DevSecOps and the changing view of security for DevOps

Organizations shouldn't keep DevOps and security siloed. Bring them together as DevSecOps, ensuring security is built into applications earlier and with less of a struggle.

Software developers and cybersecurity teams can sometimes, like cops and firefighters, forget that they're on the same side.

DevOps, a term that combines software development (Dev) and information technology operations (Ops), is focused on getting software developed and into production as quickly as possible. DevOps teams value automation, consistency, constant feedback, cross-functional cooperation and continuous delivery.

By contrast, security teams are focused on identifying and eliminating vulnerabilities, adhering to regulations and compliance mandates, and trying to educate people about security best practices. From the point of view of the DevOps team, security teams can seem like mirthless hall monitors trying to slow everything down to a crawl.

It can seem, on the surface, as if DevOps and security are working at cross-purposes, with one side's priorities having to win out over the other, creating a misconception of a zero-sum game.

But that's not the reality, especially today. Traditionally, business architectures were designed to be siloed -- with a development team, a security team, a legal team, a compliance team and others each doing their parts separately and achieving their own efficiencies. But given how important software is today, touching so many pieces of an organization, individual teams can no longer make unilateral decisions about software development. Other organizational units must be involved. And that applies especially to security. An either-or, zero-sum attitude between DevOps and security won't work for protecting systems, applications and data. Both must be undertaken together to make development both fast and secure.

Changing those old mindsets won't happen overnight, so a good start is for organizations to choose champions from each team to work together, giving them a mandate to collaborate. A cooperative environment at the top will likely filter down through the organization. Another effective step is to ingrain security metrics into the DevOps process, seamlessly integrating them into the feedback loop. That tactic is employed in the DevSecOps methodology, the term used when developers, security and operations work together.

4 areas to combine DevOps and security

As part of bringing security and DevOps together, the two teams will likely need to agree on a common glossary, which could help close the gap between their differing viewpoints. For example, here are four areas where they might need to come to an agreement.

Risk. For developers, risk tends to refer to software bugs that keep an application from working optimally. To security pros, it means vulnerabilities or a failure to adhere to a certain standard. The two teams need to incorporate both meanings into a common understanding.

Monitoring. Monitoring in DevOps focuses on optimizing performance and automating the development lifecycle. In the security world, monitoring means collecting and analyzing information to detect potential software vulnerabilities, anomalous behavior, unauthorized system changes and other red flags. In combining DevOps and security, monitoring and remediation of security flaws take place throughout the development lifecycle, with security tools tightly integrated into the process from the beginning. As with DevOps, automation is essential to effective monitoring, for example, by employing code analysis tools during the development process, running automated attacks against software as it's being developed and continually testing the pipeline for weaknesses.

Metrics. This is another term that can make it seem like DevOps and security teams are speaking different languages. In DevOps, the term metrics applies to attributes such as deployment time and frequency, availability, error rates, and application performance.

In security, the term has a different definition. Security metrics measure compliance with regulations and a program's stated goals, how many known vulnerabilities can be eliminated, the time between the release of a patch and its implementation, whether web servers have been properly configured, and the rate of encryption use. Introducing security into the DevOps process means that metrics must apply to both sets of criteria from that point forward.

Outcomes. A collaborative view of DevOps and security, including factors such as risk, monitoring and metrics, will lead to a shared view of outcomes. In addition to the speed of development and delivery, security and compliance will need to be included as part of the desired outcome.

Combining DevOps and security just makes sense

DevOps, by definition, already involves a lot of collaboration from different teams. Bringing security into the fold at the beginning of development will help produce reliable software quickly, but also securely. DevOps teams can't do it on their own; they need to involve security pros in the process. Some forward-looking teams are doing that now, incorporating compliance and regulations into development from the start.

Considering the interconnected nature of systems and their impact on every aspect of an organization, that approach needs to become standard industry practice. Software development isn't just about having good coding practices anymore. It's about having a business mindset where development and security are completely intertwined.

About the author
Altaz Valani is the research director at Security Compass, responsible for managing the overall research vision and team. Prior to joining Security Compass, Altaz was a senior research director at Info-Tech Research Group providing CIOs, IT managers, directors and senior managers with trusted advice and analysis around application development -- including Agile, cloud, mobile and the overall SDLC. Other past roles include senior manager at KPMG and various positions where he worked side by side with senior-level stakeholders to drive business value through software development.
