
The Integration of DevOps and Cybersecurity: Maximizing Risk Management

Yaniv Yehuda reveals the integration of DevOps and Cybersecurity, formulating the idea of DevSecOps.

by Yaniv Yehuda · Nov. 14, 16 · Opinion

Glitches. Security flaws. Slowdowns. These are all expensive to patch up and come with negative press, which is hard to recover from. How does the DevOps team manage these risks, especially when the release is time-sensitive?

Even those of us who have fully integrated development and operations into DevOps still remember when the teams were in two separate departments. This led to costly challenges that came to light after market: problems that could have been prevented if development and operations had been centralized.

For those who employ DevOps, it’s hard to imagine development and operations as separate departments. DevOps has made monumental strides over the last five years, but there is still one more step to take to maximize risk management: fully integrate cyber security into DevOps. Both the DevOps and security personnel need to come to terms with each other’s primary objectives: DevOps wants to rapidly develop and deploy software, while cyber security personnel want to mitigate and manage risk by thoroughly checking the software for any potentially breachable point.

While cyber security is currently integrated into DevOps, I think that increasing communication between the two departments will exponentially increase risk management and deal with issues that arise.

Recently, the industry has made a point of bringing DevOps and cyber security professionals together in order to jumpstart the integration process.

At the Symantec Government Symposium in August, a DevOps programmer joked that “We don’t need to have all this security risk management stuff, we don’t need to have cybersecurity, we need a solution now.”

David Blankenhorn, CTO of DLT Solutions, echoed the sentiment. “The reality of the DevOps environment is not that you’re doing your testing, your security…it’s that you’re doing it on a much more micro scale.”

This past week at AppSecUSA 2016, the annual gathering of the Open Web Application Security Project, white-hat hacker Josh Corman argued that it’s on the security professionals to adjust to the centralized environment of the DevOps teams. “The DevOps tribe is willing to give us a big gushy hug…stop resisting empathy that comes with teamwork.”

Corman reiterated that he believes the root of the disconnect is a mutual misunderstanding. “[Cyber Security Professionals] call it mitigation and patching; they [DevOps] call it unscheduled critical work.”

Corman believes that the only way for DevOps to improve efficiency is to increase security and risk management. DevOps is realizing it too.

Brian A Mchenry Sr, a Sr. Security Solutions Architect at F5 Networks, discussed the advantages of the convergence of the DevOps and Cyber Security worlds in order to increase the ability to minimize and manage risks. “Embracing SecDevOps as a component of a larger DevOps culture and philosophy enables us to seek out tools and skills that would leverage existing API opportunities and drive decisions toward a more fully-integrated approach to SDN. These new skills and tools may even be an extension of existing practices…SecDevOps would help automate and orchestrate any needed changes in the security service chains.”

DevOps does currently integrate risk management and security measures into its development and deployment philosophy. Security has always been and will always be an integral part of the software product life cycle. However, there are more solutions to be discovered that will result from the coming together of the worlds of cyber security and DevOps.

The transition into DevSecOps will open the door for a more dynamic and secure way of managing infrastructure and automated deployment. As we work towards maximized risk management and prevention, flexibility, speed, time to market, AND security will be equally prioritized.


Published at DZone with permission of Yaniv Yehuda, DZone MVB. See the original article here.
