After being a podcast listener for years and years (having new things to stuff into my ears is the only way that chores around the house get done) I was finally a podcast participant. The good people at Electric Cloud coordinate a panel discussion about continuous delivery/deployment and they invited me. Me? Can you believe it? They probably thought they were inviting a different Martin. Like the time I showed up to lead a unit testing seminar and someone thought they were going to get Martin Fowler.
Poor guy. I can only imagine the depth of his disappointment.
Anyway, here’s the discussion about security concerns and DevOps.
Afterwards, I thought it would be useful to share the tools/techniques that I’m currently using and why. Many of these things are free or open source, and a bunch of them have perfectly good alternatives.
External Auditor by a real-life Security Expert
We do a security audit (including penetration testing) through Applause yearly. If we could afford to do it more often, I totally would. Their security expert not only found potential vulnerabilities, but he also took the time to explain the nature and severity of each problem, and gave us pointers on how to address them. We distributed the tasks for fixing them throughout the team as a way to build this sort of security knowledge into the team broadly. That way we’re less likely to accidentally re-introduce the vulnerabilities we didn’t understand before, which is what tends to happen when you designate some poor sap as “the security guy”.
“Continuous Everything” tools for automation around build/test/deploy/monitor
While not strictly security tools, being able to ship incremental improvements to code in a safe and repeatable way is key. We’ve built our infrastructure and process in such a way that we can do fully automated zero-downtime production deployments. It sounds like a luxury for a small team, but yesterday’s luxuries become today’s necessities.
Dependency and Release Management Tools
- Sonatype Nexus
- Our own DIY version stamping, where you can ask any service on any environment exactly what build # it’s running. When you release to many standalone services frequently, you need to know exactly what code is running where, and a deploy isn’t done until every instance answers with the build you expected.
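Here’s what the “what build is running where” check looks like in practice. This is an added example, not the code from our build; the key=value stamp format, the service names, the IPs and the build numbers are all made up for illustration. Each service answers with a small build stamp, and the checker compares every instance’s answer against the release manifest, flagging instances on the wrong build (a half-finished rolling deploy), instances that didn’t answer, and services that are running but aren’t in the manifest at all.

```python
"""Compare the build each service instance reports with the release manifest.

Added example; the stamp format (key=value lines) and all sample data are
assumptions for illustration, not taken from the original post.
"""


def parse_build_stamp(text):
    """Parse a 'key=value' build stamp. Blank lines and '#' comments are ignored."""
    stamp = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            stamp[key.strip()] = value.strip()
    return stamp


def find_drift(manifest, responses):
    """Report where reality differs from the manifest.

    manifest:  {service: expected build number}
    responses: {service: {instance: stamp text, or None if the instance didn't answer}}
    Returns a dict with the instances on the wrong build, the instances that
    were unreachable, and services that answered but aren't in the manifest.
    """
    wrong_build = {}   # service -> {instance: build it actually reports}
    unreachable = []   # "service@instance" entries that gave no answer
    for service, expected_build in manifest.items():
        if service not in responses:
            unreachable.append(f"{service}@*")   # no instance answered at all
            continue
        for instance, text in responses[service].items():
            if text is None:
                unreachable.append(f"{service}@{instance}")
                continue
            actual = parse_build_stamp(text).get("build")
            if actual != expected_build:
                wrong_build.setdefault(service, {})[instance] = actual
    unknown = sorted(set(responses) - set(manifest))
    return {
        "wrong_build": wrong_build,
        "unreachable": sorted(unreachable),
        "unknown_services": unknown,
    }


# Constructed sample data: a release manifest and the stamps returned by
# each instance. Addresses and build numbers are invented.
MANIFEST = {"orders": "1234", "payments": "987", "search": "555"}
RESPONSES = {
    "orders": {
        "10.0.1.5": "version=2.3.0\nbuild=1234\ncommit=abc1234",
        "10.0.1.6": "# stale instance\nversion=2.3.0\nbuild=1233\ncommit=0ff00ff",
    },
    "payments": {"10.0.2.5": None},          # instance didn't answer
    "legacy-cart": {"10.0.9.1": "build=1"},  # running, but not in the manifest
}

if __name__ == "__main__":
    drift = find_drift(MANIFEST, RESPONSES)
    for kind, detail in drift.items():
        print(f"{kind}: {detail}")
```

Wire `find_drift` into the end of the deploy pipeline and fail the build when anything comes back non-empty; the “unknown_services” bucket is the one that tends to surprise people, because it catches the box somebody forgot to decommission.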
Static Analysis Tools
Automate the things you can, create a cadence for the things you can’t. There’s actually a LOT of code inspection that you can currently automate. My goal is to get to zero errors/warnings/anything, but until then, we’ll just ratchet the numbers down bit by bit.
- IntelliJ Code Coverage (via TeamCity)
- IntelliJ Inspections (via TeamCity)
- TeamCity Duplicate Code Detection
- Gradle DependencyUpdate (for finding newer versions of the dependencies you’re using)
- Gradle DependencyCheck (the OWASP Dependency-Check plugin, for checking dependencies against known vulnerabilities such as published CVEs)
Monitoring / Intrusion Detection
Our hosting provider provides network level firewall, monitoring, intrusion detection, and DDoS protection in a way that’s pretty much transparent to me, as a developer. In the spirit of “trust but verify” we have tests that verify (for example) that you can’t connect on ports you shouldn’t be able to reach. Those tests only mean something when they run from outside the provider’s perimeter; from a box inside the firewall they’ll pass no matter what.
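The port exposure test is simple enough to show in full. This is an added example rather than our actual test suite, and the allow-list, the port list and the simulated host are assumptions for illustration. The probe is pluggable so the logic can be exercised offline against a constructed set of open ports; the default probe does a real TCP connect with a timeout.

```python
"""Verify that a host exposes only the ports it is supposed to expose.

Added example; the allow-list and port list are assumptions for illustration.
"""
import socket
import sys


def tcp_probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host, allowed, candidates, probe=tcp_probe):
    """Compare reachable ports against the allow-list.

    Every allowed port is probed too, so a service that is supposed to be up
    but isn't shows up as 'allowed_unreachable' instead of silently passing.
    """
    targets = set(candidates) | set(allowed)
    reachable = {p for p in sorted(targets) if probe(host, p)}
    return {
        "unexpected_open": sorted(reachable - set(allowed)),
        "allowed_unreachable": sorted(set(allowed) - reachable),
    }


def assert_only_allowed(host, allowed, candidates, probe=tcp_probe):
    """Raise AssertionError describing any port that is open but shouldn't be."""
    result = check_exposure(host, allowed, candidates, probe)
    if result["unexpected_open"]:
        raise AssertionError(
            f"{host} accepts connections on {result['unexpected_open']} "
            f"but only {sorted(allowed)} are allowed"
        )
    return result


# Assumed allow-list: only SSH and HTTPS should be reachable from the outside.
ALLOWED = {22, 443}
# Assumed list of ports worth checking: admin, database and cache ports
# that are commonly left exposed by accident.
COMMON_PORTS = [21, 22, 23, 25, 80, 443, 3306, 5432, 6379, 8080, 27017]

# Constructed simulation of a misconfigured host: MySQL reachable from outside.
SIMULATED_OPEN = {22, 443, 3306}


def simulated_probe(host, port):
    """Stand-in for tcp_probe so the example runs without network access."""
    return port in SIMULATED_OPEN


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python check_ports.py <host>, ideally from outside the firewall.
        print(check_exposure(sys.argv[1], ALLOWED, COMMON_PORTS))
    else:
        print(check_exposure("simulated-host", ALLOWED, COMMON_PORTS, probe=simulated_probe))
```

Run it from a CI agent or a cheap VM that sits outside the hosting provider’s network, and treat a non-empty `unexpected_open` as a failed build; the `allowed_unreachable` list is the “is the thing actually up” half of the same check.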
We also install OSSEC (a host-based intrusion detection system) on all of our systems, so if something fishy shows up in the logs, we’ll be notified right away.