Skip to main content

Rugged DevOps

Rugged DevOps is a method that includes security practices as early in the continuous delivery pipeline as possible to increase cybersecurity, speed and quality of releases beyond what current DevOps practices can yield alone. (1) “Rugged “describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure and resilient software. (2)

As business increasingly relies on agile software development, the absence of matching fast-moving security methodologies in the delivery pipeline will essentially increase the risk of a security breach or a cyberattack. Security staff must be imbedded into cross functional teams to ensure a more sustainable and less risky continuous deployment value chain (continuous integration, continuous delivery and continuous testing). The bad guys have already acquired these skills and the use of automation to engage in a continuous attack on our defenses.

Security was named as the number one DevOps obstacle by 28 percent of enterprises. (3)  Security needs to be engaged early and often.  If the Dev organization is at a maturity level where daily builds and releases are common, come up with a suite of models that allow you to do some level of testing and can conform to the condensed cycle times. By moving away from a waterfall set of security methodologies and adopting and adapting scrum practices, security can engage earlier and more often in the development lifecycle.  If you are not part of the solution people will go over or around you.  

DevOps is a cultural movement.  Changing the way we think and do things takes time. Culture doesn’t change until the way think changes.  Think about the things that you may have in common with development and operational teams and try to build on those commonalities.  We are more alike than we are different.

As with any DevOps initiative automation is key.  Reliance on manual testing just doesn’t enable the kinds of delivery speeds businesses are looking for today.  It doesn’t mean that some of that manual testing methodology goes away, but it may be used as a back up to the automated testing when necessary.  Security teams should be thinking about ways to automatically integrate manual testing results back into the pipeline. (4)

Security must be engaged at the strategy and design stages of the lifecycle.  Security concerns and perspectives have to be incorporated into requirements before any code or design work is done.  This way we can ensure that available, survivable, defensible, secure, resilient software and architecture get created.

DevOps is all about securityshifting left to find security issues as early in the development life cycle as possible. By integrating security tools into your continuous integration process, security teams can engage their highly effective skills to uncover and eliminate vulnerabilities early in the development cycle. The earlier you find an issue the cheaper and easier it is to fix, creating big wins for both the provider and the business.


(1)    Forrester Research
(2)    Rugged Software.com

(3, 4) Ericka Chickowski

Comments

Popular posts from this blog

What is the difference between Process Owner, Process Manager and Process Practitioner?

I was recently asked to clarify the roles of the Process Owner, Process Manager and Process Practitioner and wanted to share this with you.

Roles and Responsibilities:
Process Owner – this individual is “Accountable” for the process. They are the goto person and represent this process across the entire organization. They will ensure that the process is clearly defined, designed and documented. They will ensure that the process has a set of Policies for governance.Example: The process owner for Incident management will ensure that all of the activities to Identify, Record, Categorize, Investigate, … all the way to closing the incident are defined and documented with clearly defined roles, responsibilities, handoffs, and deliverables. An example of a policy in could be… “All Incidents must be logged”. Policies are rules that govern the process. Process Owner ensures that all Process activities, (what to do), Procedures (details on how to perform the activity) and the policies (r…

How Does ITIL Help in the Management of the SDLC?

I was recently asked how ITIL helps in the management of the SDLC (Software Development Lifecycle).  Simply put... SDLC is a Lifecycle approach to produce the software or the "product".  ITIL is a Lifecycle approach that focuses on the "service".
I’ll start by reviewing both SDLC and ITIL Lifecycles and then summarize:
SDLC  -  The intent of an SDLC process is to help produce a product that is cost-efficient, effective and of high quality. Once an application is created, the SDLC maps the proper deployment of the software into the live environment. The SDLC methodology usually contains the following stages: Analysis (requirements and design), construction, testing, release and maintenance.  The focus here is on the Software.  Most organizations will use an Agile or Waterfall approach to implement the software through the Software Development Lifecycle.
ITIL  -  is a best practice for IT service management (ITSM) that focuses on aligning IT services with the needs …

Incidents when a Defect is Involved

Question: We currently track defects in a separate system than our ticket management system. With that said, my question is does anyone have suggestions and/or best practices on how to handle incidents when a defect is involved? Should the incident be closed since the defect is being worked on in another defect tracking system if it is noted in the incident ticket? I am considering creating an incident statuses of 'closed-unresolved' so the incident can still be reported on in our ticket management system but know it is being worked on/tracked in the defect system. With defects, it is possible that we may never work on them because they are very low priority and the impact is low to the user. However, in some cases a defect is being worked on. Should we create a problem ticket instead?
Thanks, René W.

Answer: RenĂ©. In ITIL, the activity you are describing is handled by the Problem Management process. ITIL does not use the term “defect” but it does use the term “known error” to…