Configuration & Security Management for DevOps

Posted by Mike Baukes

Configuration testing should not only be an essential step in the overall development process, but also important in the process of installation of new apps for use on web and application servers. Without proper testing, apps can often fail or be open to vulnerabilities. Exposure to attack by hackers or viruses can lead to needless expenses and excessive time spent correcting these problems. It is not unusual for app developers to overlook the need for configuration testing, because they think that using automated methods like Chef, Puppet, or other systems to test the deployment of their products, will work just fine. They feel that by using these fully automated processes, they can test consistency, reproduce outputs adequately and determine if things are working as predicted or not. This kind of thinking can delay a timely product delivery, produce unnecessary costs and create additional workloads to address vulnerabilitiesthat can occur later in production.

Why Automated Testing Isn't Enough

Automated test suites are just that -- automated. These tools are generic and are not designed to really know your product or actually be able to detect flaws based on any problems that might occur. These automated test methods lack the ability to emulate different changes that might show up that are pertinent to your particular app and configuration. Problems can occur due to firewall changes, security configuration changes or from patch code changes that are implemented as a quick fix to a problem.

The whole process of developing a software app requires complex and time-consuming processes like planning, building, testing, and deploying your product. One of the most important aspects of development is security testing during the deployment stage. Traditional means do exist to test authentication and authorization techniques, along with password protection, on the front end. Developers may have the knowledge of what security needs to be implemented and tested on the initial source code for the application, but they may not have the necessary knowledge for testing the application under a complete integrated system or operational environment. For example, they may not have knowledge about a server that hosts the web application, or whether a valid SSL certificate is required for a secure configuration, or how a change to firewall might effect security concerns. Testing configuration issues is a major characteristic of security testing and should be implemented to prevent potential attacks.

Case for Everyone to Be Part of the Process

Even the most sophisticated security tools cannot compete against an experienced security tester, someone who knows the security issues for the system including the root cause of the security breach, testing technique to find the cause, remedies or countermeasures necessary to fix it. Using someone or a method that doesn't test or know your security issues will only result in giving you a false sense of security.

For example, when a developer issues a patch to solve a coding problem, how do you know that it is clear how to use the patch, whether the patch is easily accessible to be implemented or how the patch effects other components? Often these patches or changes are made and fail to be readily communicated to others or never implemented successfully. Configuration testing ensures that all changes are readily accessible, easily integrated with current systems and requirements and that everyone involved in the process is kept up to date at all times.

Each Team Has Its Place in the Process

Your teams should work independently using their skills in the various stages by offering inputs about what they know best. The development team should concentrate on the build for the application; while security team should focus on security testing and your operations teams should be responsible for compliance and validation process. By implementing testing methods, where everyone has a say so in the process that they have full access to, bugs can be eliminated and changes can be implemented smoothly for their particular area of responsibility. When configuration and security issues arise, the development team should not be required to learn new code or test new frameworks. The security team can play an important role in protecting the contents of the site and can be responsible for requirements for the web server or application server configuration. The system administrator has the necessary knowledge to know how a server should be configured and the common guidelines which should be taken into account. When this knowledge is applied early in the process, problems and vulnerabilities can be addressed early on and can often cost less to implement.

Last But Not Least: Need for Sharing

Teams will be able to collaborate on their configuration testing ideas and share in the individual and overall configuration testing responsibilities. Everyone will benefit; duplicate efforts are eliminated, systems configuration is defined and information readily documented, communication and collaboration are readily improved, and time and money spent are reduced to achieve efficient results with each change implemented. Using configuration testing ensures that adequate communication, monitoring, and documentation of the app development is readily available to all team members. Communication between teams will foster thinking "outside of the box". Normally, use cases for good security would test only what one might expect would happen. Seldom would an automated method really test unusual cases which would break the application or cause an app to fail in an insecure manner. Since automated methods often fail to catch these out of the ordinary cases, it is imperative that organizations consider other cases that arise by using creative thinking techniques. Creative thinking can often help determine what may cause an application to fail and how to help avoid or solve any problems in advance.

Using UpGuard you will be assured that your teams will be able to define, share, and run the correct configuration tests to ensure the quality to meet your company's goals. Using the correct configuration testing can virtually close the gap on future security risk costs, by addressing them before there is a problem. You can speed up time for releasing your products without sacrificing quality or performance by using configuration testing and implementing continuous integration as part of your teams release management strategy

WHAT'S THE DEAL WITH SECURITY AND DEVOPS?

Topics: configuration testing

UpGuard Customers