Rugged DevOps is a method that includes security practices as early in the continuous delivery pipeline as possible to increase cybersecurity, speed and quality of releases beyond what current DevOps practices can yield alone. (1) “Rugged “describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure and resilient software. (2)
As business increasingly relies on agile software development, the absence of matching fast-moving security methodologies in the delivery pipeline will essentially increase the risk of a security breach or a cyberattack. Security staff must be imbedded into cross functional teams to ensure a more sustainable and less risky continuous deployment value chain (continuous integration, continuous delivery and continuous testing). The bad guys have already acquired these skills and the use of automation to engage in a continuous attack on our defenses.
Security was named as the number one DevOps obstacle by 28 percent of enterprises. (3) Security needs to be engaged early and often. If the Dev organization is at a maturity level where daily builds and releases are common, come up with a suite of models that allow you to do some level of testing and can conform to the condensed cycle times. By moving away from a waterfall set of security methodologies and adopting and adapting scrum practices, security can engage earlier and more often in the development lifecycle. If you are not part of the solution people will go over or around you.
DevOps is a cultural movement. Changing the way we think and do things takes time. Culture doesn’t change until the way think changes. Think about the things that you may have in common with development and operational teams and try to build on those commonalities. We are more alike than we are different.
As with any DevOps initiative automation is key. Reliance on manual testing just doesn’t enable the kinds of delivery speeds businesses are looking for today. It doesn’t mean that some of that manual testing methodology goes away, but it may be used as a back up to the automated testing when necessary. Security teams should be thinking about ways to automatically integrate manual testing results back into the pipeline. (4)
Security must be engaged at the strategy and design stages of the lifecycle. Security concerns and perspectives have to be incorporated into requirements before any code or design work is done. This way we can ensure that available, survivable, defensible, secure, resilient software and architecture get created.
DevOps is all about security “shifting left” to find security issues as early in the development life cycle as possible. By integrating security tools into your continuous integration process, security teams can engage their highly effective skills to uncover and eliminate vulnerabilities early in the development cycle. The earlier you find an issue the cheaper and easier it is to fix, creating big wins for both the provider and the business.
For more information: http://www.itsmacademy.com/resourcecenter
(1) Forrester Research
(2) Rugged Software.com
(3, 4) Ericka Chickowski