With the general increase in security focus, the question of how security fits into DevOps has gained interest. When the risk of a successful attack increases, security becomes a must. The fact is that 80 percent of the participants in Gartner's survey DevSecOps: How to Seamlessly Integrate Security Into DevOps, from September last year, cited concern about security flaws as one of the reasons they are having problems with their agile initiative. So how can you guarantee security with DevOps?
Terms such as DevSecOps and Rugged DevOps have been coined to try to identify what is unique about security within DevOps. There is also a strong belief that the processes and thinking that DevOps consists of create increased opportunities for improved security. However, all of this assumes that security becomes a part of DevOps and not a separate function. In other words, security must be built into your pipeline and managed continuously.
The fact is, however, that reality proves to be different. Hewlett Packard Enterprise created a report called Application Security and DevOps, based on data from the HPE security team, market-leading companies and individual developers, and found that only 20% of the participants perform Software Development Lifecycle (SDLC) testing. The results also showed that a surprising 17% do not use any technologies at all to protect their applications. So the question remains: how do you guarantee security with DevOps?
Automation as the most important tool
Most people know automation as a valuable tool for achieving continuous integration and continuous delivery. It can, however, also be used to improve security, by applying the same mentality to security as to code changes. By working continuously and using tools for automation, you can deliver code more safely and faster.
Instead of spending time on rework, bug fixes or other post-release work, you should work on security at the same speed as development. There is, of course, no way to completely eliminate errors and bugs, but by using tools such as WhiteSource or Black Duck, you can check your dependencies against known security flaws and stay a step ahead. These tools allow for automated and continuous checks, creating a standard for security.
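As an added example (not code from the original post, and not WhiteSource's or Black Duck's tooling), the following Python script sketches the kind of automated check such a pipeline stage performs: it reads a pinned requirements file, compares each version against an advisory list, and fails the build when a known-affected version is found. The advisory feed, package names, versions and advisory ids are constructed placeholders; a real gate would pull its advisories from a vendor database.

```python
# Added example: a minimal dependency-vulnerability gate for a CI stage.
# Not code from the original post or from WhiteSource/Black Duck; every
# package name, version and advisory id below is a constructed placeholder.
# Constructed advisory feed (a real gate pulls this from a vendor database):
# (package, first affected version, first fixed version or "" if unfixed, id)
ADVISORIES = [
    ("examplelib", "1.0.0", "1.4.2", "EXAMPLE-ADV-001"),
    ("othertool", "2.0.0", "", "EXAMPLE-ADV-002"),
]
# Constructed requirements.txt content, as the CI job would read it from the repo.
REQUIREMENTS = "examplelib==1.3.0\nothertool==2.5.1\nsafepkg==0.9.0\n"

def parse_version(v):
    # Numeric dotted versions only; tuples compare lexicographically.
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Map lower-cased package name -> pinned version for 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, _, version = line.partition("==")
            pins[name.strip().lower()] = version.strip()
    return pins

def is_affected(version, introduced, fixed):
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed == "" or v < parse_version(fixed)

def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, pinned version, advisory id, fixed-in) for each hit."""
    hits = []
    for package, introduced, fixed, advisory_id in advisories:
        ver = pins.get(package.lower())
        if ver is not None and is_affected(ver, introduced, fixed):
            hits.append((package, ver, advisory_id, fixed or "unfixed"))
    return hits

def gate(requirements_text, advisories=ADVISORIES):
    """Return a CI exit code: 0 = clean, 1 = a known-affected version is pinned."""
    hits = find_vulnerable(parse_requirements(requirements_text), advisories)
    for package, ver, advisory_id, fixed in hits:
        print(f"FAIL {package}=={ver}: {advisory_id} (fixed in {fixed})")
    return 1 if hits else 0

if __name__ == "__main__":
    raise SystemExit(gate(REQUIREMENTS))
```

Wired into a pipeline, the non-zero exit code is what blocks the build until the pinned version is moved past the fixed-in version or the finding is explicitly accepted.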
Continuous work together
Collaboration is one of the keys to doing DevOps successfully. You need to collaborate not only across development and operations, but also make room for security. A few examples of good ways to do so are:
- Continuously work on security policies
- Regularly do security training and education
- Include security best practices
- Make security a part of company culture
When everyone helps each other improve, that includes security. With input from subject-matter experts, both development and operations can improve their daily work and guarantee security with DevOps. Security teams can in return adopt DevOps culture and values, for example by organizing their work visibly on Kanban boards and adapting agile principles.
Guarantee security with DevOps: DevSecOps
In order to move from DevOps to DevSecOps, everyone needs to be included and work together. It is likely that nobody will talk about DevOps in the future and will instead use terms such as DevSecOps, or similar ones. It is impossible to overlook the value of continuous security work, regardless of what you choose to call it. You and your organization can improve even more if you combine classical DevOps with support from security; of this we are certain.
Have you started working with integrating security into DevOps? What do you do to guarantee security with DevOps? Let us know in the comments below!