What Happens When You Add Security to DevOps? DevSecOps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
DevOps
Commentary
1/23/2019
02:00 PM
Bill Kleyman
Bill Kleyman
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
Google+
RSS
50%
50%

What Happens When You Add Security to DevOps? DevSecOps

Implementing DevSecOps means taking your existing DevOps initiative to the next level, and getting security teams involved at the start of the Dev process.

I’ve gone head-first into the world of DevOps, and, it’s been an amazing ride. I’ve had many of my own misconceptions blown away after learning the deep culture and philosophy behind DevOps. That and surrounding myself with people who actually implement the concepts of DevOps have been absolutely enlightening as well.

If you still need a primer check out my DevOps 101 article for a bit more detail. Otherwise, just remember that DevOps isn’t just two words combined together. DevOps is all of the following:

  • A cultural shift in how processes, code, and technology are delivered
  • A philosophy around continuous development and integration with users, business, and even market dynamics
  • A practice that continuously evolves
  • A tool to help deliver services and applications at market-ready speeds
  • A process to help companies innovate at a much faster pace than what traditional (or legacy) software tools and infrastructure could offer

Today, we look at another extremely critical concept: Security as it is "injected" into the entire DevOps process. Before we go on, it’s important to note that there’s already some level of security testing and validation happening even in traditional DevOps practices. However, DevSecOps takes this concept and development operations much further.

Image: anathomy - stock.adobe.com
Image: anathomy - stock.adobe.com

“When an organization adopts true DevSecOps practices, you’ll start to see noticeable change within the code and the production applications,” stated Adam Auerbach, vice president and co-head of DevTestSecOps Practice at EPAM, in a recent interview. “Operations teams will move from service providers to real enablers. This means spending more time on critical things like automation to enable developers to have more control over standing up new environments and promoting code.”

Let’s pause here. Injecting security into DevOps can be a contextual practice. What are you developing? What’s the environment? Is it on premise or is it in the cloud? Are you dealing with sensitive data points? At a high level, you continue with your existing DevOps practice while introducing more concepts around "secure coding". This means incorporating both governance and security controls into your development operations. So, you are building around code availability, integrity, and confidence.

From there, you focus on three core areas that bring the security into the development operations process:

Code, service, and data classification. Understanding the type of data that’s being used. Classifying zones and access perimeters. Types of services being leveraged. This can include microservices and containers.

Assurance and automation. Integrating full SDLC controls and audits, continuous code and artifacts scanning, integrated and intrusive security testing. This can also include some manual code reviews.

Policy and process. Analyzing business and resiliency metrics, understanding policies and compliance (GRC), and working with architecture and coding guidelines and best practices.

Code security analysis. Leverage tools that help catch security issues early during development, identify weaknesses in code at exact line locations, testing of dependencies and services. This can also include the identification of integrated and very complex vulnerabilities.

All of that being said, many will argue that one of the most important pieces of DevSecOps is the process of automating security practices within DevOps. The idea is to maintain short and frequent development cycles, integrate security measures with minimal disruption to operations, keep up with innovative technologies like containers and microservices, and all the while foster closer collaboration between commonly isolated teams. However, as RedHat points out, this can be a tall order for any organization. All of these initiatives begin at the human level -- with the ins and outs of collaboration at your organization — but the facilitator of those human changes in a DevSecOps framework is automation.

However, you can’t get stuck on automation alone. In fact, one of the biggest mistakes when creating a DevSecOps practice is only looking at things like tools and automation to do the work for you. “DevSecOps is rooted in lean manufacturing and the theory of constraints,” states EPAM's Auerbach. “While automation will create efficiencies, most likely the biggest improvements can be made when automation is aligned to changes in organizational structure and cultural patterns. The other mistake is leaving security and performance testing out of the equation. While they are more challenging to solve, they will restrict you at some point in the process.”

This means incorporating things like penetration testing, infrastructure audits, and even development processes reviews. Many organizations will go as far as creating ‘pen teams’ analyzing how a target tolerates real attacks, how far an attacker can actually go, analyzes governance and control, and even looks at vulnerabilities within the infrastructure (VPN, WiFi connections, servers, networks, etc.).

Final thoughts and some DevSecOps best practices

As you look at your own practice, how are you involving security with your development process? As a chef in your own kitchen, it might be best to sometimes get an outside opinion. This means working with partners and organizations that are deeply involved in the DevSecOps practices field and those that can guide you in the right direction.

But, to leave you with some food for thought. Here are three things to think about when working to go from DevOps to DevSecOps:

  1. When you’re defining your own DevOps and DevSecOps practice, it’s absolutely critical to make sure that your InfoSec teams have a seat at the table. Their insight will prove valuable in designing safer and more secure applications.
  2. Ensure that security and performance are treated with the same expectations as other quality gates.
  3. “Help the teams understand how to interpret and be proactive with security and performance tuning and troubleshooting,” adds Auerbach. There needs to be a balance between user experience and the amount of security that’s injected into the DevOps process. This is where a good practice can create the right equilibrium to produce quality code, securely, while still focusing on tuning and experience.

  Bill Kleyman brings more than 15 years of experience to his role as Executive Vice President of Digital Solutions at Switch. Using the latest innovations, such as AI, machine learning, data center design, DevOps, cloud and advanced technologies, he delivers solutions ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Commentary
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
Slideshows
Flash Poll