In today’s tech and data world, the risk around security is no longer focused on tills, commercial surveillance systems, or locks. Security systems are more focused on data breaches and network security. And as the speed at which DevOps teams are releasing code increases, so comes the increase in security risks to end users.
Rigorous security review phases are eliminated, bypassing important steps to secure data and fix bugs. Rather than wait until after releasing each new update or product to bolt security controls on top, integrating security into the delivery cycle can aid DevOps to do a better job of eradicating gaps and loopholes in the code long before production.
This will lead to lower development costs and faster, more predictable releases. Companies that have begun to integrate security into their DevOps are already seeing a 50 percent decrease in the time spent fixing security issues, according to Puppet’s State of DevOps report.
High-performing organizations have merged security testing and secure coding practices into the organization and SDLC. If you want to keep pace with them, the only way to is to join the integration. The key to merging can come in many different forms, steps, or processes depending upon where your organization is already at. But for most, the key to merging DevOps with security is to it adopt the DevOps culture more than the tools; it’s difficult to enforce slow security processes when a larger majority of the company is moving at a much faster pace.
To move at DevOps speeds, an organization much integrate security testing and bug tracking early on. One of the biggest steps to merging DevOps is automation. Automating security testing is a must – manual configurations aren’t scalable, and secure code reviews just can’t be done 20 to 200 times a day. According to the DevOps dictionary, automation “is used not just to save time, but also prevent defects, create consistency, and enable self-service.”
As security engineers begin working more with developers, they can help to pinpoint problems from the start. They can ensure that data transport is encrypted, integrate automate security checks, and educate team members on the importance of incorporating security into each job role. Adoption of security tech has begun to skyrocket with the increased need for DevOps security, and security engineers will need to investigate DevOps and Cloud security tools.
SAS tools and DAS tools along with penetration vulnerability testers can help test codes at different times in the process. In fact, adopting certain open source tools can help build a SecOps team without breaking your budget. Through adding security into the software development lifecycle, your security will no longer slow down the process.
Another component of the DevOps culture that can make security integration difficult is its spirit of flexibility and quick collaboration. Self-organization is important in DevOps, but it can breed an environment where dozens of different tools are used to manage configuration, deployment and orchestration. By providing and enforcing guidelines for tool selection, you can eliminate risk for monitoring and visibility while also creating standardization around security controls and access.
Unfortunately, most traditional tools don’t alight with other tools used in the DevOps process. Rather than stop using these tools, developers will need to move away from the traditional, familiar tools and start to use open-source tools to help the merge into a DevSecOps. After the focus has shifted to integrated tools and workflows, security for DevOps can be more easily fostered.
As the adoption of the DevOps culture gets underway, security engineers will need to abandon manual gating processes that require vast amounts of human interaction. These processes can introduce more friction to the business flow rather than help. Security teams will also need to find ways to work better with developers rather than writing them off thinking they aren’t interested in security.
The two teams will need to work to become better partners, which can be accomplished by embedding security cheerleaders into DevOps teams to advocate for security. Embedding security techs into the developers teams can also help them better understand the development process with its unique challenges of securing code.
Another step that can help with the merge is to get buy-in from security teams. Unlike developers, security engineers are incentivized to monitor, control, and reduce risk. On the other hand, developers are incentivized to go faster. And faster, and faster.
Finding a balance between the two can be difficult, but not impossible. Managers and developers will need to work collaboratively with security teams and vice versa. Continual education on new services and tools available can help both teams to manage risk and deliver better security and products than ever before.
If you’re already using DevOps tools, I hope this gave you some ideas of how Tripwire can work with your tools and process.
About the Author: Rick Delgado is a freelancer tech writer and commentator. He enjoys writing about new technologies and trends, and how they can help us. Rick occasionally writes for several tech companies and industry publications.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.