Locks aligned with bolt

5 ways to align security with your DevOps strategy

In 2016, DevOps reached a tipping point. Half of all organizations surveyed indicated that they are actively using it as a model for releasing and maintaining custom applications, according to the Gartner Research note DevSecOps: How to Seamlessly Integrate Security Into DevOps, September, 2016. Yet, about 80 percent of those organizations surveyed expressed concerns that information security policies and teams are preventing them from achieving the level of agility that DevOps promises.

Development, operations and security all want to see the business succeed, but they look at success—or more specifically, the metrics of success—from different perspectives. In our hyper-competitive world of digital business transformation, software is disrupting entire industries. Consider what Uber is doing to the taxi business, for example. Increasingly, the measure of success that matters is survival, which requires keeping pace with the business demands for innovation without introducing unnecessary risk.

Security teams, in some cases, are justifiably suspicious of DevOps. Can automated testing really make code more secure? Is the DevOps culture of failing fast compatible with good governance?

Rather than wait for security and compliance to find ways to support DevOps, the DevOps team should make the case that integrating automated security and regulatory controls into DevOps processes is in the best interest of the organization as a whole. In DevOps terms, here are five ways that organizations can incorporate the “shift left” of security.

What is the true state of security in DevOps?

If security is a bottleneck, expect to be avoided

There is no value in a DevOps program that does not increase release velocity. A core tenet of DevOps is to look for constraints that cause the backup of work in progress – security can expect to receive the spotlight as a result.

Traditional waterfall-style approaches of build it, test it, hand it over to the security team, and test it again are inefficient when compared to the continuous integration (CI) and continuous delivery (CD) approaches of DevOps.

Many DevOps initiatives have reduced delivery cycle time, but security practices and policies are becoming the bottleneck to rapid production delivery, much in the way that overblown release management practices were four orfive years ago.

If security resists participating in the DevOps program, the temptation to circumvent security testing and policy reviews will become overwhelming.

Automated testing is the backbone of DevOps—use it to security’s advantage

Testing custom code for vulnerabilities traditionally takes place after development is complete. But if thousands of checks take a week to run, you’re breaking CI/CD in DevOps. Instead, apply a small-batch testing philosophy to security testing, using as much automation of application security testing (AST) tools as possible.

The goal should be to deliver more secure code at the speed of business, rather than to patch or replace code reactively based on manual reviews or in response to breaches. In this way you can  avoid wasteful rework, which contributes to the business falling behind competitors.

While no automated testing is perfect, AST can look for known vulnerabilities, policy violations such as the use of prohibited libraries, and certificates that expose private keys, as examples. This contributes to more secure code before it is released.

A DevOps collaboration culture can make security more pervasive

Collaboration is a key part of DevOps culture. Developers and operations are closely connected, but there is room for security too. Security professionals should consider providing checklists for developers as they integrate their code. Provide training on policies to developers and operations staff, including explanations as to why those policies are in place.

Offer best practices to developing secure code that help to prevent typical attacks such as SQL injection, cross-site scripting, and buffer overflows. Help operations teams keep current with secure configurations for infrastructure, be it container-based, cloud, virtual or physical.

In return, security must embrace DevOps cultureas well. Keep in focus the goal of providing the business with agility as it relates to software. Practically, this results in activities such as blameless postmortems, where the goal is not to cast blame but to prevent recurring problems. It means organizing work through the use of Kanban boards, and leveraging lean manufacturing principles to drive efficiency. Study these techniques to participate more fully in DevOps, and find ways to embed security in them.

When vulnerabilities and violations are found, address them faster

The automation built into the DevOps platform makes code changes traceable, which can reduce the time required to find the source of a previously unknown vulnerability, thereby reducing exposure time and risk. Also, the smaller the batch size, the easier it is to trace.

From an operations perspective, using an infrastructure as code approach for provisioning operating systems, LDAP, and packages in code form makes the environment more reproducible and traceable. And you can share operational monitoring, used as a feedback loop for development, to provide feedback to security on unusual activity.

DevOps reduces the workload of compliance

Automation not only provides value by increasing the release velocity of business-enabling IT services, but also enforces the consistency of processes to reduce configuration mistakes, which can lead to vulnerabilities and compliance violations.

DevOps is based on auditable processes. These create a platform that you can test, allowing your organization to demonstrate to an auditor that the outcome is predictable. An auditor can trust the artifacts produced by the automation used in DevOps, while segregation of duties and access controls, including identity and access management, and privileged access management, can be built into the platform. This results in reduced workload to demonstrate that you are working according to your own policies and controls.

DevSecOps: The future of DevOps?

Perhaps the future of DevOps includes a name change to “DevSecOps,” or some derivation thereof. Regardless of what you call it, however, DevOps needs the support and participation of security and compliance to accomplish its goal of accelerating releases if it is to meet the needs of hypercompetitive business environments. Security, similarly, must take advantage of what DevOps can provide to support a more efficient security program.

What is the true state of security in DevOps?

Image credit: Flickr

Topics: DevOpsIT Ops