing code using DevOps means finding and fixing errors as the program is being created — long before the deployment phase. In an ideal world, the final code delivered to IT teams for deployment is, thus, free from errors or vulnerabilities.
But that level of success, where the final code is both secure and error-free, is not easy to achieve. While various tools exist to handle the different parts of the DevOps chain, it normally takes an experienced integrator to link them together, add automation, and keep everything running smoothly over time. For this review, InfoZen was brought in to create a fully end-to-end DevOps scanning solution using their InfoZen Cloud and DevOps Practice service. The company is currently offering the same type of services for several federal agencies.
Putting DevOps scanning to the test
For this test, an extremely simple website was constructed to use as an example of a program or project where DevOps could be applied. In truth, the program was so simple that it was unknown if there would be any vulnerabilities lurking in the code. It basically asked users what they wanted for lunch and then gave several choices of restaurants in the area, displaying information like menu items for whichever one was selected.
As part of the InfoZen service, the company provides recommendations about which programs should be implemented as part of the new DevOps-based procedures. In this case, several were chosen including Atlassian Bitbucket for code versioning, Atlassian Bamboo for continuous integration and deployment, PHPUnit for unit testing and CheckMarx for static code analysis. A real strength of the InfoZen approach is that the best tools can be applied to the specific situation, and then integrated to create a fully end-to-end DevOps environment.
The first thing that was discovered was that the seemingly simple test program was vulnerable to a Java exploit. Sure enough, testing it out, an attacker could easily inject new code and create an alert pop-up on a user’s screen. The tools provided by InfoZen explained the problem, highlighted which lines in the code were responsible, and even recommended a fix.
That is a powerful tool, but InfoZen went beyond that, implementing automation so that any future errors were immediately flagged. As part of the new DevOps process, whenever new code was added to the program, such as a new restaurant choice in this case, the code was automatically scanned, and the developers were instantly alerted if their work was creating a new security hole or code error. The entire process was recorded in case an audit was later required, which also enables supervisors to check the work of their mainline coders.
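To make the finding and the fix described above concrete, here is an added PHP example; it is not the test site's code or InfoZen's, and the restaurant list, the function names and the payload are all constructed for illustration. It shows the unescaped reflection a static analyser flags, the encoded and allowlisted version it would recommend, and the check a unit test could run on every commit.

```php
<?php
// Added example, not code from the review's test site. It models the lunch-picker page:
// a restaurant name arrives in the query string and is echoed into the menu heading.
// $menus, renderMenuVulnerable, renderMenuSafe and checkReflection are assumed names.

// Constructed sample data standing in for the site's restaurant list.
$menus = [
    'Taco Stand' => ['Carnitas taco', 'Veggie burrito'],
    'Noodle Bar' => ['Pho', 'Dan dan noodles'],
];

// The "before" shape: user-controlled input is written straight into HTML.
// A static analyser reports the heading line, since $_GET data reaches output unescaped.
function renderMenuVulnerable(array $menus, string $choice): string
{
    $items = $menus[$choice] ?? [];
    $html  = "<h1>Menu for $choice</h1><ul>";
    foreach ($items as $item) {
        $html .= "<li>$item</li>";
    }
    return $html . '</ul>';
}

// The fix: reject names that are not in the known restaurant list, and HTML-encode
// anything that is reflected back to the browser.
function renderMenuSafe(array $menus, string $choice): string
{
    if (!array_key_exists($choice, $menus)) {
        return '<p>Unknown restaurant.</p>';
    }
    $enc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<h1>Menu for ' . $enc($choice) . '</h1><ul>';
    foreach ($menus[$choice] as $item) {
        $html .= '<li>' . $enc($item) . '</li>';
    }
    return $html . '</ul>';
}

// Regression check of the kind a PHPUnit test would run on each commit:
// the old version reflects the constructed script tag, the fixed version must not.
function checkReflection(array $menus): bool
{
    $payload = '<script>alert(1)</script>';
    $bad     = renderMenuVulnerable($menus, $payload);
    $good    = renderMenuSafe($menus, $payload);
    return str_contains($bad, '<script>') && !str_contains($good, '<script>');
}

$choice = $_GET['restaurant'] ?? 'Taco Stand';
echo renderMenuSafe($menus, $choice);
```

Run under PHP 8 (str_contains and arrow functions); checkReflection returns true when the vulnerable renderer reflects the tag and the safe one encodes it.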
InfoZen can install their recommended tools and the automation tying them all together on local machines or in the cloud. Pricing uses a subscription model based on the number of users participating in the DevOps environment. There are no restrictions on how much the subscribed users can use the tools, and training in the new DevOps methods and processes is also available.
Even within the admittedly tiny test environment, the benefits of the InfoZen toolset and automatic processes were obvious. Multiplied into environments with hundreds of developers or millions of lines of code, the benefits would only increase. DevOps, when deployed correctly and accurately using the InfoZen practice, can come a good deal closer to ensuring that no program is ever implemented with unknown errors or hidden security vulnerabilities. This would save a lot of time, and potentially money, for any organization that does its own coding, while also strengthening overall cybersecurity through automatic DevOps processes.