You’d have to be hiding under a rock to have missed the explosion of DevOps in recent years, but with a dramatic increase in visibility and popularity comes more than a modicum of unsubstantiated opinion and rumor about exactly what DevOps is and what benefits it might confer upon organizations that adopt it.
Information security folks have so far been at the receiving end of the DevOps toolchain, often trying to deal with the shifting ground beneath our feet using tools and techniques that were designed for the past. It’s not working, which isn’t all that surprising.
It doesn’t have to be this way, however.
If your organization is moving towards DevOps as the way work gets done, and you’re in information security, you don’t have to sit on the sidelines and wait for the coach to put you in. Gene Kim, researcher, author, and one-time founder of Tripwire, has quite a lot to say about the intersection of DevOps and security in his books The Phoenix Project and The DevOps Handbook. He’ll also say a fair bit of it aloud during an upcoming webinar on the topic, which I have the pleasure of co-hosting.
In preparing for this event, there was one topic that really stuck with me and resonated with the many customer conversations I’ve had. One of the key principles in DevOps involves eliminating the handoffs between groups, effectively shortening the cycle between feedback and change. To do that, telemetry is key.
You can easily imagine how connecting developers with direct feedback about how customers use their product could dramatically improve their ability to solve customer problems. The research that Gene has conducted and published clearly demonstrates that DevOps processes can extend their benefits to foundational security controls as well.
Information security suffers from the very same tax of multiple handoffs and too many hands. The myriad data that security tools produce today is the telemetry that the responsible parties need in order to be more effective at reducing risk.
In other words, if we work towards the same principle of eliminating handoffs and reducing cycle time, information security can not only more effectively reduce risk but also use DevOps tools and processes instead of fighting them. Think of this as integrating security telemetry into the organization; it’s the antithesis of the ‘report and validate’ approach many organizations use today.
Imagine if you could streamline the process between vulnerability discovery and mitigation, or between unauthorized change detection and remediation. Today, organizations spend significant resources on these processes, but the procedures often don’t produce the desired results.
The result of closing those loops is not only better integration of information security objectives into everyone’s daily work but also dramatically improved security and organizational outcomes.
There’s more to say on this topic and a few examples to consider. Of course, there’s more than one way to integrate security into DevOps. In fact, there are three ways that Gene discusses in The Phoenix Project. We’ll cover them in his webinar.
If you’re looking to get a better handle on DevOps and security, this is a good opportunity to learn directly from an expert.