DevOps approaches have become a fixture in most businesses. But integration with security operations is lagging behind.
In February, for example, we surveyed 100 senior IT decision-makers with a series of questions around DevOps, and an overwhelming majority (88%) said their businesses had either adopted this approach or plan to do so in the next couple of years.
Gene Kim's trailblazing 2012 blog post, Why We Need DevOps Now, gives many reasons why they should. According to the co-author of The Phoenix Project:
“By putting DevOps patterns into practice, organizations like Etsy, Netflix, Facebook, Amazon, Twitter and Google are achieving levels of performance that were unthinkable even five years ago: tens or even hundreds of code deploys per day, while delivering world-class stability, reliability and security.”
The challenge is often one of time. DevOps teams want to move faster than security teams are used to with legacy processes. For example, DevOps teams cannot wait the weeks it usually takes to have infrastructure provisioned and firewall rules updated. Yet that is still the status quo within most organisations.
A separate entity
Given the frequent development cycles that are an inherent characteristic of DevOps, treating security as a separate entity slows the process down and reduces efficiency. This leads either to a compromise in agility, which is central to any DevOps philosophy, or to windows in which vulnerabilities can be released and will not be spotted until the next security testing cycle.
To remedy this issue and help the IT department transition effectively to a DevSecOps approach, training of staff throughout the IT department is essential, as is the adoption of new approaches to security testing that allow for continuous monitoring and analytics throughout the DevOps lifecycle (whether planning, coding, pre-production, or even decommissioning).
While the benefits of DevSecOps are clear, actually making it a reality is a complex process that cannot be completed overnight. Working out how to implement and automate application security, such as continuous monitoring and static analysis, within existing CI/CD pipelines takes time and effort. What's more, the latest approaches to security testing, such as continuous security testing, need to be understood to ensure that any testing approach keeps up with the rate of change that DevOps approaches allow for.
As we have seen, the fact that a fifth of organisations doubt their capability to deliver DevSecOps shows a significant disconnect between DevOps capabilities and DevSecOps readiness.
- DevOps has rapidly become the de facto way of working for the vast majority of IT departments.
- But fewer than one-in-five are fully confident in their ability to integrate security into the process.
- To ensure they are not opening themselves up to attack, businesses need to embed security best practice into the entire DevOps lifecycle.
- New approaches, such as continuous security testing, mean that development cycles can move fast and stay secure.