How to push security earlier into the dev process

04.11.2015
A new crop of products is emerging that aim to implant security best practices and compliance checks as early and often as possible when new infrastructure is spun up in the cloud or when new applications are launched in a rapid development environment.

The idea behind these products is that security should be incorporated into the entire life cycle of resources being used or applications being developed. Some vendors contend that too often security assessments are either not performed, or they’re done too late in the process of managing resources and apps. Tools from companies like Amazon Web Services, Microsoft and Chef are all aiming to ensure security best practices are automatically enforced as early on in the process as possible.


Today Chef – the company that is best known for its automation software scripts – announced a new product named Chef Compliance. The service allows users to write a short script that will run tests to ensure various security best practices are being followed.

For example, a common one is requiring key-based authentication for access to a server or virtual machine rather than password-based authentication, which is more easily compromised. Using Chef Compliance, users can set up a script that automatically tests each new server or VM that is spun up to ensure that key-based authentication is being used. The system can be configured to send an alert if a server is found to be out of compliance with the test. There are a variety of different tests Chef Compliance can be configured to run on both applications and infrastructure. “The goal is to move from a moment in time security to continuous compliance checks of security,” says Chef’s Vice President of Business Development Ken Cheney. Compliance is offered as part of a bundle of premium features from the company, which runs $127 per node.
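As an added illustration, not Chef's code and not the Chef Compliance scripting format, the Ruby script below shows what the key-based-authentication test described above boils down to: it parses the global section of an sshd_config and flags any directive that would still allow password logins. The sample configurations, and the default values assumed for directives that are absent, are constructed for this example.

```ruby
# Added example, not Chef Compliance code: a minimal "is key-based SSH auth
# enforced?" check over an sshd_config text.

# Directives we require, the values considered compliant, and the value sshd
# assumes when the directive is absent (assumption: OpenSSH 6.x/7.x defaults;
# verify against the sshd_config(5) manual of the target release).
SSH_RULES = {
  'passwordauthentication'          => { ok: %w[no],  default: 'yes' },
  'pubkeyauthentication'            => { ok: %w[yes], default: 'yes' },
  'challengeresponseauthentication' => { ok: %w[no],  default: 'yes' },
  'permitrootlogin'                 => { ok: %w[no prohibit-password without-password],
                                         default: 'yes' },
}.freeze

# Parse the global section of an sshd_config into { lowercase keyword => value }.
# sshd honours the *first* occurrence of a keyword, and everything after a
# `Match` line applies only to matching connections, so we stop there.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    keyword, value = line.split(/\s*=\s*|\s+/, 2)   # "Key value" or "Key=value"
    break if keyword.casecmp('match').zero?         # per-connection overrides follow
    settings[keyword.downcase] ||= value.to_s.strip.downcase   # first one wins
  end
  settings
end

# Evaluate the rules against parsed settings; an empty list means compliant.
# A directive that is merely absent is reported too, since the default that
# then applies (e.g. PasswordAuthentication yes) is what an attacker gets.
def ssh_findings(settings)
  SSH_RULES.each_with_object([]) do |(key, rule), findings|
    actual = settings.fetch(key, rule[:default])
    next if rule[:ok].include?(actual)
    source = settings.key?(key) ? 'set' : 'defaulted'
    findings << "#{key} is #{source} to '#{actual}', expected one of #{rule[:ok].join('/')}"
  end
end

def ssh_key_auth_compliant?(config_text)
  ssh_findings(parse_sshd_config(config_text)).empty?
end

# Constructed sample configs (not taken from any real host).
COMPLIANT_SSHD = <<~CONF
  # hardened baseline
  Protocol 2
  PubkeyAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  PermitRootLogin no
  # narrowed exception below does not change the global policy
  Match User deploy
      PasswordAuthentication yes
CONF

NONCOMPLIANT_SSHD = <<~CONF
  PubkeyAuthentication yes
  # PasswordAuthentication never set, so sshd's default of 'yes' applies
  PermitRootLogin yes
CONF

if __FILE__ == $PROGRAM_NAME
  { 'compliant' => COMPLIANT_SSHD, 'noncompliant' => NONCOMPLIANT_SSHD }.each do |name, conf|
    findings = ssh_findings(parse_sshd_config(conf))
    puts "#{name}: #{findings.empty? ? 'PASS' : 'FAIL'}"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

The point of reporting absent directives is that a freshly provisioned image usually has no explicit `PasswordAuthentication` line at all, and the check must fail on the default rather than on what the file happens to say; in a real deployment the same function would be pointed at `/etc/ssh/sshd_config` on each new node and the non-empty findings list would drive the alert the article describes.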

AWS announced a similar service at its re:Invent conference this fall. Amazon Inspector is an automated security assessment service that scans for security vulnerabilities or deviations from best practices. Users deploy an Inspector agent in their AWS environment and choose from a library of tests Inspector can run against it. Inspector creates a prioritized list of the security issues found, plus recommendations for how to fix them. It can be configured, for example, to check that the most up-to-date and patched versions of software, such as operating systems, are in use. It can check all Elastic Compute Cloud (EC2) instances to ensure the settings governing who can access them and what they can be used for are in place. Inspector is currently in a limited preview.

Shortly before AWS re:Invent, where Inspector was launched, Microsoft announced a new Security Center for its Azure public cloud, which allows similar security assessments to be performed. Products like Microsoft’s Security Center and Amazon Inspector integrate with products from third-party vendors like Evident.io and Trend Micro, which do similar, and in some cases deeper, security testing.

“We’ve long talked about the importance of baking in security by default, rather than bolting on later,” 451 Research Senior Analyst Adrian Sanabria wrote in an email. Traditionally this has been done by getting a security team involved in software development projects as early as possible. The big change recently is that the process of integrating security into the application development process can now be automated. “With continuous delivery models, where software is sometimes released daily or several times a day, this is an absolute necessity.”

(www.networkworld.com)

Brandon Butler