My Software Security Toolkit

After being a podcast listener for years and years (having new things to stuff into my ears is the only way that chores around the house get done) I was finally a podcast participant. The good people at Electric Cloud coordinated a panel discussion about continuous delivery/deployment and they invited me. Me? Can you believe it? They probably thought they were inviting a different Martin. Like the time I showed up to lead a unit testing seminar and someone thought they were going to get Martin Fowler.

Poor guy. I can only imagine the depth of his disappointment.

Anyway, here’s the discussion about security concerns and DevOps.

Afterwards, I thought it would be useful to share the tools/techniques that I’m currently using and why. Many of these things are free or open source, and a bunch of them have perfectly good alternatives.

External Auditor by a real-life Security Expert

We do a security audit (including penetration testing) through Applause yearly. If we could afford to do it more often, I totally would. Their security expert not only found potential vulnerabilities, but he also took the time to explain the nature and severity of each problem, and gave us pointers on how to address them. We distributed the tasks for fixing them throughout the team as a way to build this sort of security knowledge into the team broadly. We will be less likely to accidentally re-introduce the same vulnerabilities that we didn’t understand before than if we had designated some poor sap as “the security guy”.

“Continuous Everything” tools for automation around build/test/deploy/monitor

While not strictly security tools, being able to ship incremental improvements to code in a safe and repeatable way is key. We’ve built our infrastructure and process in such a way that we can do fully automated zero-downtime production deployments. It sounds like a luxury for a small team, but yesterday’s luxuries become today’s necessities.

Dependency and Release Management Tools

  • Gradle
  • Sonatype Nexus
  • Our own DIY version stamping, where you can ask any service on any environment exactly what build # it’s running. When you release to many standalone services frequently, you need to know exactly what code is running where.
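The version stamping idea in the last bullet, as an added example that is not the post's own code: the build identity is captured from CI at build time (the variable names `BUILD_NUMBER` and `GIT_COMMIT` are assumptions), served back as JSON from a hypothetical `/version` endpoint, and a fleet check compares what every service reports against the release manifest so that drift (a service running an older build, a service that did not answer, a service nobody expected to exist) is flagged rather than discovered during an incident.

```python
"""Build stamping and fleet drift check (added example, not the post's own code)."""
import json
import os
from dataclasses import dataclass, asdict
from typing import Dict, Mapping, Optional, Tuple


@dataclass(frozen=True)
class BuildInfo:
    service: str
    build_number: str
    commit: str


def stamp_build(service: str, env: Optional[Mapping[str, str]] = None) -> BuildInfo:
    """Capture the build identity at build time from the CI environment.

    Assumed variable names: BUILD_NUMBER and GIT_COMMIT. Local builds get
    obvious placeholder values so a dev build can never masquerade as a release.
    """
    env = os.environ if env is None else env
    return BuildInfo(service, env.get("BUILD_NUMBER", "dev"), env.get("GIT_COMMIT", "unknown"))


def version_response(info: BuildInfo) -> str:
    """JSON body a hypothetical /version endpoint returns for the running service."""
    return json.dumps(asdict(info), sort_keys=True)


def parse_version_response(body: str) -> BuildInfo:
    """Inverse of version_response, used by the fleet check when polling services."""
    data = json.loads(body)
    return BuildInfo(data["service"], data["build_number"], data["commit"])


def find_drift(manifest: Dict[str, str],
               reported: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Compare the expected build per service with what each running service reports.

    Returns {service: (expected, actual)} for every mismatch. A service that did not
    answer shows up with actual=None; a service absent from the manifest shows up
    with expected=None (something is running that the release did not plan for).
    """
    drift = {}
    for service in sorted(set(manifest) | set(reported)):
        expected, actual = manifest.get(service), reported.get(service)
        if expected != actual:
            drift[service] = (expected, actual)
    return drift


# Constructed sample: what the release manifest says vs. what a poll of /version returned.
SAMPLE_MANIFEST = {"orders": "1432", "users": "1432", "billing": "1431"}
SAMPLE_REPORTED = {
    "orders": parse_version_response(version_response(BuildInfo("orders", "1432", "a1b2c3"))).build_number,
    "users": "1430",   # stale: still on the previous build
    "legacy": "77",    # not in the manifest at all
}

if __name__ == "__main__":
    for service, (expected, actual) in find_drift(SAMPLE_MANIFEST, SAMPLE_REPORTED).items():
        print(f"{service}: expected {expected}, running {actual}")
```

In the constructed sample the check reports `users` on an old build, `billing` not answering, and `legacy` running with no entry in the manifest; the deployment pipeline can fail or page on any non-empty result.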

Static Analysis Tools

Automate the things you can, create a cadence for the things you can’t. There’s actually a LOT of code inspection that you can currently automate. My goal is to get to zero errors/warnings/anything, but until then, we’ll just ratchet the numbers down bit by bit.
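One way to implement that ratchet, as an added example rather than the post's own tooling: the analyzer's report is counted per rule, the build fails if any rule has more findings than the committed baseline, a few rules are never tolerated regardless of baseline, and the baseline is only ever rewritten downwards so the number of accepted findings can shrink but never grow. The report line format and the rule names are constructed for the example.

```python
"""Static-analysis ratchet (added example, not the post's own code)."""
import json
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed analyzer output; the "path:line: level [RULE] message" format is assumed.
SAMPLE_REPORT = """\
src/Login.java:42: warning [SQL_INJECTION] untrusted value concatenated into query
src/Login.java:58: warning [HARDCODED_PASSWORD] string literal assigned to password field
src/Util.java:10: warning [UNUSED_IMPORT] java.util.List
src/Util.java:77: warning [UNUSED_IMPORT] java.io.File
src/Api.java:13: error [PATH_TRAVERSAL] file path built from request parameter
"""

# Rules whose baseline is always zero: the ratchet never accepts any of these.
ZERO_TOLERANCE = ("SQL_INJECTION", "PATH_TRAVERSAL")

LINE_RE = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+): (?P<level>\w+) \[(?P<rule>[A-Z_]+)\]")


def count_findings(report: str) -> Dict[str, int]:
    """Count findings per rule; lines that do not match the format are ignored."""
    counts: Counter = Counter()
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group("rule")] += 1
    return dict(counts)


def ratchet(current: Dict[str, int], baseline: Dict[str, int],
            zero_tolerance=ZERO_TOLERANCE) -> Tuple[bool, Dict[str, int], List[str]]:
    """Decide whether this build passes and compute the tightened baseline.

    Passes only if no rule has more findings than the baseline and every
    zero-tolerance rule has none. The returned baseline takes the minimum of
    current and previous counts, so it only moves down; persist it on pass.
    """
    reasons: List[str] = []
    new_baseline: Dict[str, int] = {}
    for rule in sorted(set(current) | set(baseline)):
        now, before = current.get(rule, 0), baseline.get(rule, 0)
        if rule in zero_tolerance and now > 0:
            reasons.append(f"{rule}: {now} finding(s); this rule is never tolerated")
        elif now > before:
            reasons.append(f"{rule}: {now} finding(s) exceeds baseline of {before}")
        new_baseline[rule] = min(now, before)
    return not reasons, new_baseline, reasons


def load_baseline(path: str) -> Dict[str, int]:
    with open(path) as f:
        return json.load(f)


def save_baseline(path: str, baseline: Dict[str, int]) -> None:
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


if __name__ == "__main__":
    previous = {"HARDCODED_PASSWORD": 1, "UNUSED_IMPORT": 3}  # constructed committed baseline
    passed, tightened, why = ratchet(count_findings(SAMPLE_REPORT), previous)
    print("PASS" if passed else "FAIL", tightened, *why, sep="\n")
```

Wire `ratchet` into the CI step that runs the analyzer, commit the baseline file next to the code, and let the same step rewrite it whenever a build passes with fewer findings; a pull request then cannot add a finding without failing, and "zero" arrives one reduction at a time.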

Monitoring / Intrusion Detection

Our hosting provider provides network level firewall, monitoring, intrusion detection, and DDoS protection in a way that’s pretty much transparent to me, as a developer. In the spirit of “trust but verify” we have tests that check (for example) that you can’t connect on ports you shouldn’t be able to connect to.
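A "trust but verify" port-exposure test of the kind described above, written as an added example and not the post's own test suite: every candidate port is probed with a plain TCP connect and the result is compared with an allow-list, so a port that is reachable but not on the list fails the test, and an allowed port that is unreachable is reported separately (usually the service is down or the probe was filtered). The `demo_against_local_listener` function is included so the code runs offline against a loopback listener; the host and port lists are placeholders to be replaced by the real inventory.

```python
"""Port-exposure check (added example, not the post's own code)."""
import socket
from typing import Dict, Iterable, Set


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to host:port completes within the timeout.

    A refused or timed-out connect both count as closed; the test only cares
    whether the port is reachable from where the test runs.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_exposure(host: str, expected_open: Set[int], candidates: Iterable[int],
                   timeout: float = 1.0) -> Dict[str, Set[int]]:
    """Probe every candidate port and compare with the allow-list.

    'unexpected_open' is the finding that matters for security;
    'expected_closed' means an allowed port did not answer.
    """
    actually_open = {p for p in candidates if port_is_open(host, p, timeout)}
    return {
        "unexpected_open": actually_open - expected_open,
        "expected_closed": expected_open - actually_open,
    }


def assert_exposure(host: str, expected_open: Set[int], candidates: Iterable[int]) -> None:
    """Raise AssertionError with a readable message when the host deviates from policy."""
    result = check_exposure(host, expected_open, candidates)
    problems = [f"{k}: {sorted(v)}" for k, v in result.items() if v]
    if problems:
        raise AssertionError(f"{host} port policy violated: " + "; ".join(problems))


def demo_against_local_listener() -> Dict[str, Dict[str, Set[int]]]:
    """Offline self-check: one loopback listener plays the allowed service and a port
    that was bound and released plays a port that must stay closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as scratch:
        scratch.bind(("127.0.0.1", 0))
        closed_port = scratch.getsockname()[1]   # free again once the socket closes
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        allowed_port = listener.getsockname()[1]
        candidates = [allowed_port, closed_port]
        compliant = check_exposure("127.0.0.1", {allowed_port}, candidates)
        violation = check_exposure("127.0.0.1", set(), candidates)  # policy: nothing open
    return {"compliant": compliant, "violation": violation}


if __name__ == "__main__":
    print(demo_against_local_listener())
    # Real use (placeholders): assert_exposure("HOST_PLACEHOLDER", {443}, range(1, 1025))
```

Run `assert_exposure` from a network position that matters (the public internet for edge hosts, a neighbouring subnet for internal ones) as part of the post-deploy checks; a firewall rule that quietly disappears then shows up as a failed test rather than as a surprise in the next audit.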

We also install OSSEC on all of our systems, so if something fishy shows up in the logs, we’ll be notified right away.

One thought on “My Software Security Toolkit”

  1. […] vanished. Consider these key takeaways from the recent DevOps Enterprise Summit in London, and the security toolkit considerations the practice fosters. While the hype around DevOps will definitely change […]
