Is Security a Growth Catalyst for DevOps?

By David Mytton,

CEO & Founder of Server Density.

Published on the 20th August, 2015.

Security comes from the Latin route sēcūrus. It means free from care. Some adjectives associated with this word are untroubled, fearless, and composed.

Security provides a safe space for humans to stretch their imagination and be as creative as they can. It allows for growth.

It also allows for focus. For small companies like ours, security unfetters our potential to improve our product and serve our customers.

Good security is not an add-on, a feature or a separate effort. It is an essential building block of our work. And that should be reflected in everything we do, including our people, our infrastructure, our technologies and our product.

Let’s start with people.

The Role of People

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” Bruce Schneier.

All fourteen collisions with Google’s self driving cars were caused by human error, according to Google. The drivers involved in those accidents were all distracted. It turns out that humans are the weakest link when it comes to safe systems.

There are a number of ways we approach (and mitigate) this risk. To begin with, we try and have as many “eyes on the code” as possible.

As part of our code review and deployment process we test each other’s code and try to break it. We are a small and tightly knit team, which is great. But we don’t know it all.

To reduce the risk of blind spots and confirmation bias (we are only human!), we work with independent security consultants who inspect our product (and code) on a regular basis.

Another resource we are looking into (but haven’t leveraged yet) is the specialised skillsets of the crowd. There are some compelling platforms for bug bounty and bug reporting out there. Large companies, like Google and Tesla, and smaller ones, like LastPass and Drupal, have used this for awhile.

Now let’s turn our attention to technology, and how we can secure it.

Multi Factor Authentication

Multi Factor Authentication (MFA) requires the user to authenticate using something they physically have with them before they can log in. It’s the only way to protect against account hijacking.

We use MFA internally as much as we can. For example, we enforce Google authenticator for Gmail, Google Drive and all our Google Apps.

We also encourage all our customers to activate MFA for their Server Density account:

Encryption

Our computers are full-disk encrypted (we use Filevault, PGP Full Disk Encryption or Espionage, depending on the OS). We also encrypt some of our email communications with GnuPG, one of the tools that Edward Snowden used to protect his communications about the NSA.

Up to Date Software

We make sure we are always running the latest bug fixed versions of all installed software we use. This includes web browsers, messaging clients, OS components and the OS itself.

Web Browser

We like Google Chrome for its tight integration with Google Apps but also for its auto-update feature which keeps the browser secure.

We are not big on browser add-ons. Click-to-play is an exception as it helps us prevent browser plugin vulnerabilities (Flash and Java in particular). We also use this Chrome extension to protect against phishing on our Google accounts.

We also recommend Fluffify, our very own Chrome extension. It won’t make you any more secure, but it will keep you sane.

Passwords

The second law of thermodynamics states that entropy always increases with time. When it comes to guessing passwords however, time always increases with entropy.

Password entropy is a measurement of how unpredictable a password is.

Our passwords are at least 20 characters long. They comprise a mix of upper and lower case characters including numbers, letters and symbols. They are also unique for each system, which means if one system is compromised, others will not follow suit.

We keep offsite and easily accessible backups of all our passwords (using tools like 1Password) to allow for easy reset of all account passwords in the event of a breach.

We never share passwords. Each of us has our very own set of credentials. This helps us deal with red-flag scenarios. Like revoking employee privileges when they leave. Or auditing who accessed a particular server or database.

Least Privilege

According to the principle of least privilege, every process or user should only be able to access the resources they need. User administration is a key component of our product:

Secure Data Flows

For Server Density to work we ask our customers to install a lightweight agent on their server. All this does is collect various system metrics and constantly report back.

A deliberate restriction is that data only can only travel one way: from the client server to ours. That rules out any possibility for remote execution.

From that point everything is encrypted. In fact, encrypted post backs are the only option.

We use ports that are usually already open (HTTPS port 443) which means there is no need to configure anything new. No root access required either. And because our agent is open source, our customers have full visibility of what is running at all times.

Summary

“Amateurs hack systems, professionals hack people.” Bruce Schneier

We don’t think security is a mere feature, and it shouldn’t be treated as such. At its best, security is an essential building block of the product, the team, and everything a company does.

From sending data, provisioning access to their systems and storing internal passwords, DevOps teams should take all reasonable precautions to keep confidential data safe and available.

Having secure systems affords companies the stability and peace of mind they need to be creative, grow, and serve their customers.

What about you? What industry best practices do you follow?