Click to learn more about author
Anastasios Arampatzis.
DevOps is transforming how organizations develop software faster. DevOps utilizes agile methodologies to integrate and streamline the software development and operations process. The result is faster time to market and a more efficient development process. However, DevOps processes are challenging the way security integrates with fast development cycles.
Why Is DevOps Security So Different?
In the traditional, sequential “waterfall” software development model, security testing was happening only during the last stages of the process. This could result in several changes to close security gaps until the product complies with the various security recommendations imposed by regulations, policies, and standards. Fixing errors and closing security gaps at the end of the software development lifecycle made the development process longer and more expensive.
Implementing a DevOps model requires collaboration between teams throughout the software development lifecycle. Changes are an integral part of the development process, which results in producing secure products faster. A continuous integration/continuous deployment (CI/CD) pipeline makes automation a critical part of DevOps, being implemented at set intervals.
Challenges for Integrating Security into DevOps
While DevOps promises to make applications more secure by integrating security into the software development lifecycle from the early stages, this is not the case. Introducing DevOps security presents several challenges.
DevOps Velocity
Security teams must adjust to the speed of DevOps. Long software development cycles have been reduced to just a few weeks. Coding is being done by multiple disperse teams so that not only is code being developed more rapidly, but the infrastructure is also changing rapidly through automation and agile tools. That severely impacts the time that security teams have to do due diligence.
Security should not be a barrier to agile software development and needs automation and orchestration tools that match the velocity at which developers are producing code. Without a fully automated toolchain, security can delay the DevOps process by hours or days, breaking the principles and workflows of DevOps.
To achieve this level of automation, security tools need to integrate into the CI/CD pipeline and operate at warp speed. If the security tools are DevOps friendly, most security tasks will be performed automatically in the same pipeline as the one used for developing apps. Only security issues that require human intervention will be flagged for developer action.
Instead of security hindering code production and app development, it needs to be an enabler of safe products. Even if developers do make some mistakes, these would not be disastrous. However, tools alone will not transform DevOps into DevSecOps. It also takes a culture of respect and collaboration between developers and security teams to make that work.
The Shifting Role of Security
Security teams and developers oftentimes have conflicting goals, which creates tension. Developers want to push their software into the market as soon as possible. Security teams demand thorough testing and fixing security flaws before releasing anything. In DevOps environments, this kind of tension is not acceptable. To reduce this noise, security teams need to shift their roles.
Security needs to become a consultant to the developers. That shift will benefit security because instead of being siloed, they will begin working closely with software developers, and they will develop an understanding of the constraints the developers are dealing with.
This shifting role will benefit the automation and velocity of the CI/CD pipeline and will result in fewer products being rejected as flawed. Productivity and time to market will be enhanced. The creation of safe security products will also increase the trust customers place in the organization, which will be translated into increased revenues.
The shifting role of security in tandem with the proper security automation tools will minimize human intervention into DevOps processes. With security being integrated into all testing phases, any problems discovered will be sent automatically back to the developer without any further intervention by the security teams.
Security involvement will only be necessary only to consult the developer of the implications for failing to fix a security bug. For example, to explain that the lack of strong encryption with keys used only for production will result in the app being compromised within seconds of being released.
The Skills Gap
Security professionals also need new skills to better secure apps in a DevOps environment. Software developers are using a variety of technologies and platforms to help them accelerate and innovate, such as IaaS cloud platforms, containers, microservices, and APIs.
Those new skills include the ability to configure these technologies to avoid security gaps that can be exploited by malicious actors. Security teams need to have these skills for automating traditional security controls and integrating them into the development process. As we have touched upon before, integration is no longer a question. The question is how security professionals are going to integrate security into DevOps.
Although traditional security practices might still work for legacy apps and systems, the migration of businesses into cloud and DevOps practices dictate the need for security professionals to acquire new skillsets. This new foundational knowledge will help them secure assets that lie beyond the traditional corporate perimeter. New skills will also benefit professionals, making them more marketable and credible. With the skills gap reported as a major barrier to effectively implementing security controls in a perimeter-less business environment, professionals who demonstrate a solid understanding of the cloud and DevOps will become valuable assets to any organization.
Conclusion
DevOps is causing a major cultural change in security. Businesses need to embrace this change if they want to keep competitive and thrive in a shifting business environment. Security needs to be an ever thought and not an afterthought in DevOps. Failure to “bake” security into software lifecycle processes will result in producing insecure applications. Adversaries are always looking for the easiest way to break into corporate networks and an app with security gaps will make their life easier.
Security and DevOps need to overcome the differences separating them and work for the common goal of producing reliable, friendly, and secure code.