Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

ChatOps is Your Bridge to a True DevSecOps Environment

The way we build, provision, maintain and secure apps continues to evolve. As agile development practices put pressure on operations, organizations move to DevOps where both functions are synchronized. This in turn puts pressure on the app security organization, and so we see more companies today adopting a DevSecOps model

The way we build, provision, maintain and secure apps continues to evolve. As agile development practices put pressure on operations, organizations move to DevOps where both functions are synchronized. This in turn puts pressure on the app security organization, and so we see more companies today adopting a DevSecOps model

At the same time, the complexity of a typical environment has increased dramatically in recent years. Your app runs on a virtual server hosted in AWS. Your CI/CD pipeline sits in another public cloud environment. You have a managed WAF. You’re using another software as-a-service product owned by another vendor. 

And then there are various internal teams that weigh in on any app or web development project—IT, app security, content, developers, project managers—plus the fact that each member of each team, both internal and external, is probably supporting multiple releases and business units.

When you’re trying to identify a problem among all of the possible permutations across all of those distributed entities, you face exponential complexity. So how do you immediately triage to resolve the problems that inevitably come up? 

Sometimes called conversation-driven collaboration or conversation-driven DevOps, ChatOps is growing out of this need for a range of stakeholders to share data and keep all members of your extended, cross-functional team on the same page. It’s about anticipating that challenges will arise and building that fact into the broader development process. 

ChatOps uses chat clients, chat bots and real-time communication tools to facilitate DevOps, and increasingly DevSecOps. In the ChatOps environment, the chat client serves as the primary communications channel across all stakeholders, providing visibility into the right information at the right time to swiftly make decisions and resolve issues, wherever those issues may be. 

Building this environment requires a tool, like Slack or Microsoft Teams, with sophisticated channels and app plug ins. The tools already used by developers and operations managers are integrated into the environment to improve ticket tracking and response times. 

Bringing all communication into the same environment provides a clean way to incorporate the level of insights needed from the application, the network, security, or from any other infrastructure, such as the DNS and the TLS. 

The great thing about ChatOps is that it elevates those tools well beyond simple messaging. It involves integrating all of your applications that support the dev process to the extent that you have full visibility across the lifecycle. You can plug into your dev toolchain, your sprint tool, your whole ecosystem of applications. 

In a chat-based productivity tool, all of these apps are integrated. You can see your sprints. You can look at your teams. With everything in one place, now the team can come together and triage. If you want to spin up a new WAF policy, you can do so right from the tool. If you know somethings’ going wrong, you can sit in that channel and pull the most recent logs and alerts. 

If it turns out you do have an app security incident, the security team can work in its own channel to resolve it, leaving the other groups to focus on being productive. The point is bringing the right teams in to identify an issue as quickly as possible, and then assigning the right group to fix it.  

Taking this concept to the next level, ChatOps spaces can be automated and infused with AI through chat bots and other means. The chat bot is designed to be an executive assistant. It’s programmed to identify common patterns and automate a response, spinning up a new channel in the collaboration tool and pulling in the appropriate people based on the type and location of the problem it’s identified.   

Major providers like Microsoft, Google and Amazon offer basic chat bots as part of their AI platforms. More sophisticated customers can download those and integrate them into their collaboration tools, programming them to spot their most common events and perform these initial functions within the ChatOps space. 

Most organizations moving to a ChatOps environment aren’t quite to the chat bot stage yet though. Training the bot to spot your top 10 or 15 most common issues is a development hurdle, requiring the organization to commit part of its own development cycle to building in that automation. 

At some point in time, this combination of ChatOps and increasingly sophisticated AI are going to come into their own. There’s just no other way to get around the complexity of involving so many teams and companies in the development process. 

In our own heterogenous environment at F5, my team has gone through a TLS certificate bringing us down, an advertising asset cache not working appropriately, a misconfigured security device slowing down the web site, and even bad third-party code impacting performance. None of these were security breaches, and just identifying the problems among multiple, globally distributed teams took hours—time that could have been spent advancing the application in other ways. 

Imagine an environment where problem resolution goes from eight hours to seven hours, or even minutes in many cases. In this way ChatOps offers a bridge to a fully realized vision for DevSecOps, offering a much quicker path to resolution for both security and non-security issues.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...

Application Security

Application security startup ArmorCode today announced that it has received $8 million in additional seed funding, which brings the total raised by the company...