Speed and security. Old-fashioned thinking contended that the two were incompatible; that high-velocity development and deployment of apps and software services invariably introduced higher levels of risk. However, it has become increasingly apparent that speed is a necessary aspect of security. The stakes are sky-high, with some estimates projecting that the annual cost of cybercrime losses and damage will reach $6 trillion by 2021.

Fast-forward to the case for using DevOps and automation to bolster security. Before we proceed, everyone who knows what we mean by "DevOps" please raise your hand. About 95 percent of you? Good. Although there are obviously many complexities, the simplest way to explain it is in equation form: Development + Operations = DevOps. For organizations, employing a DevOps model means eliminating silos between your development and operations teams to accelerate your ability to deliver applications and services. With DevOps, engineers from both disciplines typically work together on a single team in a speedier process that is continuous rather than segmented or tiered. “This speed enables organizations to better serve their customers and compete more effectively in the market,” says tech behemoth Amazon.

While there is widespread agreement around the benefits of DevOps (75 percent of executives in a recent survey), many enterprises are slow to make the transition (in the same survey just 20 percent described their adoption level as high). And you won’t be surprised to learn that the chief roadblock in the DevOps transformation journey is the concern we’ve already cited above—speed vs. security.

Fear not... introducing DevSecOps (Development + Security + Operations = DevSecOps). Boom, problem solved! According to CSOonline.com:
“The simple premise of DevSecOps is that everyone in the software development life cycle is responsible for security, in essence bringing operations and development together with security functions. DevSecOps is about introducing security earlier in the life cycle of application development, thus minimizing vulnerabilities and bringing security closer to IT and business objectives.”
Obviously, it’s not that simple. From a technological standpoint, it’s actually quite complex. But some would argue that, here and now in the fast-changing digital age, it is actually a no-brainer, particularly once you factor in the game-changing impact of automation.

Automation helps DevOps teams and DevSecOps teams ensure that security is baked in right from the start. By deploying a comprehensive automation platform (one that spans development, testing, ops and security), organizations gain visibility and control over the development life cycle along with a closed-loop pipeline for testing, reporting and resolving potential security concerns. More automation means less risk of security flaws caused by human error, and if something does go awry, automation can make the problem easier to pinpoint and fix. When confronted with a security vulnerability or breach, DevSecOps automation enables you to more quickly develop, test and deploy a software patch or update.

Enhanced process governance is another key benefit of automation, since it can be leveraged to ensure consistent development, testing and release practices. A robust DevSecOps toolchain that leverages the full power of automation—seamlessly collecting and organizing all data on build, test cycles, integration cycles, deployment, release processes and more—essentially creates a ready-made, easy-to-access audit trail, security log and compliance report all rolled into one.

The case for DevSecOps automation is also made every day by the black-hat hackers of the world. With attack development continuing to evolve at what is often referred to these days as “the breakneck speed of technology,” the hackers are fast and agile. The people in charge of creating secure systems had better be as well. Part of the fate of information and cyber security specialists is to always be playing catch-up.
However, DevSecOps enables cyber security teams to go on the offensive with automated tools that help them shift from a more case-specific posture to deploying continuous defense mechanisms in response to the ever-evolving security landscape.

Finally, a bit of prognostication to close the conversation: All indications suggest more organizations are undergoing operational transformations to embrace next-generation DevOps automation.
About the Author: Michelle Moore, Ph.D., is academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cyber security policy analyst with over two decades of private-sector and government experience as a cyber security expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.