Integrating Security into DevOps Takes Care - InformationWeek
07:00 AM
Dan Timpson, CTO at DigiCert
Dan Timpson, CTO at DigiCert

Integrating Security into DevOps Takes Care

It makes sense to involve IT security with DevOps, but the integration isn't as easy as it sounds.

DevOps is quickly evolving from the experimental phase to becoming the standard approach to application development and delivery. It breaks down the barriers between developers and IT operations, speeding up development projects. However, that speed can also create significant security risks if the IT security team is not brought into the process after DevOps releases a new product.

The recent DigiCert “2017 Inviting Security into DevOps Survey” finds a vast majority of enterprises are in fact working to integrate security into their DevOps methodologies. For them, agility means more than just speed but it’s also about providing efficiency and predictability of development outcomes. Yet, companies are discovering that Father Time and the clash of cultures present several obstacles.

DigiCert in May 2017 commissioned a survey of 300 senior management executives within IT, DevOps and Security teams. The respondents represent only organizations who have already implemented a DevOps posture across small, medium and large enterprises. 

Ninety-eight percent of enterprises surveyed have made integrating their security teams into their existing DevOps methodology a priority to increase business agility and improve information security. The market has reached a tipping point, with roughly half (49%) working on doing so, and half (49%) reporting the have completed the process.

A majority of respondents (88%) say integrating security into DevOps without slowing the development process is a somewhat to extremely important step to take. They warn that failure to do so can lead to problems:

  • 78% cite increased costs
  • 73% cite slower app delivery
  • 71% cite increased security risks

“The security team was adamant from the get-go that DevOps included security,” said one respondent who is an IT manager for a large healthcare provider. “They wanted to make sure that every angle of attack, every potential vector, every potential risk could be thought of ahead of time to minimize the potential for patient data to be exposed publicly.”

The end result is well worth the time and effort. Those who have completed this integration are much more likely to report an aggregating effect for success in both security and agility.

  • 22% more likely to report they are doing well with information security
  • 21% more likely to report doing well meeting app delivery deadlines
  • 21% more likely to report doing well lower app risk

As you might expect, making this transition isn’t an easy or quick process. Respondents cited several challenges, including that it takes too long, security teams are resistant to making the change, and that there is no one with the requisite strong relationship skills who can break down the cultural barriers and effectively guide the process.

The integration of agility and security requires a combination of technology improvements and a cultural shift in how technical staff is aligned. The survey findings point to four best practices necessary for success:

1. Appoint a Social Leader: Identify one person who will drive cultural change by clearly defining IT, security, DevOps roles and integrating the disparate teams.

2. Bring Security to the Table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, and implement automated PKI to require signing and encrypting of everything within the network.

3. Invest in Automation: Automate baseline security practices within DevOps workflow, including: certificate management, patching, vulnerability scanning, static code analysis.

4. Integrate and Standardize: Implement controls on standard security processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes.

Addressing a security vulnerability after an application is released grinds the development process to a halt as the security and development teams spend time and money to fix a problem. Fortunately, the DigiCert survey reveals agility and security are not mutually exclusive. Enterprises need to optimize both to succeed, and integrating security into DevOps is a critical step toward empowering a culture of continuous improvement.

Dan Timpson, Digicert
Dan Timpson, Digicert

DigiCert Chief Technology Officer Dan Timpson is responsible for DigiCert's technology strategy and driving development that advances PKI innovation and simplifies digital certificate management for the company’s enterprise SSL and IoT customers. Prior to joining DigiCert, Timpson managed a Security Development Lifecycle (SDL) team for Microsoft and oversaw a team at Novell that tested identity and access management systems. Timpson has a BS in Computer Science & Information Technology and an MBA from Westminster College.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
A Data-Centric Approach to the US Census
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  10/12/2018
10 Top Strategic Predictions for 2019
Jessica Davis, Senior Editor, Enterprise Apps,  10/17/2018
AI & Machine Learning: An Enterprise Guide
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  9/27/2018
Register for InformationWeek Newsletters
Current Issue
The Next Generation of IT Support
The workforce is changing as businesses become global and technology erodes geographical and physical barriers.IT organizations are critical to enabling this transition and can utilize next-generation tools and strategies to provide world-class support regardless of location, platform or device
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll