As business
increasingly relies on agile software development, the absence of matching
fast-moving security methodologies in the delivery pipeline will essentially
increase the risk of a security breach or a cyberattack. Security staff must be
imbedded into cross functional teams to ensure a more sustainable and less
risky continuous deployment value chain (continuous integration, continuous
delivery and continuous testing). The bad guys have already acquired these
skills and the use of automation to engage in a continuous attack on our
defenses.
Security was named as
the number one DevOps obstacle by 28 percent of enterprises. (3) Security needs to be engaged early and
often. If the Dev organization is at a maturity
level where daily builds and releases are common, come up with a suite of models
that allow you to do some level of testing and can conform to the condensed
cycle times. By moving away from a waterfall set of security methodologies and
adopting and adapting scrum practices, security can engage earlier and more
often in the development lifecycle. If
you are not part of the solution people will go over or around you.
DevOps is a cultural
movement. Changing the way we think and
do things takes time. Culture doesn’t change until the way think changes. Think about the things that you may have in
common with development and operational teams and try to build on those
commonalities. We are more alike than we
are different.
As with any DevOps
initiative automation is key. Reliance
on manual testing just doesn’t enable the kinds of delivery speeds businesses
are looking for today. It doesn’t mean
that some of that manual testing methodology goes away, but it may be used as a
back up to the automated testing when necessary. Security teams should be thinking about ways
to automatically integrate manual testing results back into the pipeline. (4)
Security must be
engaged at the strategy and design stages of the lifecycle. Security concerns and perspectives have to be
incorporated into requirements before any code or design work is done. This way we can ensure that available, survivable, defensible, secure,
resilient software and architecture get created.
DevOps is all about security “shifting
left” to find security
issues as early in the development life cycle as possible. By integrating
security tools into your continuous integration process, security teams can
engage their highly effective skills to uncover and eliminate vulnerabilities
early in the development cycle. The earlier you find an issue the cheaper and
easier it is to fix, creating big wins for both the provider and the business.
For more information: WhatIs? DevOps research paper
(2) Rugged Software.com
(3, 4) Ericka Chickowski
