Achieving Powerful Security for DevOps With Seamless Automation
Bringing automation to security allows it to integrate with DevOps, enabling DevSecOps with automated security testing and configuration.
Agility when developing, deploying, and updating applications is absolutely critical in today’s fast-paced business environments. This is one of the main reasons we’re seeing an increased adoption of infrastructure as code (IaC), which allows much faster construction/destruction of development environments. At the same time, the challenges that organizations are facing from a workforce and application environment that’s more distributed are creating the need to update security practices that better suit the agility of the application development lifecycle.
Security: Black Sheep of DevOps
Today there are some fantastic tools available for enabling DevOps processes, such as Chef, Puppet, and Ansible. However, for many DevOps teams, security remains a largely manual process. Security testing and remediation can be one of the most time-consuming pieces of application development, but it is also one of the most important, because it is what keeps the data of customers, partners, and employees from being left exposed.
Traditional security testing is often performed only after applications have been pushed to production. Since fixes are manual, when a critical vulnerability surfaces the security team must drop what it is doing (sometimes in the middle of the night) to fix it. Because of this, security is perceived as the black sheep of DevOps: behind the times, and often accused of slowing the pace of development and blocking fully automated deployments.
Inviting Security to the Party: DevSecOps
Now many organizations are working to integrate security directly into the development process (DevSecOps). This is done primarily by moving security checks out of manual, post-production audits and into the pipeline itself. To achieve this, application development teams must be able to run and enforce security checks from within the DevOps tools they already use. When organizations build a culture of collaboration between security and development, software flaws are discovered much sooner and are far easier to fix. According to Puppet’s 2017 State of DevOps Report on security and quality:
“High-performing organizations spend 21 percent less time on unplanned work and rework and 44 percent more time on new work. Last year, we also found that high performers spend 50 percent less time remediating security issues than low performers. We were able to validate that again this year. These results point to the need to involve security and quality teams in the development process early and often.”
Automate Security Testing and Configuration
There are now effective security tools on the market that let organizations replace cumbersome manual testing and configuration. Automated security testing should be integrated into the CI/CD chain and governed by a planned set of policies that encode the organization's security requirements, so that the pipeline, not a person, decides whether a build is acceptable. Ultimately, making sure that your security tools support and integrate with configuration management offerings like Puppet and Ansible can save you a great deal of time down the road.
With automated testing and configuration incorporated into the overall CI/CD chain, security fixes become dependable and simple to execute. Vulnerabilities can be fixed faster, and scheduled rescans ensure that new changes to an application do not reopen past vulnerabilities or introduce new ones. Where a code fix cannot ship immediately, a vulnerability can also be patched virtually by automatically pushing a rule to a web application firewall; this is a stopgap that blocks known attack patterns rather than removing the flaw, so the finding should stay open until the real fix lands.
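The policy gate described above, as an added example that is not part of the original article: a small Python step that a CI/CD pipeline would run after the security scanner, reading the scanner's findings and failing the build according to a written policy. The scanner output format, the policy schema, the finding IDs, and the ticket numbers are all constructed for this example (real tools such as SARIF-emitting scanners use different field names). Two details a practitioner cares about are built in: an unrecognised severity fails closed as critical rather than slipping through, and every risk acceptance must carry an expiry date so a stale exception cannot keep a known flaw in production indefinitely.

```python
"""Policy-as-code gate for security scan results in a CI/CD pipeline.

Added example; the scan format and policy schema below are assumptions,
not the output of any particular scanner.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Severity order used for the threshold comparison.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (hypothetical format and finding IDs).
SAMPLE_SCAN_JSON = """[
  {"id": "F-1", "rule": "sql-injection", "severity": "critical", "location": "app/db.py:42"},
  {"id": "F-2", "rule": "outdated-dependency", "severity": "high",
   "location": "requirements.txt", "package": "example-lib", "fixed_in": "2.3.1"},
  {"id": "F-3", "rule": "weak-tls-config", "severity": "medium", "location": "config/nginx.conf"},
  {"id": "F-4", "rule": "debug-enabled", "severity": "low", "location": "settings.py"},
  {"id": "F-5", "rule": "unknown-plugin", "severity": "???", "location": "vendor/x.js"}
]"""

# Constructed policy (hypothetical schema). Every acceptance carries an expiry
# and a ticket so the exception is tracked and cannot silently live forever.
SAMPLE_POLICY = {
    "fail_at_or_above": "high",
    "accepted_risks": {
        "F-2": {"expires": "2099-01-01", "ticket": "SEC-123"},  # still valid
        "F-1": {"expires": "2020-01-01", "ticket": "SEC-7"},    # expired
    },
}


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # finding IDs that fail the build
    accepted: list = field(default_factory=list)  # IDs waived by an unexpired acceptance
    reasons: list = field(default_factory=list)   # human-readable lines for the CI log


def load_findings(scan_json):
    """Parse the (hypothetical) scanner output into a list of finding dicts."""
    return json.loads(scan_json)


def severity_rank(finding):
    """Rank a finding's severity; an unknown value fails closed as critical."""
    return SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), SEVERITY_RANK["critical"])


def evaluate_policy(findings, policy, today=None):
    """Decide whether the pipeline may proceed. `today` may be a date, an ISO string, or None."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[policy["fail_at_or_above"]]
    waivers = policy.get("accepted_risks", {})
    result = GateResult(passed=True)

    for f in findings:
        if severity_rank(f) < threshold:
            continue  # below the gate: reported by the scanner but not blocking
        waiver = waivers.get(f["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            result.accepted.append(f["id"])
            result.reasons.append(f"{f['id']} {f['rule']} accepted until {waiver['expires']} ({waiver['ticket']})")
            continue
        result.blocking.append(f["id"])
        note = " (acceptance expired)" if waiver else ""
        fix = f" -> upgrade {f['package']} to {f['fixed_in']}" if "fixed_in" in f else ""
        result.reasons.append(f"{f['id']} {f['rule']} [{f.get('severity')}] at {f['location']}{note}{fix}")

    result.passed = not result.blocking
    return result


def ci_gate(scan_json, policy, today=None):
    """Pipeline step entry point: returns the process exit code (0 = pass, 1 = block)."""
    result = evaluate_policy(load_findings(scan_json), policy, today)
    for line in result.reasons:
        tag = "WAIVED " if line.split()[0] in result.accepted else "BLOCK  "
        print(tag + line)
    print("gate:", "PASS" if result.passed else "FAIL")
    return 0 if result.passed else 1


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_SCAN_JSON, SAMPLE_POLICY))
```

Run as a pipeline step, the non-zero exit code is what stops the deployment; the same policy file can be versioned alongside the application code so that changes to the threshold or to risk acceptances go through review like any other change.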
Incorporating automated security practices brings many benefits, and these practices will only continue to gain momentum. With the rise of cybercrime and the clear risks of lost data, compromised customers, downtime, and ransom demands, development organizations must adopt methods like automated security to avoid becoming the next victim. It begins with security meeting the DevOps team on day one of a project and staying close from that point on.
Opinions expressed by DZone contributors are their own.