Skip to main content

Rugged DevOps

Rugged DevOps is a method that includes security practices as early in the continuous delivery pipeline as possible to increase cybersecurity, speed and quality of releases beyond what current DevOps practices can yield alone. (1) “Rugged “describes software development organizations which have a culture of rapidly evolving their ability to create available, survivable, defensible, secure and resilient software. (2)

As business increasingly relies on agile software development, the absence of matching fast-moving security methodologies in the delivery pipeline will essentially increase the risk of a security breach or a cyberattack. Security staff must be imbedded into cross functional teams to ensure a more sustainable and less risky continuous deployment value chain (continuous integration, continuous delivery and continuous testing). The bad guys have already acquired these skills and the use of automation to engage in a continuous attack on our defenses.

Security was named as the number one DevOps obstacle by 28 percent of enterprises. (3)  Security needs to be engaged early and often.  If the Dev organization is at a maturity level where daily builds and releases are common, come up with a suite of models that allow you to do some level of testing and can conform to the condensed cycle times. By moving away from a waterfall set of security methodologies and adopting and adapting scrum practices, security can engage earlier and more often in the development lifecycle.  If you are not part of the solution people will go over or around you.  

DevOps is a cultural movement.  Changing the way we think and do things takes time. Culture doesn’t change until the way think changes.  Think about the things that you may have in common with development and operational teams and try to build on those commonalities.  We are more alike than we are different.

As with any DevOps initiative automation is key.  Reliance on manual testing just doesn’t enable the kinds of delivery speeds businesses are looking for today.  It doesn’t mean that some of that manual testing methodology goes away, but it may be used as a back up to the automated testing when necessary.  Security teams should be thinking about ways to automatically integrate manual testing results back into the pipeline. (4)

Security must be engaged at the strategy and design stages of the lifecycle.  Security concerns and perspectives have to be incorporated into requirements before any code or design work is done.  This way we can ensure that available, survivable, defensible, secure, resilient software and architecture get created.

DevOps is all about securityshifting left to find security issues as early in the development life cycle as possible. By integrating security tools into your continuous integration process, security teams can engage their highly effective skills to uncover and eliminate vulnerabilities early in the development cycle. The earlier you find an issue the cheaper and easier it is to fix, creating big wins for both the provider and the business.

(1)    Forrester Research
(2)    Rugged

(3, 4) Ericka Chickowski


Popular posts from this blog

What is the difference between Process Owner, Process Manager and Process Practitioner?

I was recently asked to clarify the roles of the Process Owner, Process Manager and Process Practitioner and wanted to share this with you. Roles and Responsibilities: Process Owner – this individual is “Accountable” for the process. They are the goto person and represent this process across the entire organization. They will ensure that the process is clearly defined, designed and documented. They will ensure that the process has a set of Policies for governance. Example: The process owner for Incident management will ensure that all of the activities to Identify, Record, Categorize, Investigate, … all the way to closing the incident are defined and documented with clearly defined roles, responsibilities, handoffs, and deliverables.  An example of a policy in could be… “All Incidents must be logged”. Policies are rules that govern the process. Process Owner ensures that all Process activities, (what to do), Procedures (details on how to perform the activity) and the

Four Service Characteristics

Recently I came across several articles by researchers and experts that laid out definitions and characteristics of services. ITIL provides us with a definition that can help drive the creation of value-laden services: A means of delivering value to customers by facilitating outcomes customers want to achieve without the ownership of specific costs and risks. An area that ITIL is not so clear is in terms of service characteristics. Several researchers and experts put forth that services have four basic characteristics (IHIP): ·          Intangibility—Services are the results of actions not things. They have no physical presence and represent a logical set of elements. One way to think of service is “work done for others.” ·          Heterogeneity—Also known as “variability”; services are unique items because of the mechanisms used to deliver services-that is people. Because the people element adds variability, the service is variable. This holds true especially for th

How Does ITIL Help in the Management of the SDLC?

I was recently asked how ITIL helps in the management of the SDLC (Software Development Lifecycle).  Simply put... SDLC is a Lifecycle approach to produce the software or the "product".  ITIL is a Lifecycle approach that focuses on the "service". I’ll start by reviewing both SDLC and ITIL Lifecycles and then summarize: SDLC  -  The intent of an SDLC process is to help produce a product that is cost-efficient, effective and of high quality. Once an application is created, the SDLC maps the proper deployment of the software into the live environment. The SDLC methodology usually contains the following stages: Analysis (requirements and design), construction, testing, release and maintenance.  The focus here is on the Software.  Most organizations will use an Agile or Waterfall approach to implement the software through the Software Development Lifecycle. ITIL  -  is a best practice for IT service management (ITSM) that focuses on aligning IT services with