DevOps Exposed: because we all need to move fast and stay secure

June 4, 2019 Claranet Limited

DevOps approaches have become a fixture in most businesses. But integration with security operations is lagging behind.

In February, for example, we surveyed 100 senior IT decision-makers with a series of questions around DevOps, and an overwhelming majority (88%) said their businesses had either adopted this approach or plan to do so in the next couple of years.

Reading Gene Kim in his trailblazing 2012 blog, Why We Need DevOps Now, there are many reasons why they should. According to the co-author of The Phoenix Project:

“By putting DevOps patterns into practice, organizations like Etsy, Netflix, Facebook, Amazon, Twitter and Google are achieving levels of performance that were unthinkable even five years ago: tens or even hundreds of code deploys per day, while delivering world-class stability, reliability and security.”

So far so good, but his claim that DevOps inevitably leads to improved security made us think twice. In fact, when we asked our survey audience about this fewer than one-in-five (19%) said they were fully confident in their ability to integrate security (commonly known as DevSecOps) into the process.

When it comes to swing votes, 88% falling to 19% is a flashing warning sign. Moving fast with DevOps might be a real boost for business agility, but introducing potential data security risks in the process cannot be ignored.

How have we got to this point?

Traditionally, many businesses have viewed security as something that is administered separately to the development lifecycle, rather than a discipline that should be fully incorporated from end-to-end.

The challenge is often one of time. DevOps teams often want to move faster than security teams are used to with legacy processes. For example, DevOps teams can’t wait the equivalent weeks it would usually take to have infrastructure provisioned and firewall rules updated. Yet, that is still the status quo within most organisations.

A separate entity
Given the frequent development cycles that are an inherent characteristic of DevOps, seeing security as a separate entity can slow the processes down and reduce efficiency. This leads to either a compromise in agility – which is so central to any DevOps philosophy – or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle.

To remedy this issue and help the IT department to effectively transition to a DevSecOps approach, training of staff throughout the IT department is essential. As is the adoption of new approaches to security testing that allows for continuous monitoring and analytics throughout the DevOps lifecycle (whether this is planning, coding, pre-production, or even decommissioning).

Security baked in
While the benefits of DevSecOps are clear, actually making it a reality is a complex process that can’t be completed overnight. Working out how to implement and automate application security – such as continuous monitoring and static analysis – within existing CI/CD pipelines takes time and effort. What's more, the latest approaches to security testing, such as continuous security testing, need to be understood to ensure any testing approach is keeping up with the rate of change DevOps approaches allow for.

This guidance should be tailored to everyone involved in the DevSecOps process. Development teams need to be trained in order to heighten their security awareness and figure out how they can work with their security-focused colleagues. Conversely, security teams will no-doubt benefit from learning how their role fits within the wider DevOps ecosystem so that they have more of an appreciation of their colleagues’ ongoing responsibilities. If these formerly disparate components can be brought together, an effective DevSecOps philosophy will follow as a matter of course.

Restoring the balance
As we have seen, the fact that a fifth of organisations doubt their capability to deliver DevSecOps makes it clear that there is a significant disconnect between DevOps capabilities and DevSecOps readiness.

It is true that agility lies at the heart of any modern organisation wanting to compete on a global stage. DevOps teams understandably don’t want to forfeit this hard-fought agility. However, with cybersecurity threats and regulations on the rise organisations need to strike the right balance between agility and security.

Key takeaways:

DevOps has rapidly become the de facto way of working for the vast majority of IT departments.

But fewer than one-in-five are fully confident in their ability to integrate security into the process.

To ensure they are not opening themselves up to attack, businesses need to embed security best practice into the entire DevOps lifecycle.

New approaches such as continuous security testing, means development cycles can move fast and stay secure.

No Previous Articles

Next Video

New thinking around DevSecOps

Catch up with delegates at IP Expo last month to gauge awareness and understanding around this new way of w...

Get in touch

Return to Home

DevOps Exposed: because we all need to move fast and stay secure

Next Video

Other content in this Stream

Catch up with delegates at IP Expo last month to gauge awareness and understanding around this new way of working.

The key word for DevSecOps is continuous, with checks at all stages: planning, coding, pre-production, and even decommissioning. It all makes for a very different culture of collaboration.

DevSecOps requires a cultural change which promotes the “secure by default” culture and is the only way to handle “security at scale”.

For many businesses, effective and responsive IT is now about pulling different specialist teams together…and that requires strong leadership. In this issue of DRIVEN Update, we explore the issues.

Whether implementing a Cloud strategy for the first time or moving more workloads into the Cloud, having the proper expectations is key.

Here are 12 key issues encountered by Cloud adopters, and how to overcome them.

You understand your applications, you've got the team in place to handle the change in internal operations and governance. So what's next?

In this short video, hosted by Claranet's cloud experts Stephen Old and Tom Marsh, we help you by summarising where you start if you're in an organisation looking to move to or harness the cloud.

In today’s “always on”, 24/7 economy, if the Network fails, the business fails. So why do so many companies only regard this essential asset as “a necessary cost”. Time to reassess?

Networks can be more flexible, robust, and secure when you ditch the hardware. Take a look at this short question-and-answer guide to get the low-down on SD-WAN.

Significant improvement in Wi-Fi means the technology is now a critical component for many businesses. Take a look at some of the latest developments.

Understanding and addressing the challenges of the always-on economy.

How Digital Leaders operate in the 24x7 marketplace (plus, nine points to set your IT on fire in 2019).

Right-sizing your tech is essential to ensuring you have exactly the right amount of resources available at all times - and ensuring you don’t overspend.

The key to bridging the digital divide is data – or more specifically how you use data. Find out why businesses are failing to deliver on customer expectations.

As Microsoft continues to develop and improve Office 365, a wide suite of tools have emerged in recent years. But one area stands out as their current priority, and it's all about team collaboration.

Deciding which identity management model you are going to adopt - Claranet - Understanding identity management options in Office 365

As with the roll out of any new system, training for Office 365 is essential for users.

With 170 subscriptions available with Office 365, how can you be sure your organisation has taken out the right mix?

We can’t promise you a platinum record, but we can guarantee a platinum Microsoft Office 365 experience.