Cyber & Application Security: The 6th Key to Developing a DevOps Culture

Welcome once again to the vRad Technology Quest series – let's dive in.

Cyber Security is a hot topic. The frequency of notable events – ranging from the compromise of large corporations to possible state-sponsored security breaches – is increasing.

 Security has become particularly important in health care: research suggests that patient information is now more valuable than credit card numbers for fraud and cyber security is the frontline defense in protecting health care companies.

vRad’s proactive approach to cyber security falls into multiple buckets – user training, network security, email security, application security and many more.

For my part, I’ll share some specifics about our application security and its integral role in our overall approach to developing software. I break Engineering's approach to security into four tenets:

1. Engineer training;
2. Software quality;
3. Production security;
4. And penetration testing.

Let’s take a look!

#1 Security Training for Engineers

First and foremost, we make sure our team of engineers has the tools and training they need to stay up-to-date on best practices.

One core aspect of this training is security, with a focus on web application security. vRad places a high value on enabling our engineers by providing the training they need to be successful; the more we can educate ourselves about potential flaws and common problems, the better we can find and avoid pitfalls in our code base. We often refer back to the Open Web Application Security Project (OWASP) Top 10.

Our security training comes in a wide range of mediums including internal seminars, usage of our training platform Pluralsight, and white papers. Greg, our security manager at vRad, is a huge help in delivering corporate-wide training as well as engineer-targeted training to help us stay on track. We also focus on finding and sharing content among engineers and holding lunch-and-learn sessions.

#2 Software Quality is Software Security

Software Quality is the largest component of our security efforts; we believe that quality and security go hand-in-hand and we work hard to incorporate quality every step of the way, from idea to production. Some of this may seem pretty obvious, yet must not be overlooked:

1. We ensure that our code is secured and only accessible by vRad Engineers;
2. We secure passwords for environments and avoid embedding them within the code base;
3. We review every code change to make sure multiple engineers get a chance to see all code changes;
4. And we make sure that all of our code changes can be tracked back to test cases that get run.

We tie security and quality together tightly – our quality processes are security practices, too. This helps to ensure that we are always thinking about security, that multiple people are asking the question “is this secure?” and that we’re adding testing that validates security measures we put in place.

#3 Production Security & Change Management

Our production environments are monitored closely from multiple angles - one of which is security. I mentioned above that reviewing and testing code base enhances our quality process. One of the ways we ensure this is through internal auditing – much of which is automated.

In a similar fashion, we monitor all changes to production. Each alteration to production applications is carefully monitored and tracked. Engineers review each change and ensure that it was expected – or rather, it tracks back to our change management tool – and that the person who made the change was authorized to be making those changes.

We also monitor the groups who have access to make changes. vRad operates 24x7x365 and emergencies happen; engineers get called in and need special permissions in the environment to perform necessary adjustments. We are careful to track and audit these occurrences on a routine basis to ensure that only the appropriate people have permission. We strive for a fine balance between enabling people to keep the platform operating smoothly and avoiding unnecessary risk of having too many folks with too much access.

#4 Penetration Testing

I saved the best topic for last.

Penetration Testing is a simulated attack on a system to determine if security vulnerabilities are present.

vRad performs multiple types of penetration tests on our systems.

First, we have external organizations perform penetration testing – we provide them with a basic understanding of our applications and a development environment and let them try to break into our systems. This provides a great objective perspective of our application security.

Second, we perform internal penetration testing. Our security models tend to be layered; we don’t expect anyone to be able to get around the first layer, but if they do, we have secondary security measures in place. Because of this, we conduct additional “white box” testing – we design tests and setup scenarios in which the first layer of security has been compromised to validate the secondary measures are successful. A significant number of these tests are automated (see my earlier post on Test Automation (4)), so they run at least nightly and often more frequently on our code base.

These four focus areas help us secure our applications and are instrumental in keeping our patients’ and clients’ information safe.

The Penultimate Post

Thanks for joining me on the second to last leg of our technology quest. I hope you join us for our final topic on maintenance and release windows (#7) – the ultimate aspect of our ability to deliver patient care 24x7x365. And remember, you can always catch up on any DevOps Keys you may have missed in the vRad Technology Quest Log.

Until Next Time,

Brian (Bobby) Baker

About the Author