Managing security and privacy within DevOps

IT Insights
A service of Microsoft IT Showcase
June 2015
As Microsoft IT continues to transform across disciplines, processes, and
technologies to embrace the DevOps culture, a new engagement model for
managing security and privacy is needed to save time and money and to
create more secure software.
Executive summary
DevOps is the practice of software engineers and operations professionals working together
through the software development, production, and support lifecycle. When teams embrace the
DevOps culture, their software development lifecycle evolves from the waterfall model to a more
agile approach, and keeping security compliance in step with that faster cadence has become an
industry-wide challenge. The Microsoft IT Information Security & Risk Management (ISRM) team is
moving security and risk management upstream by developing a process in which it gets involved
earlier in the software development lifecycle. The solution includes industry-leading tools for
static and dynamic analysis as well as infrastructure scanning.
Challenges and benefits
The current engagement model between Microsoft IT development teams and ISRM (in other words,
the status quo) faces a number of challenges also seen across the industry. These include engaging
security and privacy too late in the lifecycle and the added complexity that DevOps and agile
development introduce. Developers are also writing software for increasingly diverse deployment
environments, which widens the attack surface. Fortunately, the new engagement model offers a
number of opportunities and solutions.
Industry challenges
Across the industry, development teams often wait until too late in the software development process
to engage security experts and incorporate security and privacy measures. Once the release date is
close, it is too late to run a meaningful security and privacy assessment, yet many teams still engage
at exactly that point. The result is considerable expense and time spent fixing vulnerabilities that
would have been far cheaper to address earlier.
Today’s developers also rely on increasingly diverse hardware and software form factors, such as
mobile phones and tablets, which in turn create a dependence on distributed architecture and,
consequently, more areas for security and privacy vulnerability.
Software development in industry has also moved to the adoption of DevOps, the collaboration between
software engineers and operations, which results in multiple releases in a shorter time using agile
processes. Traditional security and privacy review processes can hold up these faster release cycles
and potentially delay launches, which shows that a new security engagement model is needed in the
agile world of DevOps.
Benefits of the new engagement model
The benefits of the new engagement model are straightforward:
• Improving end-to-end security coverage by strategically planning, implementing, and deploying
  security processes.
• Deploying faster to production, saving time without compromising security or privacy.
• Saving time and money by fixing security and privacy issues during the development process.
• Positioning ISRM to support application teams operating in DevOps.
• Enabling development teams to independently execute security and privacy testing activities.
• Moving security and risk management upstream, allowing security teams to engage early.
Defining the new engagement model
In both the waterfall and agile development processes, software development occurs in phases.
Currently, at Microsoft and throughout the software industry, security engagement requests tend to
occur around the test/build phase. Because of the timing, security and privacy assessment often
causes a bottleneck. The optimal time to engage a security organization such as ISRM is actually
during or before the project begins. That is the purpose of the new engagement model, shown in
Figure 1.
Figure 1. The new engagement model between ISRM and the application team
When embracing the new culture of DevOps, organizations must change how they look at integrating
security and privacy into the development process. In the past, requiring each software release to
follow the Security Development Lifecycle (SDL) made sense, as applications only shipped once or
twice a year. With more frequent releases using the agile model, a more balanced approach to
managing security and privacy is needed to maintain the agility of engineering teams.
The two basic principles of the new engagement model are to:
• Integrate security and privacy in the early phases of the project, and
• Automate detection of vulnerabilities in the later phases as much as possible.
Strategic phase
The strategic phase of the new engagement model consists of three software development
activities—inception, planning, and design. ISRM engages the development team from the inception
phase of the project onward. The security team works with the application team to address strategic
security and privacy controls proactively, including authentication, authorization, privacy, and so on.
This phase occurs on a quarterly cadence.
During the strategic phase, ISRM supports the application team with the following activities:
Training
ISRM hosts technical training sessions that teach the application-development team the security and
privacy requirements, security guidance for emerging technologies, and lessons learned from industry
security incidents. ISRM also ensures that the development team understands how to operate the
industry-standard tools used during the tactical phase of the model.
RoB participation
ISRM participates in Rhythm of the Business (RoB) meetings to learn the core business processes and to
understand the application requirements of the business. These meetings are a Microsoft initiative
designed to improve efficiency, communication, and performance across business groups worldwide.
This is one of the key ways ISRM moves security and risk management upstream: by fully
understanding the operations of the business before requirements are fixed.
Integrate requirements
ISRM integrates security and privacy requirements with the business application requirements so that
they are tracked and delivered together rather than bolted on later. This is another key area where
ISRM moves security and risk management upstream, by helping business stakeholders understand the
risk factors that correspond to their application requirements.
Define self-attestation activities
ISRM works to help verify that the application development team is capable of self-attestation—
confirming that their software development methodology is secure—and helps them design a custom
set of activities that will enable them to self-attest in the future. It is important to note that more
scrutiny needs to be in place for any application that must comply with regulations such as the
Sarbanes-Oxley Act (commonly referred to as SOX compliance).
Threat modeling
ISRM explores real-life scenarios with the application team to ensure that the application stands up to
security and privacy requirements. The application team responds to the threat modeling exercise
output by integrating any recommended countermeasures.
At the end of the strategic phase, if all goes well, ISRM will sign off on the application and enable the
team to move to the tactical phase. There they can begin their agile sprints and become trusted over
time.
Tactical phase
The tactical phase of the new engagement model consists of three activities—define, develop and
verify, and deploy. This phase is untrusted by default. By incorporating security and privacy into agile
development, the application teams become trusted over time based on their compliance with
security activities. The development teams earn trust by using the tools listed below and through the
pre-defined self-attestation activities from the strategic phase, which, in turn, show evidence of
reduced security vulnerabilities over time. The teams also address a number of tactical security
controls related to application code such as input validation, output encoding, and data handling.
Configuration management vulnerabilities and infrastructure security hygiene are also addressed at
this stage.
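The tactical controls named above (input validation, output encoding, data handling) are the ones the SAST and DAST tools in the next section are looking for. The following is an added example, not code from the Microsoft IT article or from ISRM, showing a deliberately vulnerable page renderer beside its hardened form. The profile page, the display-name allowlist, and the field names are assumptions chosen for illustration.

```python
"""Input validation and output encoding for a web page fragment.

Constructed example (not from the article). The user-profile page and its
fields are assumed; the point is where validation applies and where encoding
applies, because they are not interchangeable.
"""
import html
import re
from urllib.parse import quote

# Allowlist for a display name: letters, digits, space, and a few punctuation
# marks, capped at 40 characters. Reject on mismatch; do not try to "clean" it.
_DISPLAY_NAME = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")


def is_valid_display_name(value: str) -> bool:
    """True when the whole value matches the allowlist (fullmatch, not search)."""
    return _DISPLAY_NAME.fullmatch(value) is not None


def validate_display_name(value: str) -> str:
    """Input validation: fail closed on anything outside the allowlist."""
    if not is_valid_display_name(value):
        raise ValueError("display name contains disallowed characters or is too long")
    return value


def render_profile_unsafe(name: str, bio: str) -> str:
    """Vulnerable form: untrusted strings are concatenated into HTML unchanged,
    so a bio of '<script>...</script>' executes in every viewer's browser."""
    return f"<h1>{name}</h1><p>{bio}</p>"


def render_profile(name: str, bio: str) -> str:
    """Hardened form: validate fields that have a known shape, and HTML-encode
    every untrusted value at the point it is written into the HTML context."""
    safe_name = html.escape(validate_display_name(name), quote=True)
    # Free text has no usable allowlist, so encoding at output is the control.
    safe_bio = html.escape(bio, quote=True)
    return f"<h1>{safe_name}</h1><p>{safe_bio}</p>"


def build_search_link(base: str, query_value: str) -> str:
    """Context-specific encoding: a value placed in a URL query string needs
    percent-encoding, which is a different transform from HTML escaping."""
    return f"{base}?q={quote(query_value, safe='')}"


def contains_active_content(rendered: str) -> bool:
    """Crude check for the demonstration: is a raw script tag still present?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print(render_profile_unsafe("alice", payload))  # tag survives intact
    print(render_profile("alice", payload))         # tag rendered as text
    print(build_search_link("https://intranet.example.com/search", "a b&c"))
```

The split matters in practice: validation belongs where the data enters and only works for fields with a defined format, while encoding belongs where the data leaves and must match the output context (HTML body, attribute, URL, JavaScript). A scanner will typically flag the unsafe renderer as a reflected or stored cross-site scripting finding and stay quiet on the hardened one.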
To truly embrace DevOps and empower the engineering community through automation, ISRM is
arming the application teams with the most effective tools to help identify and remediate security
issues in the application during development. The development teams use the following tools
throughout each agile sprint:
SAST tool
The static application security testing (SAST) tool performs white-box testing of the source code and
runs automatically during every build. Results are collected centrally, so ISRM can see which findings
are open across teams while the application team fixes them and continues to deploy. Please refer to
Critical Capabilities for Application Security Testing in the reference section for more information.
DAST tool
The dynamic application security testing (DAST) tool performs black-box testing against the running
application, so that every build can be scanned automatically without access to the source. ISRM can
also view the DAST results centrally. ISRM enables a user-story-based, macro-driven testing approach:
engineers record simple security testing macros (scripted interaction sequences) aligned to their user
stories, and the DAST tool replays them to exercise the application at runtime and surface potential
security issues. Please refer to Critical Capabilities for Application Security Testing in the
reference section for more information.
Infrastructure scanning tool
ISRM uses a configuration compliance tool for host security to scan the production environment
continuously. The application teams are required to ensure that their production environment remains
patched and that any discovered vulnerabilities are resolved.
The continued Microsoft IT investment into security and privacy is driven by the need to move
security and risk management upstream in the DevOps engineering process. With the SAST and DAST
toolsets, ISRM has the ability to help surface security issues within the development process. With the
infrastructure-scanning tool, measuring compliance with a secure configuration baseline is easily
visible to the engineering teams.
Conclusion
As development teams in Microsoft IT embrace the DevOps culture and become more agile, their
release cycles continue to shorten. ISRM is removing the bottleneck associated with security and
privacy reviews by moving security and risk management upstream. The team is addressing the
industry challenges that arise when migrating from the traditional waterfall lifecycle to an agile
development process. By engaging with the development team at the inception phase of the project
and by automating the repetitive security compliance activities of later stages, ISRM streamlines the
process for the development teams, which in turn saves time and money and improves security and
privacy for internal applications.
Figure 2. Leading the way with security and privacy compliance in DevOps
References
Magic Quadrant for Application Security Testing
https://www.gartner.com/doc/2786417?ref=shareSummary (Subscription Required)
The Impact of DevOps and Web-Scale IT on Application Development
https://www.gartner.com/doc/2696022/impact-devops-webscale-it-application (Subscription Required)
Predicts 2015: Application Development
https://www.gartner.com/doc/2916817?ref=shareSummary (Subscription Required)
Report Highlight for Market Trends: DevOps — Not a Market, but a Tool-Centric Philosophy That
Supports a Continuous Delivery Value Chain
https://www.gartner.com/doc/2988619?ref=shareSummary (Subscription Required)
Benefits of the SDL
http://www.microsoft.com/en-us/SDL/about/benefits.aspx
Related content
The State of DevOps: Accelerating Adoption:
http://devops.com/2014/01/23/the-state-of-devops-accelerating-adoption/
2014 State of DevOps Report:
https://puppetlabs.com/sites/default/files/2014-state-of-devops-report.pdf
Managing security and privacy within DevOps (video):
http://www.microsoft.com/itshowcase/Article/Video/561
For more information
For more information about Microsoft products or services, call the Microsoft Sales Information
Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750.
Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access
information via the World Wide Web, go to:
www.microsoft.com
www.microsoft.com/ITShowcase
© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The
names of actual companies and products mentioned herein may be the trademarks of their respective
owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS OR IMPLIED, IN THIS SUMMARY.