DevOps approaches have become a fixture in most businesses. But integration with security operations is lagging behind.
In February, for example, we surveyed 100 senior IT decision-makers with a series of questions around DevOps, and an overwhelming majority (88%) said their businesses had either adopted this approach or plan to do so in the next couple of years.
Reading Gene Kim in his trailblazing 2012 blog, Why We Need DevOps Now, there are many reasons why they should. According to the co-author of The Phoenix Project:
“By putting DevOps patterns into practice, organizations like Etsy, Netflix, Facebook, Amazon, Twitter and Google are achieving levels of performance that were unthinkable even five years ago: tens or even hundreds of code deploys per day, while delivering world-class stability, reliability and security.”
So far so good, but his claim that DevOps inevitably leads to improved security made us think twice. In fact, when we asked our survey audience about this fewer than one-in-five (19%) said they were fully confident in their ability to integrate security (commonly known as DevSecOps) into the process.
When it comes to swing votes, 88% falling to 19% is a flashing warning sign. Moving fast with DevOps might be a real boost for business agility, but introducing potential data security risks in the process cannot be ignored.
How have we got to this point?
Traditionally, many businesses have viewed security as something that is administered separately to the development lifecycle, rather than a discipline that should be fully incorporated from end-to-end.
The challenge is often one of time. DevOps teams often want to move faster than security teams are used to with legacy processes. For example, DevOps teams can’t wait the equivalent weeks it would usually take to have infrastructure provisioned and firewall rules updated. Yet, that is still the status quo within most organisations.
A separate entity
Given the frequent development cycles that are an inherent characteristic of DevOps, seeing security as a separate entity can slow the processes down and reduce efficiency. This leads to either a compromise in agility – which is so central to any DevOps philosophy – or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle.
To remedy this issue and help the IT department to effectively transition to a DevSecOps approach, training of staff throughout the IT department is essential. As is the adoption of new approaches to security testing that allows for continuous monitoring and analytics throughout the DevOps lifecycle (whether this is planning, coding, pre-production, or even decommissioning).
Security baked in
While the benefits of DevSecOps are clear, actually making it a reality is a complex process that can’t be completed overnight. Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing CI/CD pipelines takes time and effort. What's more, the latest approaches to security testing, such as continuous security testing, need to be understood to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for.
This guidance should be tailored to everyone involved in the DevSecOps process. Development teams need to be trained in order to heighten their security awareness and figure out how they can work with their security-focused colleagues. Conversely, security teams will no-doubt benefit from learning how their role fits within the wider DevOps ecosystem so that they have more of an appreciation of their colleagues’ ongoing responsibilities. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.
Restoring the balance
As we have seen, the fact that a fifth of organisations doubt their capability to deliver DevSecOps makes it clear that there is a significant disconnect between DevOps capabilities and DevSecOps readiness.
It is true that agility lies at the heart of any modern organisation wanting to compete on a global stage. DevOps teams understandably don’t want to forfeit this hard-fought agility. However, with cybersecurity threats and regulations on the rise organisations need to strike the right balance between agility and security.
- DevOps has rapidly become the de facto way of working for the vast majority of IT departments.
- But fewer than one-in-five are fully confident in their ability to integrate security into the process.
- To ensure they are not opening themselves up to attack, businesses need to embed security best practice into the entire DevOps lifecycle.
- New approaches such as continuous security testing, means development cycles can move fast and stay secure.