How to Apply DevOps Culture to Security

Security teams, in many ways, have been the laggards in DevOps adoption, and have yet to really include themselves into the DevOps conversation.


Unless you’ve been living under a rock (or don’t work in the tech industry), you’ve probably heard the term DevOps thrown around. A mashup of “development” and “operations,” DevOps is a mindset and set of practices that focus on collaboration and communication between software developers and other IT professionals with the goal of automating both software delivery and infrastructure changes.

The four major tenets of DevOps are:

  • Culture
  • Automation
  • Measurement
  • Sharing

As this culture has proven successful and spread throughout many industries, people have tried to integrate other parts of the technical teams into the same DevOps workflows that are working so well for their organization. Security teams, in many ways, have been the laggards, and have yet to really include themselves into the DevOps conversation. Luckily, in recent years, much more focus has been placed on the security side.

Integrating security operations into your existing DevOps workflows means both applying DevOps principles to security and incorporating security into the development and operational processes. It’s how we operate at Threat Stack, and we believe it’s how all security teams should operate if they want to achieve maximum efficiency and effectiveness.

But why, you ask?

Key Benefits of a DevOps Culture

(as applied to development, operations, and security)

Benefits of DevOps                                               | Benefits of Security-Enabled DevOps
---------------------------------------------------------------- | -------------------------------------------------------------------------------
Shorter time-to-market for software                              | Security doesn’t slow down time-to-market
Improved customer satisfaction                                   | Improved customer security and peace of mind
Better product quality                                           | Security baked into high-quality product
More reliable releases                                           | Security woven into every release
Improved productivity and efficiency                             | Security doesn’t hamper productivity or efficiency
Increased ability to build the right product by quick iteration  | Increased ability to build the right security functions into every product iteration

Why DevOps Practices Are Good for Security

DevOps achieves the benefits listed above by increasing the speed of feedback loops inside development and operations teams.

The problem with a DevOps culture that doesn’t have security built in is that security teams often wind up frustrated when vulnerabilities are not caught before reaching production. At the end of the day, it doesn’t matter how fast feedback loops or continuous delivery cycles are if you’re releasing products that are riddled with vulnerabilities. You may even find yourself backtracking to fix security issues, taking up more time than DevOps practices save.

So it naturally follows that security needs to be involved in the development process from the beginning. Otherwise it will get left behind. Development and operations teams can’t (and won’t) slow down to accommodate security teams, so it’s up to security teams to insert themselves into the conversation early on.

By integrating security with the continuous integration (CI) and continuous deployment (CD) pipelines, the security team is able to participate in rapid feedback loops in order to identify and fix problems before they become an issue in production.

How to Build a DevOps Culture for Security

So how, exactly, do you go about integrating security into the DevOps process? The good news is that you don’t need to make major changes to your development methods or cycles. The most important thing is to get security using the same tools and processes that your Dev and Ops teams are already using, from Kanban boards and scrums to configuration management and continuous integration systems.

For example, security teams should integrate source code scanning and system-level vulnerability management into the application and system build process. This way, they can deal with security issues in real time, as part of the same feedback loop as failing tests, and keep pace with the rest of the organization.

Here’s how it works at Threat Stack:

  • All teams, not just security practitioners, participate in and own various security processes.
  • Security scanning and compliance checks are built into the same system automation tools we are already using (Chef, Jenkins, etc.).
  • Threat Stack’s Cloud Security Platform is used to protect our systems: we constantly scan for vulnerabilities, alert on anomalous activity, and track our success over time.
  • Developers are given broader access to the systems they are writing code for, and work closely with operations team members to understand how those systems will run and support their code.
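To make the “scanning inside the build process” idea concrete, here is an added example (not Threat Stack’s code, and not any real scanner’s output format) of the gate step a CI job such as a Jenkins stage would run after a dependency scan: it turns the scanner’s findings into a pass/fail decision, so a vulnerable component fails the build the same way a failing unit test does. The finding shape, advisory ids and risk-acceptance list are all constructed for illustration.

```python
# Added example: a CI security gate that fails the build on unaccepted
# high-severity findings. Risk acceptances are explicit and time-boxed so
# they are revisited instead of silently lasting forever.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    package: str
    advisory: str   # placeholder id; real scanners emit CVE/GHSA-style ids
    severity: str   # "low", "medium", "high" or "critical"


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample scanner results (the format is assumed, not a real tool's)
SAMPLE_FINDINGS = [
    Finding("libexample-a", "ADV-EXAMPLE-1", "critical"),
    Finding("libexample-b", "ADV-EXAMPLE-2", "high"),
    Finding("libexample-c", "ADV-EXAMPLE-3", "high"),
    Finding("libexample-d", "ADV-EXAMPLE-4", "medium"),
]

# Constructed acceptances: advisory id -> ISO expiry date of the accepted risk.
# ADV-EXAMPLE-3's acceptance has already lapsed, so it must block again.
SAMPLE_ACCEPTED = {"ADV-EXAMPLE-2": "2030-01-01", "ADV-EXAMPLE-3": "2020-01-01"}


def blocking_findings(findings, accepted, threshold="high", today=None):
    """Return findings at or above `threshold` that have no unexpired acceptance."""
    today = date.fromisoformat(today) if today else date.today()
    blocked = []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue  # below the policy bar: report it, but do not block
        expiry = accepted.get(f.advisory)
        if expiry and date.fromisoformat(expiry) >= today:
            continue  # accepted risk that is still inside its review window
        blocked.append(f)
    return blocked


def gate(findings, accepted, threshold="high", today=None):
    """Return (exit_code, summary); a non-zero code fails the pipeline stage."""
    blocked = blocking_findings(findings, accepted, threshold, today)
    if not blocked:
        return 0, "security gate passed"
    lines = [f"{f.package}: {f.advisory} ({f.severity})" for f in blocked]
    return 1, "security gate failed:\n" + "\n".join(lines)


if __name__ == "__main__":
    import sys
    code, summary = gate(SAMPLE_FINDINGS, SAMPLE_ACCEPTED)
    print(summary)
    sys.exit(code)
```

Wired into the build as its own stage, the non-zero exit code is what gives developers the immediate feedback the article calls for; the summary names exactly which component and advisory to fix.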

The Difference a Security-Enabled DevOps Culture Can Make

With security left out of your DevOps culture, you have two possible outcomes: either security slows down development cycles (unlikely to be allowed), or releases happen without security oversight. The latter, and more common, outcome leaves you open to security vulnerabilities, attacks, and reputation damage. Not a risk worth taking, in our opinion.

In today’s culture of continuous release, it’s not just good to move fast, it’s essential if you want to stay competitive. But you can’t move fast and sacrifice security. The good news is that having a security-minded organization makes it possible to release high-quality software on a continuous basis while ensuring that it is safe and ready for prime time, every time.

Published at DZone with permission of Pete Cheslock, DZone MVB. See the original article here.
