The adoption of DevOps in enterprises around the world has created a whole new meaning to constant, rapid innovation and delivery. Iteration after iteration, DevOps is designed to improve the end product endlessly, pushing the limits of speed and collaboration. Don’t sacrifice security while achieving speed – embrace DevSecOps.
This emerging model of software development has created both a gap and an opportunity where security is concerned. With speed as the driving force of the DevOps movement, the perceived or actual extra time needed for security testing and remediating high-risk findings has caused security to be put on the backburner in the most important organizational change in decades. A lack of security awareness from the board to the development, QA and operations teams mean that security isn’t taken seriously at any level of the organization.
At the same time, DevOps processes create high-risk environments with endless code pushes and last minute fixes that bypass any security testing. At best, certain security tools or processes are accidentally ignored or shelved. At worst, they’re being skipped over at the request of development managers – it could even be embedded in the company culture.
Think about it this way: You wouldn’t build a high-speed roller coaster without safety harnesses just because it would take too much time to build them correctly. You may have just built the fastest rollercoaster in the world – but the first person to fall off would be the end of your amusement park. In a sense, that’s where we are today. But how do we go about fixing it?
DevSecOps as a Business Priority
So, in the face of being removed completely from the software development lifecycle, or SDLC, the DevOps revolution has created an opportunity for security to be truly integrated into the SDLC, once and for all. Secure DevOps does exist and, while there are a multitude of names, from SecDevOps to Rugged DevOps, we like to call it: DevSecOps.
“The purpose and intent of DevSecOps”, as DevSecOps advocate Shannon Lietz puts it here, “is to build on the mindset that ‘everyone is responsible for security’ with the goal of safely distributing security decisions at speed and scale to those who hold the highest level of context without sacrificing the safety required.”
Changing the way security is integrated and how it supports the DevOps ecosystem may be a challenge – but it’s a change well-worth making. Their success hinges on having solved the two main barriers to security in DevOps: Lack of security awareness throughout the organization, and a lack of effective security automation throughout the SDLC. Without addressing these two issues, security will continue to remain a silo – and be ignored.
Creating a Culture of Speed AND Security Awareness
The need for speed and constant innovation is an order that normally comes from the top down, with the adoption and promotion of the DevOps culture coming from management. In order to shift from DevOps to DevSecOps, you’ll need commitment throughout the organization. Step one: Get your executives on board.
Promoting Security Awareness on the Board
Executives are usually keen to avoid reputational damage and liabilities, so making sure the board is up to date on the latest security and data breaches and how those companies were negatively affected is a strong case to helping executives get on board with a shift from DevOps to DevSecOps. If the burden of not correctly securing DevOps environments isn’t fully understood by the board, it’s impossible to expect the organizational structure to change.
It’s also important to clarify that organizations that embrace the security team within their DevOps processes are not only able to keep up with the DevOps demand – they’re often seen as companies to look up to. Offering success stories (and financial reports) from DevSecOps companies like Netflix and Etsy can make huge strides for getting the board on board.
Promoting Security Awareness within DevOps teams
Security awareness on the development, QA, and operations teams ideally should start on their first days on the job. Ideally you’ll have a security onboarding procedure for new employees that cover secure coding tutorials and your company security tools, policies and procedures.
For veterans whose first day on the job was long ago (and likely didn’t involve security training), a different approach can be taken. This is where the idea of Application Security Champions can help make the cultural shift within DevOps teams. Pinpoint those developers who show an extra interest in security and have influence over their peers and “recruit” them to help spread word of the importance of security’s involvement in their work. Bring them to OWASP and secure coding meetups, use your newly required support of the board to encourage developers to offer monetary or other prizes to high-security performers, and most importantly – make security accessible, and wherever possible, fun for them.
Read more: Why You Need an AppSec Champion on Your Side
Automating Security Testing Throughout the SDLC
Automating security in alignment with the DevOps SDLC is the second crucial piece to the DevSecOps puzzle. In DevOps, automation is used to cut down on error and speed up repetitive processes in order to use actual brainpower on more important tasks. Why should security be different? By enabling developers to test their own code for security issues that would allow them to get instant results and remediate the issues on the spot, everyone wins. Source Code Analysis, when embedded into the Development and QA ecosystems, is a core component of the move to DevSecOps.
To successfully automate security testing in your organization, it’s important to take the time to first understand how DevOps processes currently work, and where security can be easily automated and integrated within those processes. Furthermore, by keeping security as simple as possible and automating vulnerability reporting, you make it impossible for the DevOps teams to skip over security.
Watch: Software Security & Early Prevention of Vulnerable Code webinar with Troy Hunt
DevOps as a movement is still in its infancy, and AppSec practitioners still have an opportunity to make DevSecOps a reality before it’s too late. Start small, start sloppy – just start the shift towards DevSecOps. There is a place for security in DevOps, you just have to help make it happen!