While organizations continue to adopt, expand, and perfect their DevOps game, security has become an urgent issue. Malicious attacks on application layers are on the rise, and it seems like almost every day brings news of yet another data breach at an organization. Enterprises are coming to realize that while DevOps tools and processes help them stay innovative within tight release timelines, the risks of slack security remain real, immediate, and extremely costly. This puts DevOps outfits under pressure to implement stronger and smarter security measures and adopt a set of secure DevOps practices.
Like much of the history of software, security was a bit of an afterthought that ended up getting sandwiched in later in the process. In the haste to run faster and embrace the speed that DevOps offered to reach deployment sooner, the idea of security was pushed to the side. However, in light of numerous breaches in recent years, and the realization that security has to be an integral part of the DevOps pipeline, where testing is done, we are finally starting to see it implemented across the software development industry.
Often shortened to DevSecOps, DevOps security looks to integrate security into the DevOps pipeline using the DevOps principle of testing early and often, sending feedback in shorter cycles to help catch issues at every stage of the pipeline.
On a very practical level, the earlier a vulnerability is detected in the code, the easier and cheaper it is to fix. The more baked-in a vulnerability is, the more code is written on top of it, so remediating it later becomes a lot harder: it impacts more parts of the product, all of which have to be reworked.
Despite the recent acceptance that secure DevOps is the right way forward, this was not always the case.
Secure DevOps is a relatively new approach, and up until recently, not many people thought it was a good fit. Even security experts point out that incorporating security people into the DevOps cycle can be challenging.
Security expert Michele Chubirka says in her blog that, “While many security people have a good understanding of how to find application vulnerabilities and exploit them, they often don’t understand how software development teams work, especially in Agile/DevOps organizations. This leads to inefficiencies and a flawed program.”
This led to a situation where the security team was essentially out of the DevOps picture, unable to have a real impact on the final product in an efficient manner.
Over the past few years, more and more enterprises and organizations have been making a concerted effort to shift security practices left and implement security throughout the DevOps cycle, while ensuring that it doesn’t impede time to market.
According to recent DigiCert research, organizations are already invested in secure DevOps. The results show that 49% of the organizations surveyed said they are in the process of integrating security with DevOps, and another 49% said they have already completed their DevOps security integration.
Change is never easy for an organization, and managing a secure DevOps cycle is quite a transition on many levels. Teams and experts need to adjust themselves to a new organizational structure, new processes need to be adopted, new skills need to be developed, and new tools need to be integrated. As companies continue to adopt a secure DevOps approach, they should be aware of the common challenges management teams face as they set out on this journey.
Here are a few barriers organizations face on the road to ensuring an efficient and innovative secure DevOps cycle:
Adopting a secure DevOps approach requires teams and experts that aren’t used to working together to cooperate, creating and maintaining a development lifecycle that delivers quickly and securely.
This requires all players (we’re looking at you developers, operations, and security professionals) to respect the expertise that their counterparts bring to the table, and learn how to work together to ensure the process and end product are up to everyone’s standards.
It’s up to all stakeholders in the organization to ensure this transition succeeds because when it does, the sum of the secure DevOps cycle will prove greater than its individual parts.
It’s hard to build a strong and secure DevOps outfit without the expertise to support it.
As organizations are learning that security requires just as much expert manpower as infrastructure and quality, the cybersecurity skills gap is becoming a real issue. Some experts predict that by 2019, there will be a shortage of 2 million cybersecurity professionals.
How can you make sure that your DevOps teams are proficient in security?
IBM Security General Manager Marc van Zadelhoff recommends “[Creating security] roles that prioritize skills, knowledge, and willingness to learn over degrees and the career fields that gave people their initial work experience.” Van Zadelhoff says many of IBM’s successful new hires “were curious about security and motivated to learn the skills.”
If organizations innovate their approach to hiring security personnel, they will most probably gain ambitious, motivated professionals that are willing to roll up their sleeves and think out of the box.
Speaking of thinking outside the box: old-school, waterfall security practices typically began very late in the product lifecycle. This approach is at odds with the agile secure DevOps process. If organizations really want to embed security throughout their DevOps cycle, application security tools are required.
Using continuous automation tools throughout integration and deployment will help boost security, quality, and compliance. Organizations need to seriously address the fact that today most of their code is open source and third-party, and insist on good code hygiene from the start of development and throughout the DevOps cycle.
Integrating technologies like Software Composition Analysis tools early in their processes will help DevOps teams ensure that the products they deliver are as secure and risk-free as possible.
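To make the "test early and often" idea concrete, here is a minimal dependency-audit gate of the kind a CI job would run on every commit. It is an added illustration, not code from the original post or from any particular SCA product: it parses a pinned requirements manifest, compares each pin against an advisory list, and returns a non-zero exit code so the pipeline fails before the vulnerable dependency reaches a later stage. The package names, versions, and advisories below are constructed placeholders, not real advisories.

```python
"""Minimal dependency-audit gate for a CI pipeline (illustrative example).

Parses a requirements.txt-style manifest, checks each exact pin against a
constructed advisory list, and reports findings so the build can fail early.
All package names, versions and advisories here are constructed placeholders.
"""
from dataclasses import dataclass
import re
import sys


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    summary: str


# Constructed sample advisories (placeholders, not real vulnerabilities).
ADVISORIES = [
    Advisory("examplelib", "1.0.0", "1.4.2", "placeholder: deserialization flaw"),
    Advisory("otherpkg", "0.0.0", "2.1.0", "placeholder: path traversal"),
]

# Constructed sample manifest, as a CI job would read it from the repository.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies
examplelib==1.3.0
otherpkg==2.1.0
safepkg==0.9.1  # trailing comment
"""


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text):
    """Return {name: version} for lines of the form name==version.

    Comments and blank lines are ignored. Unpinned lines are skipped here;
    a stricter gate would treat any unpinned dependency as a failure.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def affected(advisory, version):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def audit(text, advisories=ADVISORIES):
    """Return a list of (package, version, summary) for every affected pin."""
    pins = parse_requirements(text)
    findings = []
    for adv in advisories:
        version = pins.get(adv.package)
        if version is not None and affected(adv, version):
            findings.append((adv.package, version, adv.summary))
    return findings


def gate(text, advisories=ADVISORIES):
    """CI exit code: 0 when the manifest is clean, 1 when any pin is affected."""
    findings = audit(text, advisories)
    for package, version, summary in findings:
        print(f"FAIL {package}=={version}: {summary}")
    return 1 if findings else 0


if __name__ == "__main__":
    # In a real pipeline the manifest would be read from the checked-out repo.
    sys.exit(gate(SAMPLE_REQUIREMENTS))
```

The design choice worth noting is the exclusive upper bound on `fixed`: `otherpkg==2.1.0` is exactly the fixed release and therefore passes, while `examplelib==1.3.0` falls inside the affected range and fails the build. Wiring such a check into the integration stage is what lets a vulnerable dependency be caught while it is still one line in a manifest rather than a foundation the rest of the product has been built on.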
Organizations no longer need to choose between security, innovation, and speed. The secure DevOps approach allows them to have their cake and eat it, too. They just need to remember the basic ingredients of automation, innovation, and cooperation.