Why log management is essential to successful implementation of DevSecOps [Q&A]
DevSecOps, the integration of security into DevOps processes, is in increasingly common use. Logging and log management play a critical role in helping to put DevSecOps principles into practice by ensuring that developers, IT operations staff, and security teams have the visibility and communication pipelines they need to prioritize security at all stages of the DevOps delivery cycle.
We spoke to Ryan Staatz, systems architect and head of DevOps at LogDNA, to discuss how log management fits into the toolchain of technology and practices that make up a successful DevSecOps initiative.
BN: What does DevSecOps mean to you?
RS: I like to start by breaking down the word. To me it represents the manner in which development, security, and operations work together to create a functional process that benefits each of those teams equally. To some, DevSecOps is simply a generic term for an overall methodology. I feel strongly that a successful DevSecOps initiative is outlined by an IT organization doing its best to bridge all three critical areas in order to improve its security, operations, and development practices together. It comes down to communication and process, and I certainly encounter DevSecOps every day.
BN: What does it take for DevSecOps to be successful?
RS: I'm not sure I can give you an exact formula, but there are certainly some good practices that I recommend you follow. Communication between the three IT groups is critical and can be challenging when dealing with multiple disparate teams that all have their own set of goals and initiatives. Insight across the different teams into their present projects, KPIs and goals is very important for these teams to better understand each other. For instance, having a discussion early on about how security can benefit both operations and development is critical for all three teams to both understand and agree upon. This common ground and buying into each other's goals is a good starting point to building a process that works for everyone.
I know that security can often be viewed as a huge hurdle for many in IT who do not work with it every day, but in actuality, security is similar to preventive health care in that it is a lot easier to prevent something from happening than it is to clean up or treat an ailment after the fact. Spending the time at the outset to establish a cadence process and a line of communications is critical.
BN: How does logging help communication between IT teams?
RS: A log, as a message or an event from an application, can be valuable to many different teams for many different reasons. The same message could offer insight to development that there is an error in your application. For security, it could be that somebody logged on to the network who is not a user and from outside the secure network. Operations can use a message and realize the logs stopped here, but looking into another log trail, it shows something is crashing, or it looks like a server hosting these applications died, or whatever it might be. Logs can be powerful in hunting those issues down.
Centralized logs also help drive that same communication we talked about for what makes a successful DevSecOps foundation. The ability for everyone to view logs in the same place means that each person on each team can point out things to other people on other teams to better understand the overall health of the environment. They may not necessarily have the entire context to make sense of every single log statement from every single team, but they can at least use it as a shared repository of evidence of what's going on. Having that source of truth can be very powerful.
BN: How does log management increase visibility into security?
RS: Security is a huge undertaking just on its own. When it comes to structuring data there are a lot of areas that are going to need to be categorized. With SIEM tools for instance, you can think of logging as a precursor to them. And once you have that data categorized in a manner that you can understand and run aggregates and analysis on, you can quickly see from the logs it looks like this component is affected and this type of message is an authorized login, for example. You can really begin diving into the specifics of what's going on in your system.
Also, because you might be pulling logs from different places, there are different parts of the application lifecycle to gain visibility into. For example, depending on the continuous integration tool you have set up in your organization, you can track logs from those systems and -- once it's deployed -- receive valuable insight for deploying and running your applications.
And this goes all the way down to the application level of when it is running in production, to better understand an event and decide if it is unusual and should be investigated. The more structure you can put into your logs, the more value you can drive, especially for long-term aggregation and detection of unusual behaviors.
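The structured-log workflow Ryan describes above (categorize events, run aggregates over them, then flag the unusual ones such as a login from outside the secure network that he mentioned earlier) is shown in the following added Python example. It is not code from the interview or from LogDNA; the JSON event format, the sample log lines, the known-user list and the trusted network ranges are all constructed for the illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample (not real data): newline-delimited JSON events from a
# hypothetical "auth" component and "api" component, plus one malformed line
# of the kind that shows up when an application writes unstructured text.
SAMPLE_LOGS = """\
{"ts":"2021-03-01T10:00:01Z","component":"auth","event":"login","outcome":"success","user":"alice","src_ip":"10.1.2.3"}
{"ts":"2021-03-01T10:00:05Z","component":"auth","event":"login","outcome":"failure","user":"bob","src_ip":"10.1.2.9"}
{"ts":"2021-03-01T10:00:06Z","component":"auth","event":"login","outcome":"failure","user":"bob","src_ip":"10.1.2.9"}
{"ts":"2021-03-01T10:00:07Z","component":"auth","event":"login","outcome":"success","user":"bob","src_ip":"10.1.2.9"}
{"ts":"2021-03-01T10:01:00Z","component":"auth","event":"login","outcome":"success","user":"mallory","src_ip":"203.0.113.7"}
{"ts":"2021-03-01T10:01:30Z","component":"api","event":"request","status":500,"path":"/orders"}
{"ts":"2021-03-01T10:01:31Z","component":"api","event":"request","status":200,"path":"/orders"}
this line is not JSON and is counted as unparsed rather than dropped silently
{"ts":"2021-03-01T10:02:00Z","component":"auth","event":"login","outcome":"success","user":"alice","src_ip":"198.51.100.5"}
"""

# Assumed policy inputs for the hypothetical environment: which accounts are
# expected to exist and which address ranges count as the "secure network".
KNOWN_USERS = {"alice", "bob"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]


def parse_logs(text):
    """Parse NDJSON log lines into dicts; return (events, unparsed_count)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            unparsed += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            unparsed += 1
    return events, unparsed


def summarize(events):
    """Aggregates each team might want from the same shared log stream."""
    by_component = Counter(e.get("component", "unknown") for e in events)
    failures = Counter(e["user"] for e in events
                       if e.get("event") == "login" and e.get("outcome") == "failure")
    api_errors = sum(1 for e in events
                     if e.get("component") == "api" and e.get("status", 0) >= 500)
    return {"by_component": by_component,
            "login_failures_by_user": failures,
            "api_server_errors": api_errors}


def flag_logins(events, known_users=KNOWN_USERS, trusted_networks=TRUSTED_NETWORKS):
    """Return login events worth a security review, with the reason(s) why."""
    flagged = []
    for e in events:
        if e.get("event") != "login":
            continue
        reasons = []
        if e.get("user") not in known_users:
            reasons.append("unknown-user")
        try:
            ip = ipaddress.ip_address(e.get("src_ip", ""))
            if not any(ip in net for net in trusted_networks):
                reasons.append("outside-trusted-network")
        except ValueError:
            reasons.append("unparseable-src-ip")
        if reasons:
            flagged.append({"ts": e.get("ts"), "user": e.get("user"),
                            "src_ip": e.get("src_ip"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    events, unparsed = parse_logs(SAMPLE_LOGS)
    print(f"parsed {len(events)} events, {unparsed} unparsed line(s)")
    for key, value in summarize(events).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    for hit in flag_logins(events):
        print("review:", hit)
```

The unparsed-line counter is deliberate: a rising count is itself a signal that some component has stopped emitting structured output, which is exactly the kind of long-term aggregation the answer above points to. The same event stream feeds three consumers here, which is the shared-repository point from the earlier answer: developers look at `api_server_errors`, operations at `by_component` volumes, and security at the flagged logins.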
BN: If an IT team is considering a DevSecOps initiative, where is a good place to start?
RS: There are many factors that play into a successful DevSecOps initiative, but deciding on overall goals, how the work culture will support the initiative and receiving strong buy-in from everyone in the IT organization is a good place to start.
Tactically, having basic proactive and reactive approaches in place is a great start. Even setting up automated codebase scans that quickly catch major issues and notify the appropriate teams can be super helpful. This benefits multiple parties -- security, app developers, operations -- by letting them know their dependency might have a problem.
And security is critical. In my experience, security is often viewed like insurance. Everyone wants it but nobody wants to pay for it, nor spend the time it takes to learn and apply it to their organization. Thinking about security from a preventative approach, any low-effort, high-impact deliverable that you can receive as an early-stage company is huge. It will lay the foundation later on for better practices, faster to-production delivery times, and even detection of important issues before they happen in production.