DevOps + Security = DevSecOps

Being the most innovative and successful cloud monitoring company on the market, developing new features to production every day, it’s not only crucial to deliver the best user experience, performance and high reliability, but also guarantee the highest SECURITY for our customers.

To not let security measures slow down our agile and innovative value creation cycle and not introduce any roadblocks to our “60 minute from code to production” pipeline, we had to build security into the heart of the Dynatrace DevOps culture.

Making EVERYONE responsible for security, building a team of security experts with the focus on secure software and product development, fully automating and monitoring cloud deployments and choosing the right set of tools, formed the key ingredients for this change process.

The 4 most important secure development disciplines that are in place are:

• Code Reviews
• Penetration Testing
• Static Code Analysis
• OpenSource risk management

Code Reviews guarantee a high level of code quality but also a high level of security risk reduction, by having security experts review security critical code. By using git version control system and Atlassian’s Bitbucket Server with a pull request workflow, code reviews must be conducted for every change, before being able to merge into the main code line (master). Code reviews are great for knowledge sharing and making sure, secure coding guidelines are obeyed by every developer.

With manual pen tests, mostly done with Burp Suite and the Kali Linux toolset, automated pen tests, yearly conducted pen tests by external security firms and internal + external bug bounty programs we cover the full spectrum of penetration testing.

For static code analysis SonarQube with the additional FindSecurityBugs plugin is used to discover potential security bugs in the code immediately.

Black Duck Hub was the ideal solution for managing the list of open source components that are used in our products and get immediate alerts about new security vulnerabilities in open source software.

All these tools and disciplines are tightly integrated into our fully automated continuous delivery pipeline. If any stage of that pipeline breaks, the Dynatrace UFO, which “flies” around in the R&D labs, makes sure that everybody is aware of the situation and helps to fix the problem.

So what’s next?

We are constantly evaluating new tools and frameworks for automating manual pen test procedures, bring static code analysis right into the pull request workflow and use Dynatrace itself to stay secure.