The SecOps Playbook: What I’ve Learned About Integrating Security Into DevOps
Security is difficult, and integrating it into your DevOps workflow can be a challenge. Read on to find out why this is so and how to overcome these obstacles.
The Threat Stack SecOps Playbook is now available!
Why We Created a SecOps Playbook
I have experienced the transition to SecOps up close and personal. I’ve led teams in figuring out how to get security practitioners and DevOps teams in sync and in harmony. Along the way, I’ve learned a number of valuable lessons that can be extended to any team that is thinking about bringing security deeper into the DevOps process.
If you’ve been reading our blog for a while, you know that we believe in the value of bringing SecOps (aka DevSecOps, SecDevOps, etc.) into your organization to streamline the security process and make sure that every piece of code that makes it into production is as safe and secure as possible.
In fact, we believe that SecOps will save the cloud (and is currently doing so). Merging your development and operations team with your security team is the best way — the only way — to ensure that best practices are built into code before vulnerabilities become an issue.
With any shift, there are challenges to implementing SecOps. However, based on my experience, I can tell you that these challenges can be surmounted with a little strategy and an awesome tool or two (including Threat Stack).
Here are the three objections to moving toward SecOps that I hear most frequently, along with my counterpoints. You can also check out the more complete SecOps Playbook, full of practical tips to put you on a smooth path to SecOps success.
1. Objection: Budget
What it sounds like: we don’t have enough resources and can’t afford to get what we need.
Thanks to the large number of open-source tools available today, it’s possible to pull together a suite of tools that can make SecOps a reality regardless of your budget. You just need a roadmap and organizational buy-in. Buy-in requires knowing who needs to be at the table, and when, and making sure that everyone understands why SecOps will benefit the whole organization. (We explain how to make this argument in more detail in the playbook.)
2. Objection: Talent
What it sounds like: but we don’t have enough security people as it is!
There’s no denying that we are in the midst of a major security talent crunch. There are not enough security experts on the market, and it’s hard to find candidates who are skilled in the latest tools and technologies. Even when teams manage to hire good security people, the ones who can code often get poached by development teams.
The good news is that you can make security happen whether you have a full security operations center (SOC) or no infosec employees at all. In a modern organization, security should not just be the responsibility of analysts or even SecOps teams; it should be a team-wide, top-to-bottom effort. Keep in mind, the better your tools and processes, the fewer experts you’ll need.
3. Objection: Tools
What it sounds like: there aren’t any tools on the market that work for SecOps teams.
People often say they don’t have the tools that they need to make SecOps happen. While that was a valid complaint historically, these days it doesn’t stand up as well. Between free and open-source options and comprehensive cloud security solutions like Threat Stack, robust tools are available to meet nearly every SecOps need. Moreover, many of the tools currently being used by DevOps can also be used to ensure security; it’s simply a matter of picking the right ones and training your team in how to use them to their highest potential.
The Reality: Security Is People
Once you have an adequate budget, trained talent, and appropriate tools, getting SecOps off the ground requires a shift in your organization’s culture.
DevOps itself requires a pretty big cultural shift. If you’ve been on a team that has made the transition or transferred into an organization that is DevOps-oriented from one that was not, you’ve probably seen the differences and experienced the growing pains firsthand.
SecOps requires a cultural shift all its own. Once an organization has shifted its mindset to focus on integrated tools and workflows for development and operations, it’s time to pull security in. With the right approach and toolset, it can be easier than you think.
Get the Roadmap
To help you address the challenges of budget, talent, tools, and culture, the Threat Stack experts have put together a brand-new playbook all about the practical aspects of implementing SecOps. In it, we cover:
- The history of DevOps and SecOps.
- Who should implement SecOps and why.
- The six practical steps you need to take to get going with SecOps.
- The KPIs and success metrics you should care about.
If your organization is looking to bring security into the DevOps equation to release secure code without sacrificing speed, we believe this playbook will help you reach that goal.
Published at DZone with permission of Pete Cheslock. See the original article here.