Investing in SecOps doesn’t just mean hiring folks who know how to blend together software development, IT operations, and security skill sets. It also doesn’t just mean telling your DevOps team to run secure or scolding your security team into moving fast enough to keep up with continuous deployment.
Truly committing to SecOps means investing in tools that can do double (or triple) duty — helping you to not only release code continuously but to ensure that everything from your back-end infrastructure to your customer-facing applications is 100% secure. It means investing in tools that make meeting both DevOps and security best practices simple and straightforward.
As DevOps expands to include more security functions and security evolves to be more Agile, it’s never been more important (or economical) to be able to use operational tools for security and security tools for operations. DevOps teams want software that can integrate critical functions of security, like alerting, directly into their current processes. Security teams want tools that let them seamlessly interact with DevOps.
Here’s what that should look like.
How Security Can Use DevOps Tools
Interestingly, we are seeing security folks adopt DevOps tools a lot faster than the inverse today. In part, this may be because DevOps has gone mainstream (and there’s less of a talent crunch there than in security). DevOps tools tend to be relatively easy to use and learn. Beyond that, there’s the simple fact that security teams are expected to keep up with the pace of DevOps. So in some ways, they don’t really have a choice about getting on board.
Regardless of the reason, security teams are starting to really embrace DevOps concepts and tools like configuration management and immutable infrastructure.
So how are security teams using DevOps tools today?
Here are some examples of common DevOps tools that security teams are currently putting to use:
- Chef can be used to automate security testing.
- Puppet can be used to enforce security policies and prove compliance.
- Ansible can be used to define and automate best practices like setting firewall rules, locking down users and groups, or applying custom security policies.
- SaltStack can be used for orchestration and automation of security practices.
Moreover, with a continuous security monitoring platform like Threat Stack Cloud Security Platform®, it’s possible to combine many of these DevOps tools and, through the power of integrations, use them to further your security goals as an organization. That means continuous release cycles can proceed without hindrance while security teams accomplish their goals at the same time.
How DevOps Can Use Security Tools
Whether your organization is too small for a dedicated security team or you’ve adopted a security-is-everyone's-job mindset, chances are your DevOps teams are increasingly responsible for security. To ensure that it’s done right, DevOps teams need tools that integrate security alerting directly into their existing workflows — so teams can respond quickly and with relevant context about what occurred.
What a lot of DevOps teams are starting to realize is that security tools can actually make the Ops side of their jobs easier too. The increased visibility offered by security tools can help with debugging, file integrity monitoring, installation monitoring, and more. Security tools can help DevOps teams answer more of those tricky who, what, where, when, and why questions with ease.
For example, let’s say you’re running a production environment and something goes wrong. Configuration management isn’t working and it looks like someone turned off Chef. Your DevOps team could head over to Slack and ask the team, “Hey, who did this?” But depending on your organizational culture, someone may or may not ‘fess up. If they don’t, you better hope your DevOps team is using security tools, because it’s the only way they’ll be able to solve the mystery.
In other words, security tools like Threat Stack can provide DevOps with clear visibility into what’s going on throughout your infrastructure (in the cloud and on-prem). That means you can run faster and with the peace of mind that nothing will happen without your knowledge.
The reality is that your DevOps teams will probably not log into a security tool every day. That’s okay. Security tools are often built for folks whose primary role is not security. That’s all the more reason to pick security tools that blend seamlessly with DevOps workflows. DevOps teams need to be able to receive notifications wherever they are — whether that means a Slack alert or a PagerDuty ping.
Use KPIs to Make Security a Priority
We’ve written before about the ingredients of a successful SecOps implementation. We also put together an entire playbook on bringing SecOps to your organization. We’re pretty passionate about the value of getting security and DevOps into alignment with one another.
And, as you can probably tell, we think it’s great when DevOps tools and teams integrate seamlessly with security tools and teams. That said, the only way we’ll ever get to the promised land of a well-oiled SecOps machine is if DevOps teams begin to be measured based on how secure things are. Adding security KPIs to all teams — especially DevOps — is one of the keys to making sure that everyone stays focused on security as a priority.