
ChatOps is Your Bridge to a True DevSecOps Environment

The way we build, provision, maintain and secure apps continues to evolve. As agile development practices put pressure on operations, organizations move to DevOps where both functions are synchronized. This in turn puts pressure on the app security organization, and so we see more companies today adopting a DevSecOps model.

At the same time, the complexity of a typical environment has increased dramatically in recent years. Your app runs on a virtual server hosted in AWS. Your CI/CD pipeline sits in another public cloud environment. You have a managed WAF. You’re using another software-as-a-service product owned by another vendor.

And then there are various internal teams that weigh in on any app or web development project—IT, app security, content, developers, project managers—plus the fact that each member of each team, both internal and external, is probably supporting multiple releases and business units.

When you’re trying to identify a problem among all of the possible permutations across all of those distributed entities, you face exponential complexity. So how do you immediately triage to resolve the problems that inevitably come up? 

Sometimes called conversation-driven collaboration or conversation-driven DevOps, ChatOps is growing out of this need for a range of stakeholders to share data and keep all members of your extended, cross-functional team on the same page. It’s about anticipating that challenges will arise and building that fact into the broader development process. 

ChatOps uses chat clients, chat bots and real-time communication tools to facilitate DevOps, and increasingly DevSecOps. In the ChatOps environment, the chat client serves as the primary communications channel across all stakeholders, providing visibility into the right information at the right time to swiftly make decisions and resolve issues, wherever those issues may be. 

Building this environment requires a tool, like Slack or Microsoft Teams, with sophisticated channels and app plug-ins. The tools already used by developers and operations managers are integrated into the environment to improve ticket tracking and response times.

Bringing all communication into the same environment provides a clean way to incorporate the level of insights needed from the application, the network, security, or from any other infrastructure, such as DNS and TLS.

The great thing about ChatOps is that it elevates those tools well beyond simple messaging. It involves integrating all of your applications that support the dev process to the extent that you have full visibility across the lifecycle. You can plug into your dev toolchain, your sprint tool, your whole ecosystem of applications. 

In a chat-based productivity tool, all of these apps are integrated. You can see your sprints. You can look at your teams. With everything in one place, now the team can come together and triage. If you want to spin up a new WAF policy, you can do so right from the tool. If you know something’s going wrong, you can sit in that channel and pull the most recent logs and alerts.

If it turns out you do have an app security incident, the security team can work in its own channel to resolve it, leaving the other groups to focus on being productive. The point is bringing the right teams in to identify an issue as quickly as possible, and then assigning the right group to fix it.  

Taking this concept to the next level, ChatOps spaces can be automated and infused with AI through chat bots and other means. The chat bot is designed to be an executive assistant. It’s programmed to identify common patterns and automate a response, spinning up a new channel in the collaboration tool and pulling in the appropriate people based on the type and location of the problem it’s identified.   
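The routing step described above can be sketched as follows. This is an added example, not code from the article or from any vendor's bot; the alert line format, the rule patterns, the team names and the `inc-` channel naming scheme are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Hypothetical rules: kind, message pattern, teams to invite, restricted channel?
RULES = [
    ("tls-cert", re.compile(r"certificate.*(expired|expires)", re.I), ["ops", "appsec"], False),
    ("waf-block", re.compile(r"\bblocked\b.*\bsignature\b", re.I), ["appsec"], True),
    ("cache", re.compile(r"cache.*(stale|error|miss)", re.I), ["ops", "content"], False),
]
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

@dataclass
class Incident:
    channel: str
    teams: list
    private: bool
    alerts: list = field(default_factory=list)

def parse_alert(line):
    """Parse key=value / key="quoted value" pairs from one alert line."""
    return {k: (q if q else b) for k, q, b in FIELD.findall(line)}

def channel_name(kind, location):
    # Alert fields may carry attacker-influenced text: keep only safe characters.
    loc = re.sub(r"[^a-z0-9]+", "-", location.lower()).strip("-") or "unknown"
    return f"inc-{kind}-{loc}"[:80]

def triage(lines):
    """Group alerts into incidents keyed by channel; the rest go to a human queue."""
    incidents, unmatched = {}, []
    for line in lines:
        alert = parse_alert(line)
        msg = alert.get("msg", "")
        for kind, pattern, teams, private in RULES:
            if pattern.search(msg):
                name = channel_name(kind, alert.get("location", ""))
                inc = incidents.setdefault(name, Incident(name, teams, private))
                inc.alerts.append(msg)  # repeat alerts reuse the open channel
                break
        else:
            unmatched.append(line)
    return incidents, unmatched

SAMPLE = [  # constructed alert lines
    'source=lb location=eu-west msg="TLS certificate for www expired"',
    'source=waf location=us-east msg="Request blocked by SQLi signature on /login"',
    'source=waf location=us-east msg="Request blocked by XSS signature on /search"',
    'source=cdn location="AP South #1" msg="disk usage at 71%"',
]
```

Calling `triage(SAMPLE)` yields one channel per incident type and location, marks the WAF incident as restricted to the security team, and leaves the unrecognized alert for a person to review.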

Major providers like Microsoft, Google and Amazon offer basic chat bots as part of their AI platforms. More sophisticated customers can download those and integrate them into their collaboration tools, programming them to spot their most common events and perform these initial functions within the ChatOps space. 

Most organizations moving to a ChatOps environment aren’t quite at the chat bot stage yet, though. Training the bot to spot your top 10 or 15 most common issues is a development hurdle, requiring the organization to commit part of its own development cycle to building in that automation.

At some point, this combination of ChatOps and increasingly sophisticated AI is going to come into its own. There’s just no other way to get around the complexity of involving so many teams and companies in the development process.

In our own heterogeneous environment at F5, my team has gone through a TLS certificate bringing us down, an advertising asset cache not working appropriately, a misconfigured security device slowing down the web site, and even bad third-party code impacting performance. None of these were security breaches, and just identifying the problems among multiple, globally distributed teams took hours—time that could have been spent advancing the application in other ways.

Imagine an environment where problem resolution goes from eight hours to seven hours, or even minutes in many cases. In this way ChatOps offers a bridge to a fully realized vision for DevSecOps, offering a much quicker path to resolution for both security and non-security issues.

Preston Hogue is Sr. Director of Security Marketing at F5 Networks and serves as a worldwide security evangelist for the company. Previously, he was a Security Product Manager at F5, specializing in network security Governance, Risk, and Compliance (GRC). He joined F5 in 2010 as a Security Architect and was responsible for designing F5’s current Information Security Management System. Preston has a proven track record building out Information Security Management Systems with Security Service Oriented Architectures (SSOA), enabling enhanced integration, automation, and simplified management. Before joining F5, he was Director of Information Security at social media provider Demand Media where he built out the information security team. Preston’s career began 18 years ago when he served as a security analyst performing operational security (OPSEC) audits for the U.S. Air Force. He currently holds CISSP, CISA, CISM, and CRISC security and professional certifications.