DevOps is the process by which developers and IT operations work together to speed up development and production to unprecedented levels, sometimes pushing thousands of updates to production in a single day. Shops that are not high-performing are doing it in weeks, months, or even quarters, explained Gene Kim (@RealGeneKim), author of “The Phoenix Project” and a huge proponent of DevOps production environments.
Delivering that much actionable code to your users is an enormous business advantage. It’s a complete game changer. It’s an incredible way for IT to deliver true business value, said Josh Corman (@JoshCorman), CTO of Sonatype.
Corman and Kim both recognize the value of DevOps, and they also see it as an opportunity for security people to get in on the business success of DevOps. “Information security can no longer be in the way,” said Kim. “They can’t wait six weeks for us to do a security review of code.”
Security has to adapt or it will simply fail, said Corman. “Move us from this pre-ordained failure – this downward spiral where we get more and more insecure, technical debt keeps building up – and actually be a part of the team that’s helping the organization win,” said Kim.
Luckily, said Corman, DevOps drives the behaviors and patterns infosec people want, such as automation, instrumentation, orchestration, hardening, and driving down complexity. Security needs to be a loving member of developers and operations.
For those organizations that haven’t yet started DevOps, Kim agrees it’s not something that comes easily.
“It’ll be the most fun journey that they’ll ever be on, where they’re part of a team where our skills and contributions are valued,” said Kim. “It’s great to be a team. But there’s nothing better than being part of a winning team.”
Title image courtesy of ShutterStock