DevOps is quickly evolving from an experimental phase into the standard approach to application development and delivery. It breaks down the barriers between developers and IT operations, speeding up development projects. However, that speed can also create significant security risks if the IT security team is brought into the process only after DevOps has released a new product.
The recent DigiCert “2017 Inviting Security into DevOps Survey” finds that a vast majority of enterprises are in fact working to integrate security into their DevOps methodologies. For them, agility means more than speed; it also means efficiency and predictability of development outcomes. Yet companies are discovering that time pressure and a clash of cultures present several obstacles.
In May 2017, DigiCert commissioned a survey of 300 senior management executives within IT, DevOps and security teams. The respondents represent only organizations that have already adopted DevOps, across small, medium and large enterprises.
Ninety-eight percent of enterprises surveyed have made integrating their security teams into their existing DevOps methodology a priority, to increase business agility and improve information security. The market has reached a tipping point, with roughly half (49%) working on the integration and the other half (49%) reporting they have completed it.
A majority of respondents (88%) say integrating security into DevOps without slowing the development process is a somewhat to extremely important step to take. They warn that failure to do so can lead to problems:
- 78% cite increased costs
- 73% cite slower app delivery
- 71% cite increased security risks
“The security team was adamant from the get-go that DevOps included security,” said one respondent who is an IT manager for a large healthcare provider. “They wanted to make sure that every angle of attack, every potential vector, every potential risk could be thought of ahead of time to minimize the potential for patient data to be exposed publicly.”
The end result is well worth the time and effort. Those who have completed the integration are much more likely to report success on both the security and the agility side:
- 22% more likely to report doing well with information security
- 21% more likely to report doing well at meeting app delivery deadlines
- 21% more likely to report doing well at lowering app risk
As you might expect, making this transition isn’t an easy or quick process. Respondents cited several challenges, including that it takes too long, security teams are resistant to making the change, and that there is no one with the requisite strong relationship skills who can break down the cultural barriers and effectively guide the process.
The integration of agility and security requires a combination of technology improvements and a cultural shift in how technical staff is aligned. The survey findings point to four best practices necessary for success:
1. Appoint a Social Leader: Identify one person who will drive cultural change by clearly defining IT, security, DevOps roles and integrating the disparate teams.
2. Bring Security to the Table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and implement automated PKI to require signing and encrypting of everything within the network.
3. Invest in Automation: Automate baseline security practices within the DevOps workflow, including certificate management, patching, vulnerability scanning and static code analysis.
4. Integrate and Standardize: Implement controls on standard security processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes.
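One concrete way to automate the certificate-management piece of practice 3 as a pipeline gate, written as an added example for this page rather than taken from DigiCert's products or the survey: the gate parses every PEM certificate it is handed (a config file, a mounted secret, a bundle pulled from a container image) and reports any that are expired, close to expiry, on a too-short RSA key, or signed with a weak algorithm, so the build fails before the certificate does in production. The Policy thresholds, the example.test hostnames and the three self-signed sample certificates are constructed here purely so the code runs offline; in a real pipeline the input would be the certificates the build actually ships.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy is the hypothetical baseline the gate enforces on every certificate it finds.
type Policy struct {
	MinRemaining time.Duration // fail if less validity than this remains
	MinRSABits   int           // fail RSA keys shorter than this
}

// CheckCert returns one "subject: problem" line per policy violation.
func CheckCert(cert *x509.Certificate, pol Policy, now time.Time) []string {
	var out []string
	fail := func(format string, a ...any) {
		out = append(out, cert.Subject.CommonName+": "+fmt.Sprintf(format, a...))
	}
	switch {
	case now.Before(cert.NotBefore):
		fail("not yet valid")
	case now.After(cert.NotAfter):
		fail("expired on %s", cert.NotAfter.Format(time.RFC3339))
	case cert.NotAfter.Sub(now) < pol.MinRemaining:
		fail("only %s of validity left, renew now", cert.NotAfter.Sub(now).Round(time.Hour))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < pol.MinRSABits {
		fail("RSA key is %d bits, minimum is %d", pub.N.BitLen(), pol.MinRSABits)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		fail("weak signature algorithm %s", cert.SignatureAlgorithm)
	}
	return out
}

// CheckPEM parses every CERTIFICATE block in pemData and checks each one
// against pol. Keys and CSRs in the same file are skipped, not rejected.
func CheckPEM(pemData []byte, pol Policy, now time.Time) ([]string, error) {
	var findings []string
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		findings = append(findings, CheckCert(cert, pol, now)...)
	}
	return findings, nil
}

// selfSigned mints a throwaway self-signed certificate for the constructed sample set.
func selfSigned(cn string, notBefore, notAfter time.Time, pub crypto.PublicKey, priv crypto.Signer) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // good enough for a sample; real CAs use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleCerts is constructed input: one healthy certificate, one that expires
// in five days, and one on a deliberately short 1024-bit RSA key.
func SampleCerts(now time.Time) []byte {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	hour, year := time.Hour, 365*24*time.Hour
	return bytes.Join([][]byte{
		selfSigned("api.example.test", now.Add(-hour), now.Add(year), &ecKey.PublicKey, ecKey),
		selfSigned("legacy.example.test", now.Add(-hour), now.Add(5*24*hour), &ecKey.PublicKey, ecKey),
		selfSigned("old-rsa.example.test", now.Add(-hour), now.Add(year), &rsaKey.PublicKey, rsaKey),
	}, nil)
}
```

Wired into a pipeline, a small main would call CheckPEM on each PEM file the build produces or mounts, print the findings, and exit non-zero when the list is not empty; with a 30-day renewal threshold and a 2048-bit RSA minimum, the constructed sample above yields exactly two findings (the five-day certificate and the 1024-bit key) and passes the healthy one. The renewal threshold is the important knob: it turns the check from "is it expired" into "will it expire before the next scheduled release", which is what keeps an automated certificate lifecycle from surprising the on-call engineer.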
Addressing a security vulnerability after an application is released grinds the development process to a halt as the security and development teams spend time and money to fix a problem. Fortunately, the DigiCert survey reveals agility and security are not mutually exclusive. Enterprises need to optimize both to succeed, and integrating security into DevOps is a critical step toward empowering a culture of continuous improvement.
DigiCert Chief Technology Officer Dan Timpson is responsible for DigiCert's technology strategy and driving development that advances PKI innovation and simplifies digital certificate management for the company’s enterprise SSL and IoT customers. Prior to joining DigiCert, Timpson managed a Security Development Lifecycle (SDL) team for Microsoft and oversaw a team at Novell that tested identity and access management systems. Timpson has a BS in Computer Science & Information Technology and an MBA from Westminster College.