Bringing Security Into the DevOps Fold


DevSecOps preaches the fusion of DevOps and security. But how can the different speeds of these teams' deliverables be reconciled?


DevOps. The name says it all. Development + Operations. By bringing these two teams together, DevOps promises speed and agility, i.e. a faster time to market for new software initiatives.

But what about security? There is no “security” in the name DevOps. And while DevOps is all about agility, security is all about safety, making sure new software is fully tested and protected against known vulnerabilities and threats. Agility and safety are not usually companions.

Perhaps that is why the security team was left out of the original DevOps team. However, that’s a mistake. When operated as two separate silos, DevOps and security teams conflict with each other's mission. The faster DevOps goes, the less secure software becomes. And, the more security inserts itself into the process, the less agile DevOps becomes.

There is a better way. By bringing security into the DevOps fold, you accomplish both mission goals: DevOps gets the speed and agility they desire, and security achieves the safety and protection from vulnerability and threats they require.

It Isn't Easy

Integrating security with DevOps presents challenges. Security, at its heart, is a complex and multi-faceted arms race. New vulnerabilities and threats pop up daily, and it is hard to stay abreast of everything and still be agile. Furthermore, security is used to being highly siloed. In fact, if we're honest about it, security often relishes its role as "masters of the dark arts," and there are good reasons for that guardedness.

How to Integrate Security Into DevOps

Nonetheless, the benefits outweigh the challenges, so it is worth exploring just how one can successfully integrate security into DevOps. 

First of all, integrating security into DevOps means breaking ingrained processes and biases. For example, instead of security checks being the last step in the process, there must be a continual process that begins from day one of a software project's lifecycle. This is difficult as it requires automation of core security tasks.

Second, as we bring security into the DevOps fold, it is important to automate common tasks so they do not become delays. For example, you can automate scanning of servers against a hardening baseline and run it on every deployment, rather than auditing by hand. Another example is automating security testing in the build pipeline (static analysis, dependency checks and dynamic scans) so insecure code is identified early, instead of waiting for a penetration test at the end of the project.
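As an added example of the first kind of automation (it is not code from the article or from any DZone project), the script below checks a host's sshd_config against a small hardening baseline and returns findings that a CI job can turn into a failed build. The baseline and the sample configuration are constructed for illustration; a real baseline would come from the organisation's own standard.

```python
"""Added example: an automated baseline check for sshd_config that a
pipeline can run on every deployment. The baseline and SAMPLE_CONFIG are
constructed for this illustration, not taken from a real host."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    key: str               # baseline directive name
    expected: str
    actual: Optional[str]  # None when the directive is absent, so sshd's default applies


# Hypothetical baseline for this example (a real one would mirror the
# organisation's hardening standard, e.g. a CIS benchmark).
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global directives of an sshd_config.

    Two sshd parsing rules matter for a scanner and are easy to get wrong:
    - the FIRST occurrence of a directive wins, not the last;
    - everything after a 'Match' line is conditional and therefore not part
      of the global configuration, so parsing stops there.
    Directive names are case-insensitive and are normalised to lower case.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comments and blank lines
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)       # first occurrence wins
    return effective


def check_sshd(text: str, baseline: Dict[str, str] = SSHD_BASELINE) -> List[Finding]:
    """Compare the effective config against the baseline; absent = non-compliant."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = effective.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(key, expected, actual))
    return findings


def gate(text: str, baseline: Dict[str, str] = SSHD_BASELINE) -> bool:
    """True when the host is compliant; the CI job exits non-zero otherwise."""
    return not check_sshd(text, baseline)


# Constructed sample input: note the duplicated PermitRootLogin (first one
# wins), the commented-out PasswordAuthentication, and the Match block.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication no
X11Forwarding no
Match User backup
    PasswordAuthentication yes
    PermitEmptyPasswords no
"""

if __name__ == "__main__":
    import sys
    for f in check_sshd(SAMPLE_CONFIG):
        print(f"FAIL {f.key}: expected {f.expected!r}, got {f.actual!r}")
    sys.exit(0 if gate(SAMPLE_CONFIG) else 1)
```

Run against the sample, the check reports three findings: PermitRootLogin is effectively "yes" because the first line wins, PasswordAuthentication is unset (the only real setting is inside the Match block, which does not apply globally), and PermitEmptyPasswords is unset for the same reason. Treating an absent directive as a finding is deliberate: the sshd default for PasswordAuthentication is "yes", so silence is not compliance.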

Beyond this, security teams need to change how they work. Instead of seeing themselves as a siloed gatekeeper, they'll need to "play well in the sandbox": embed with the DevOps team, share its tooling and pipeline, and treat its delivery goals as their own.

What Do We Call This? DevSecOps?

Of course, nobody is quite sure what to call this new combination of DevOps and security. But whatever the name, it’s time for security to come into the DevOps fold, allowing organizations to combine the speed and agility of DevOps with the safety and protection of security.
