Unless you’ve been living under a rock (or don’t work in the tech industry), you’ve probably heard the term DevOps thrown around. A mashup of “development” and “operations,” DevOps is a mindset and set of practices that focus on collaboration and communication between software developers and other IT professionals with the goal of automating both software delivery and infrastructure changes.
The four major tenets of DevOps are culture, automation, measurement, and sharing (often abbreviated CAMS).
As this culture has proven successful and spread throughout many industries, people have tried to bring other parts of the technical organization into the same DevOps workflows that are working so well for them. Security teams, in many ways, have been the laggards, and have yet to really join the DevOps conversation. Luckily, in recent years, much more focus has been placed on the security side.
Integrating security operations into your existing DevOps workflows means both applying DevOps principles to security and incorporating security into the development and operational processes. It’s how we operate at Threat Stack, and we believe it’s how all security teams should operate if they want to achieve maximum efficiency and effectiveness.
But why, you ask?
Key Benefits of a DevOps Culture
(as applied to development, operations, and security)
| Benefits of DevOps | Benefits of security-enabled DevOps |
|---|---|
| Shorter time-to-market for software | Security doesn't slow down time-to-market |
| Improved customer satisfaction | Improved customer security and peace of mind |
| Better product quality | Security baked into a high-quality product |
| More reliable releases | Security woven into every release |
| Improved productivity and efficiency | Security doesn't hamper productivity or efficiency |
| Increased ability to build the right product through quick iteration | Increased ability to build the right security functions into every product iteration |
Why DevOps Practices Are Good for Security
DevOps achieves the benefits listed above by increasing the speed of feedback loops inside development and operations teams.
The problem with a DevOps culture that doesn’t have security built in is that security teams often wind up frustrated when vulnerabilities are not caught before reaching production. At the end of the day, it doesn’t matter how fast feedback loops or continuous delivery cycles are if you’re releasing products that are riddled with vulnerabilities. You may even find yourself backtracking to fix security issues, taking up more time than DevOps practices save.
So it naturally follows that security needs to be involved in the development process from the beginning. Otherwise it will get left behind. Development and operations teams can’t (and won’t) slow down to accommodate security teams, so it’s up to security teams to insert themselves into the conversation early on.
By integrating security with the continuous integration (CI) and continuous deployment (CD) pipelines, the security team is able to participate in rapid feedback loops in order to identify and fix problems before they become an issue in production.
How to Build a DevOps Culture for Security
So how, exactly, do you go about integrating security into the DevOps process? The good news is that you don’t need to make major changes to your development methods or cycles. The most important thing is to get security using the same tools and processes that your Dev and Ops teams are already using, from Kanban boards and scrums, to Configuration Management and Continuous Integration systems.
For example, security teams should integrate source code scanning and system-level vulnerability management into the application and system build process, so that a finding fails the build the same way a failing unit test does. This way, they can deal with security issues as they are introduced and keep pace with the rest of the organization.
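As an added illustration of that build-time gate (example code written for this page, not Threat Stack's code, and not tied to any particular scanner's output format), here is a small Python policy check of the kind a CI stage would run over a scanner's results. It assumes a generic JSON list of findings that each carry an `id` and a `severity`, plus a second JSON list of documented exceptions with an owner, a reason, and an expiry date; both inputs below are constructed samples with hypothetical ids, file names, and package names.

```python
"""Added example: a CI build gate over scanner findings.

Fails the build on any finding at or above a severity threshold unless an
unexpired, fully documented exception covers it. The JSON shapes here are
assumptions for the example, not any real scanner's format.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings (hypothetical ids, paths and package names).
SAMPLE_FINDINGS = json.dumps([
    {"id": "SAST-0001", "severity": "high", "location": "app/views.py:42",
     "title": "SQL query built by string concatenation"},
    {"id": "DEP-0002", "severity": "critical", "location": "examplelib==1.2.3",
     "title": "dependency with a known vulnerability"},
    {"id": "SAST-0003", "severity": "low", "location": "app/util.py:7",
     "title": "hard-coded temporary path"},
    {"id": "CFG-0004", "severity": "unknown", "location": "deploy/role.json",
     "title": "scanner could not classify this rule"},
])

# Constructed exception list: an accepted risk must name an owner, a reason
# and an expiry date, so waivers get reviewed instead of living forever.
SAMPLE_EXCEPTIONS = json.dumps([
    {"id": "DEP-0002", "owner": "appsec", "expires": "2030-06-30",
     "reason": "vulnerable code path not reachable; upgrade scheduled"},
])


def severity_rank(severity):
    """Rank a severity label. Anything unrecognised ranks as critical so that
    a scanner format change or a new label fails the gate closed, not open."""
    return SEVERITY_RANK.get(str(severity).lower(), SEVERITY_RANK["critical"])


def active_exceptions(exceptions_json, today):
    """Return the ids of exceptions that are complete and not yet expired."""
    active = set()
    for entry in json.loads(exceptions_json):
        if not all(k in entry for k in ("id", "owner", "reason", "expires")):
            continue  # an undocumented waiver does not count
        if date.fromisoformat(entry["expires"]) >= today:
            active.add(entry["id"])
    return active


def evaluate_gate(findings_json, exceptions_json, threshold="high", today=None):
    """Sort findings into blocking / waived / informational and decide
    whether the build may proceed."""
    today = today or date.today()
    waived_ids = active_exceptions(exceptions_json, today)
    cutoff = severity_rank(threshold)
    result = {"blocking": [], "waived": [], "informational": []}
    for finding in json.loads(findings_json):
        if severity_rank(finding["severity"]) < cutoff:
            result["informational"].append(finding["id"])
        elif finding["id"] in waived_ids:
            result["waived"].append(finding["id"])
        else:
            result["blocking"].append(finding["id"])
    result["passed"] = not result["blocking"]
    return result


def main():
    # In a pipeline the scanner output and the exception file would be read
    # from disk; here the constructed samples stand in for both.
    verdict = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS)
    for bucket in ("blocking", "waived", "informational"):
        print(f"{bucket:14s} {', '.join(verdict[bucket]) or '-'}")
    # A non-zero exit status is what makes the CI stage, and the build, fail.
    sys.exit(0 if verdict["passed"] else 1)


if __name__ == "__main__":
    main()
```

A CI stage (Jenkins or otherwise) runs the scanner, hands its output to a check like this, and lets the non-zero exit fail the build; the two design choices worth copying are that an unknown severity blocks rather than slips through, and that a waiver without an owner, a reason, and an expiry date is ignored, so accepted risks come back for review instead of accumulating silently.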
Here’s how it works at Threat Stack:
| Tenet | How it works at Threat Stack |
|---|---|
| Culture | All teams, not just security practitioners, participate in and own various security processes. |
| Automation | Security scanning and compliance checks are built into the same automation tools we already use (Chef, Jenkins, etc.). |
| Measurement | Our own Cloud Security Platform protects our systems: it continuously scans for vulnerabilities and alerts on anomalous activity, and we track those results over time to measure how we are doing. |
| Sharing | Developers are given broader access to the systems they write code for, and work closely with operations team members to understand how those systems will be supported in production. |
The Difference a Security-Enabled DevOps Culture Can Make
With security left out of your DevOps culture, you have two possible outcomes: either security slows down development cycles (unlikely to be allowed), or releases happen without security oversight. The latter, and more common, outcome leaves you open to security vulnerabilities, attacks, and reputation damage. Not a risk worth taking, in our opinion.
In today’s culture of continuous release, it’s not just good to move fast, it’s essential if you want to stay competitive. But you can’t move fast and sacrifice security. The good news is that having a security-minded organization makes it possible to release high-quality software on a continuous basis while ensuring that it is safe and ready for prime time, every time.