DevOps is intended to dramatically increase the pace of application development and support. The trade-off is that more mistakes are expected to reach production, but that is accepted because they can be corrected right away rather than waiting for the next development cycle to play out.
When it comes to security, that trade-off can be dangerous. Many vulnerabilities are not evident until someone exploits them, and even those that are caught quickly can leave apps and data exposed for hours, or even days, before a fix is deployed.
This is why DevOps requires a new approach to security, one that calls for a renewed commitment by every team member to treat protection of data and apps as a core element of their contribution to the overall project.
According to Sonatype, which sells automation tooling for software supply chains, organizations with mature DevOps practices are more than three times as likely to integrate automated security functions into their workflows as organizations that do not employ DevOps. This matters most for groups building on open source components, where breaches have risen 55 percent in the past year alone, according to the same survey. Sonatype also reports that 88 percent of mature DevOps programs are investing in application security training, even though nearly half of developers say they recognize the importance of security but find it too time-consuming to practice on a regular basis.
In many cases, failure to properly implement security in a DevOps environment stems from confusion as to who is responsible for what, says NGINX’s Rob Whitely. In a recent interview with Information Week, Whitely described the key aspects of integrating security into a DevOps culture: enforcement of proper security practices, adequate testing and feedback, regular policy reviews, and early analysis and automation. Both developers and operations people need to take ownership of security throughout the collaborative process, which in many cases can improve the security posture without dramatically increasing budgets.
Integrating security into the fabric of DevOps will require the enterprise to shed some long-held practices, says Evident.io’s John Martinez, which is not always easy with a function as critical as security. Nevertheless, the pace of DevOps all but eliminates the effectiveness of traditional point-in-time security checklists and audits. When new code is rolling out on a continuous integration/continuous deployment (CI/CD) model, security checks and updates must keep pace with code changes, which means they have to run inside the pipeline rather than after it. Some long-time security experts may balk at increased reliance on automation, but manual processes cannot keep pace when the other aspects of the DevOps pipeline, such as configuration changes and workload distribution, are fully automated.
Ultimately, the goal should be to bake security into the application development process, says WhiteHat Security CEO Craig Hinkley. Speaking to Silicon Republic, Hinkley noted that developers are not security experts and security experts are not developers, so it is incumbent upon the enterprise to get the two groups together to work out how security can be embedded into the application from the very start. By sharing that responsibility, organizations can avoid the conflict that follows a data breach, in which developers blame security while security chalks it up to bad code.
It’s been said that DevOps is a soup-to-nuts reimagining of IT and the knowledge work process. If so, it should come as no surprise that security will see its fair share of changes as well. The danger is that organizations will get so far ahead with the “dev” and “ops” aspects of this new way of working that they forget about security until it is too late.
Until recently, security was an afterthought when developing new products and provisioning new infrastructure, and the results of that oversight are becoming clearer by the day. With a new operational paradigm taking shape, the enterprise has a unique opportunity to build security in right from the start. All it needs to do is seize it.
Arthur Cole writes about infrastructure for IT Business Edge. Cole has been covering the high-tech media and computing industries for more than 20 years, having served as editor of TV Technology, Video Technology News, Internet News and Multimedia Weekly. His contributions have appeared in Communications Today and Enterprise Networking Planet and as web content for numerous high-tech clients like TwinStrata and Carpathia. Follow Art on Twitter @acole602.