Security: a Missing Ingredient in Many DevOps Implementations

The expanded, technology-driven opportunities in today’s digital economy comes with unprecedented competitive pressures to innovate swiftly and with precise execution – pressures that figure to intensify as continuous iterating in response to customer preferences becomes an even more deeply ingrained expectation. Many organizations are adopting or considering DevOps as a way to deliver innovations more quickly.

But factor in the increasingly challenging security landscape, and it is not enough for organizations to embrace and deploy DevOps. The most successful organizations of the future will make DevSecOps a cornerstone of their business operations.

DevOps is driven by moving fast and in smaller pieces. It provides organizations with a tremendous array of realized benefits, including improvements in code quality, cooperation among stakeholders, development processes and, ultimately, dramatically enhanced business velocity.

Essentially, the idea is to remove the human component from builds, delivery and deployment – as it turns out, we’re pretty error-prone! Most promising is the ability to automate everything, deploying new builds with confidence while providing the necessary artifacts so that the audit function is convinced all was done properly. 

So, with so many benefits, why is DevOps not more commonplace? The biggest obstacle is organizational culture. DevOps represents a major cultural change. Organizations are generally used to working in siloes: a QA silo, an audit silo, a product management silo, a security silo, a development silo, and so on. These functions are accustomed to adding their piece and throwing their work over the fence to the next group. That doesn’t work with DevOps, which requires the collaboration of a cross-functional team.

Oftentimes, the group that is fastest to want to move toward DevOps is development itself. In many cases, development is well down that road and not waiting for others to catch up. This opens up the danger of software being deployed that has not integrated the needed security principles because the security team is looped in late in the process.

While most organizations still operate the old-fashioned way, there are pockets where DevOps is rapidly gaining ground. Many organizations I work with are familiar with DevOps and can proudly cite their continuous integration, continuous delivery, and continuous deployment (CI/CD) pipelines. Yet even among organizations that understand the potential of DevOps, in many cases, security is being overlooked, leaving developers to try to determine the right security protocols to put in place.

While it is great to see developers being security-minded, the security team needs to become an integral part of the equation, truly making the approach DevSecOps. Simply, DevSecOps is the extension of the DevOps culture with the inclusion of security. The security team shifts left to have early involvement in the design phase, ensuring that the items they require from a security perspective can be automated and are in the necessary CI/CD pipelines.

Security risk and compliance tools should be integrated into toolchains and enforced. If the code does not pass security tests, the build breaks and does not get deployed, kicking it back to the developer for further refining. 

So, how can organizations get started? There are nine key principles:

  • Run CI/CD pipeline locally
  • Integrate quickly and often
  • Practice test-driven development
  • Keep changes small
  • Get continuous feedback
  • Decomposition (break bigger projects up into smaller pieces)
  • Have a fast CI/CD pipeline
  • Automated unit testing for all code units
  • Trunk-based development

From an execution standpoint, a strong learning culture within the organization and a comfort level with cross-functional teams are critical to success. For larger organizations, it is unrealistic to simply proclaim that they are going to start using DevSecOps right away.

In other words, the big-gang theory usually backfires. The best approach is to pick a functional group to work through the initial kinks. Then, other groups can draw upon lessons learned to move much faster. Smaller organizations might be able to succeed with a broader and swifter implementation.

We have entered an era in which DevSecOps can be the difference between organizations thriving or spinning their wheels. Organizations around the world are finding new ways to deliver customer value by leveraging technology, but successful digital transformation requires that technology must be deployed effectively and securely.

Digital transformation also calls for a highly iterative process to get the model perfected. That is where DevSecOps becomes so crucial; it allows organizations to iterate much more quickly while also taking needed security considerations into account.

Any company undergoing digital transformation needs to have a DevSecOps strategy. The ability to change a single line of code and then deploy with confidence – swiftly running through all the required building and security checks – is a game-changing capability of which enterprises should take full advantage.

What’s Hot on Infosecurity Magazine?