With organizational culture – and along with it processes and technology – evolving at a pace we’ve never experienced before, we can’t sit back and wait for the “DevOps fad” to fade away. It’s not a fad, it’s an evolved way of software development. And security cannot be the elephant in the room, the team everyone avoids because it just gets too complicated. Security must evolve, as well. We must become SecDevOps.
Many organizations are now routinely pushing out tens if not hundreds of releases and updates on a daily basis. If there’s ever been a wake-up call for the security industry to change their outdated ways – DevOps is it.
And, believe it or not, DevOps actually needs security as well. Your team’s’ expertise and knowledge of the security and compliance issues that need to be addressed in every application makes you a valuable piece of the puzzle.
With help and guidance from the security team, your organization can push secure releases on the first try – and save lots of money and time along the way. DevOps can actually be a positive cultural change that security can embrace – if you’re willing to accommodate the cultural and technological changes that are needed on your part.
Many a security expert has feared the DevOps revolution knocking on their organization’s door. As Andrew Storms (@st0rmz) put it in a DevOps.com interview, “People see that the organization has brought together the developer and the operations team and they fear that everything will become the Wild West. They think that they’ve lost control of a situation that they barely had control over to begin with.”
Fear not. Here’s why DevOps can end up being a major benefit to security.
DevOps Builds a Culture of Collaboration and Breaks Silos
Julie Tsai, Walmart’s director of engineering in information security said it best: “In order for infosec and agile to be effective in an organization, you can’t have it locked up with a few people or a few departments that are narrowly looking at their portfolio of work.”
One of the main goals of DevOps is to create a culture that values collaboration and finding ways to make the work better for all the teams involved. That offers a fantastic opportunity for security to become a team effort, and for the security team to become team players.
Bridging the gap has been a continuous struggle for the security community – and DevOps can be the catalyst for a real change. Developers have always struggled with writing secure code, and many a security tool has been thrown aside because the development team was never properly instructed on how to use it.
With DevOps, the silos come down, and that means security can be better integrated, more automated, and therefore easier for the rest of the development to understand and use. This also offers the operations teams better insight into the security health of your applications, so they can alert you if something pops up while simultaneously attempting to stop attacks.
Feedback loops among all three teams are also tighter, giving developers more immediate feedback on the security issues found in their code. Security will start to be seen as another quality check.
When security teams stop acting like the law and instead be a guiding light that saves energy and time along the way, organizations can start seeing the benefits of the security practices implemented – and security will start seeing DevOps in a whole new light.
DevOps Helps Align Security with the Rest of the Business
With the culture shift that takes place in DevOps organizations comes another benefit for the security team – aligning themselves with the rest of the business. With integrated security testing creating the ability to catch issues much earlier in the SDLC, security budgets are driven down and refocused to earlier security processes. At the moment, as a DevOps.com article reported, organizations spend only $.5 billion collectively on software security, while they spend $20 billion on network security, $10 billion on host security and $5 billion on data security.
More importantly, though, both the risk of a breach is lowered, as well as the time for breach discovery. The policies and procedures you put in place to detect recurring, critical issues, making decisions based on risk is made much easier. To put it in numbers, Ponemon’s latest Cost of a Data Breach report found that breaches cost U.S. companies an average of $6.53 million and that the average time to detect a malicious breach was 256 days. When SecDevOps is done right, those risks will be significantly lowered. And the board understands risk.
Security can enable other areas of the business as well, fueled by the DevOps culture. Consistency and speed only go so far in developing software without taking security into consideration, as well. But when the security team is better integrated into the development culture, it’s easier to secure new developments and innovations from the start.
Enabling innovation with security considerations already included in the plans will both help the business and help establish your team as a valuable cornerstone of software development.
Related: 10 Steps to Secure Agile Development
DevOps Makes Automation a Priority
The driver behind DevOps is to create a streamlined, simple approach to software development where whatever can be automated is – and is yet again another wonderful opportunity for security to be better implemented and more easily monitored by all the stakeholders. As Julie Tsai said in another presentation, automation is “the key to letting in different groups where maybe they don’t traditionally have access.”
Working with your fellow operations managers and development team leaders to develop automated processes that include checking security functions and policies, especially on the security-sensitive areas of code you’ve mapped, along with identifying insecure components and regulatory issues and building secure VMs to work in, offers a whole new level of involvement that security just hasn’t been afforded before. Using static code analysis, you can ensure that only code that passes certain security, regulatory and compliance standards will be used.
As Josh Corman has said, “the only way that security scales is when you make the easy thing the safe thing.” Make that your mantra as your work with the Dev and Ops team during your regular meetings.
DevOps Makes Security Everyone’s Responsibility
One of the most challenging yet rewarding effects of an organization shifting to a DevOps environment is the idea that security is now touched on by everyone in the SDLC. It can be scary to hand over your security duties to other teams, but doing so can lift such a burden off your team – and free up your team to tend to more pressing security matters.
As your organization continues to crank up the amount of code it ships on a daily basis, you wouldn’t be able to keep up a strategy of pen-testing or manually reviewing every line – it’s just not physically or financially possible. By integrating security testing starting at the beginning of development, you’re shifting security to the left and releasing lots of the pressure that’s been historically placed on the security team to ensure releases aren’t stalled by late-stage SDLC testing.
Gene Kim (@RealGeneKim), a DevOps pioneer and one of the leading voices on how security can be successful in DevOps environments, agrees with the idea of having security testing running alongside other quality tests. “Developers own the responsibilities of building and running the test,” Gene said at last year’s RSA. “It’s happening after every code commit, and these are exactly same sort of behaviors and cultural norms that we want in information security. After all, security is just another aspect of quality.”
Take the opportunity DevOps provides and use it to help show the importance of security to your fellow dev and ops teams. Choose security champions among the developers who show interest in security and take them to OWASP meetings. Hold CTFs and more casual security trainings to show the fun side of security – while they tune their skills at the same time. Have an open-door policy, where developers and operations can ask questions they have about security and offer their valuable feedback on how they use the security tools and integrations in their day-to-day work.
More on SecDevOps: