While the technologies, processes, and cultural shifts of DevOps have improved the ability of software teams to deliver reliable work rapidly and effectively, security has not been a focal point in the transformation of cloud IT infrastructure.
SecOps is a methodology that seeks to address this by operationalizing and hardening security throughout the software lifecycle.
Unfortunately, there seems to be a disconnect between what organizations want when it comes to security, and what they’re actually able to put into practice. In Threat Stack’s recent report, Bridging the Gap Between SecOps Intent and Reality, we found that 85% of organizations believe bridging the gap and employing SecOps best practices is an important goal. Yet just 35% say that SecOps is a completely or mostly established practice at their organizations, and 18% say it’s not established at all.
In this post, we’ll discuss a number of facets of SecOps — what it is, it’s goals, how it benefits organizations, best practices for implementing a SecOps program, to name a few — with the aim of giving you some helpful background and, perhaps, some of the motivation you need to get a SecOps program established in your organization.
Goals of SecOps
At the highest level, the goals of a SecOps program are to:
- Ensure management’s buy-in and commitment to a realistic roadmap for iterating and improving security throughout an organization
- Establish cross-team collaboration with security built into the software development lifecycle
- Create increased visibility into the security of the infrastructure and, ultimately, create a stronger security posture
Definition of SecOps
SecOps is a methodology that aims to automate crucial security tasks, with the goal of developing more secure applications. The emergence of SecOps is driven in part by the transformation of enterprise infrastructure and IT delivery models as more enterprises are taking advantage of cost-effective cloud computing models and the speed and agility benefits that are gained through the cloud.
SecOps is the practice of fostering a culture where security concerns neither start nor end with the Security team. While a company that shares plaintext passwords will not be using centralized access controls overnight, the process of becoming a SecOps-oriented team begins with making sure the Security team is not siloed and that security concerns are not an afterthought.
SecOps is a software development philosophy and development system. This system is much like the software development system known as DevOps. To understand the development side of SecOps, you first need to understand DevOps. DevOps is the next generation of what is known as the Agile software development method. Over the past decade, “Agile” has been used to manage the acceleration of software versioning and improve the output of many programming teams.
While SecOps shares many of the development practices of both DevOps and Agile, it has an increased focus on security for all involved in the software creation process. This method incorporates greater collaboration between programmers, designers, and those responsible for security to consider threats that could affect users and software during the entire development cycle.
Benefits of SecOps in Development
A recent study performed by Enterprise Management Associates (EMA), identified three major benefits that come from incorporating SecOps into the development process.
3 Benefits of SecOps Noted by the Study
- Return on Investment: The number one benefit is the ROI when compared with previous security measures.
- Improved Productivity: With security procedures folded into the entire development process, operations were found to be more productive as a whole.
- Reduced Resources: The improved performance provided a better usage of cloud storage and services, reducing or better-using the resources.
Other Common Reasons for Implementing SecOps
- Fewer Cloud Security Issues: SecOps operations take measures to improve the security of cloud platforms and lessen the risk of issues and threats related to these platforms.
- Fewer App Disruptions: Better security implementations will likely translate into fewer issues with the application being developed. Less downtime means a better user experience and development environment.
- Better Auditing Procedures: In Agile and other development methods, security checks would occur toward the end of the development process. SecOps provides for more thoughtful, smoother evaluations.
Key Roles of a SecOps Team
The most critical difference between SecOps and other programming philosophies (e.g., Agile, DevOps) is that every member of the development cycle is aware of and responsible for security. Security operations are “baked in,” as one source puts it, to the entire culture of an organization. For example, a sales rep may report a suspicious email, or a support engineer might notice a SQL injection attempt.
Those most affected by a switch to SecOps methods will be those heavily involved in development and security. Programmers and security personnel will shift from working largely independently, to collaborating quite closely with other team members at all stages of development. Distributing the responsibilities of security allows Security teams to scale. Everyone in the company should have a basic understanding of how their work impacts security. However, everyone with any role (large or small) in software development should be included in SecOps.
Basic Components of SecOps
In addition to the development procedures most teams are accustomed to, certain augmentations will be added to the process.
Some of these changes include:
- Earlier Analysis: In many organizations, large batches of coding or entire programs are checked for security issues. In SecOps, smaller code segments are routinely checked.
- Increased Transparency: The three components of SecOps (development, security, and operations) are closely tied together with increased collaboration and greater transparency.
- Security Improvements: While DevOps provides incremental improvements to development, SecOps also should steadily improve security alongside programming and operational aspects.
- Threat Awareness: Security teams are well aware of threats, while the rest of the team will likely be less familiar. Training will be required to ensure that everyone shares the same level of understanding.
Best Practices for Implementing SecOps in Your Organization
Shifting team culture from Agile or DevOps to include security measures makes sense but could slow the development process at first. Programmers are used to working quickly to “ship” new features and versions of software. Security is usually not baked into the process and is typically more reactive in nature (only being considered when there is an issue).
Here are several best practices to keep in mind when incorporating SecOps into your methodology.
Provide SecOps Training
Some organizations may opt to develop their own SecOps training and procedures. Others may choose to use established frameworks and training resources. Third-party courses are readily available and can be used to quickly implement the training process.
Avoid Potential Pitfalls
One of the benefits of SecOps is the improved teamwork between all parties involved in software production. Where Security teams and Developer teams would once disagree on how code gets to production, having closer cross-team collaboration will mitigate this issue.
Provide Proper SecOps Tools
In addition to popular development tools (e.g., GitHub, AWS), certain security tools can help you implement SecOps into your system while maintaining speed. Automation platforms can manage many of the security procedures and pair perfectly with a well-documented SecOps process.
Final Words . . .
As enterprises and SMBs alike continue to leverage cost-effective solutions for developing secure applications in less time, SecOps is becoming a prominent philosophy and practice across organizations of all sizes. By implementing SecOps, companies can reap a multitude of benefits stemming from the integration of operations, security, and development functions and the alignment of their goals, including more efficient operations, reduced resource utilization, fewer cloud and app security issues and disruptions, and more.
SecOps Playbook for Cloud Infrastructure
Part 1: Defining SecOps and Goals for Your Security & Ops Teams