Development, operations, and security are fundamentally intertwined. A well-designed, well-developed and well-managed system is the foundation of a secure system. As per the RightScale survey, there was a 21% company-wide adoption of DevOps in 2016, driven by rapid time-to-market, the speed of innovation and competitive pressures.
DevOps must evolve to a new vision of DevSecOps that balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications, and services.
Why is security needed in the DevOps approach?
The rapid adoption of public cloud infrastructure is enabling new levels of cost efficiency, business agility and development capability for organizations of all sizes. It has also shifted the focus away from the traditional perception of security.
DevSecOps is the current trend: rather than applying security to an application towards the end, security is built into every aspect of the development process, from conception through implementation, deployment, and maintenance.
SecDevOps or DevSecOps is about using automation to tackle security-related problems, including composition analysis, configuration management, selecting approved images/containers, the use of immutable servers, and other techniques that address the security challenges facing operations teams. It also helps to eliminate certain classes of attacks.
DevSecOps is a combination of Compliance Operations, Security Engineering, Security Science, and Security Operations. It is designed to allow practitioners to provide value to business partners by focusing on solving security complexity with a customer-back mindset.
Organizations can build their business strategy around DevSecOps to achieve close collaboration between departments, leading to faster, cheaper and more reliable customer service.
DevSecOps as a Business Priority
Adding security to DevOps turns out to be a people and process problem more than a technology problem. In many organizations, these teams work in separate silos with little in common between them.
The CIO's imperative in DevSecOps is to bring the diverse teams together and focus them on the risk and security of the organization.
A successful DevSecOps implementation means directing IT to focus on risk rather than on security for its own sake, which helps to better integrate the business perspective into the process. If you start with security instead, the focus becomes which tools are needed to achieve the ultimate level of security.
By focusing on risk, CIOs help the business understand how IT can contribute to breaking into a new market or experimenting with a new type of analytics, as well as how IT can minimize the potential dangers of doing so.
SecDevOps (Securing DevOps)
The scenario here is an organization embarking on an adoption journey towards a DevOps and agile way of working. There is concern about security and a need for advice on how to embed security into the DevOps style of operation. This implies embedding and ensuring a "secure by design" discipline in the software delivery methodology, using techniques such as automated security review of code, automated application security testing, and educating and empowering developers to use secure design patterns.
DevSecOps (Taking DevOps approach to Security Operations)
The scenario in this case is a security operations team considering adopting a DevOps style of delivering security services. This is all about conceptualizing, developing and deploying a series of minimum viable products for security programs.
For example, when implementing security log monitoring, rather than running a very large, high-value program with a waterfall delivery plan to design, implement, test and then operate a SIEM that ingests and monitors many log sources, run it DevOps style: onboard a small set of sources onto a cloud-based platform and evolve the monitoring capability incrementally.
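The incremental approach described above, as an added example that is not code from the original post or from any SIEM product: a small Python monitor that onboards a single source (sshd authentication messages) with a single detection (repeated failed logins from one address), structured so that onboarding a second source means registering one more parser rather than redesigning the pipeline. The log lines are constructed, and the parser, rule and function names are assumptions made for this example.

```python
"""Minimal security-log monitoring MVP: one source, one detection, room to grow.

Illustrative code added here; not from the original post or any vendor.
Log lines are constructed; names such as parse_sshd and ssh_bruteforce are
assumptions for the sake of the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Event:
    ts: datetime
    source: str   # which onboarded log source produced it, e.g. "sshd"
    kind: str     # normalised event type, e.g. "auth_failure"
    host: str
    user: str
    src_ip: str


# --- Source parsers: one per onboarded log source --------------------------
# Matches syslog-style sshd lines such as (constructed):
#   "Mar  3 10:15:01 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 40022 ssh2"
_SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(line: str, year: int = 2016) -> Optional[Event]:
    """Turn one sshd auth line into an Event; return None for lines this MVP does not model."""
    m = _SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    kind = "auth_failure" if m["result"] == "Failed" else "auth_success"
    return Event(ts, "sshd", kind, m["host"], m["user"], m["ip"])


# Registry of parsers: onboarding a new source is one new entry here.
PARSERS: Dict[str, Callable[[str], Optional[Event]]] = {"sshd": parse_sshd}


# --- Detections ---------------------------------------------------------------
def detect_bruteforce(events: Iterable[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert once per source IP when it accumulates `threshold` auth failures within `window`."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts: List[dict] = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "auth_failure":
            continue
        bucket = failures[ev.src_ip]
        bucket.append(ev.ts)
        while bucket and ev.ts - bucket[0] > window:   # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold and ev.src_ip not in alerted:
            alerted.add(ev.src_ip)
            alerts.append({"rule": "ssh_bruteforce", "src_ip": ev.src_ip,
                           "host": ev.host, "count": len(bucket), "last_seen": ev.ts})
    return alerts


def run_pipeline(lines_by_source: Dict[str, List[str]]) -> List[dict]:
    """Parse every onboarded source, skip sources not yet onboarded, run the detections."""
    events: List[Event] = []
    for source, lines in lines_by_source.items():
        parser = PARSERS.get(source)
        if parser is None:
            continue   # not onboarded yet: a visible gap to fill in a later iteration
        events.extend(e for e in map(parser, lines) if e is not None)
    return detect_bruteforce(events)


# Constructed sample input: six failures from one address, one from another, one success.
SAMPLE_LOGS = {
    "sshd": [
        "Mar  3 10:15:01 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 40022 ssh2",
        "Mar  3 10:15:09 web1 sshd[1235]: Failed password for root from 203.0.113.5 port 40023 ssh2",
        "Mar  3 10:15:17 web1 sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 40024 ssh2",
        "Mar  3 10:15:25 web1 sshd[1237]: Failed password for root from 203.0.113.5 port 40025 ssh2",
        "Mar  3 10:15:33 web1 sshd[1238]: Failed password for root from 203.0.113.5 port 40026 ssh2",
        "Mar  3 10:15:41 web1 sshd[1239]: Failed password for root from 203.0.113.5 port 40027 ssh2",
        "Mar  3 10:15:50 web1 sshd[1240]: Failed password for deploy from 198.51.100.7 port 51001 ssh2",
        "Mar  3 10:16:02 web1 sshd[1241]: Accepted publickey for deploy from 192.0.2.10 port 51122 ssh2",
        "Mar  3 10:16:00 web1 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)",
    ],
    "nginx": ["(not onboarded yet; ignored by this iteration)"],
}

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

The point of the structure is the evolution path the text describes: the first iteration ships one parser and one rule, and each later iteration adds an entry to PARSERS or another detection function, without waiting for a full SIEM design to be finished.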
Here are some examples of common DevOps tools that security teams are now using:
- Chef can be used to automate security testing.
- Puppet can be used to enforce security policies and prove compliance.
- Ansible can be used to define and automate best practices like setting firewall rules, locking down users and groups, or applying custom security policies.
- SaltStack can be used for orchestration and automation of security practices.
Moreover, with a continuous security monitoring platform like Threat Stack Cloud Security Platform, it is possible to combine many of these DevOps tools and, through integrations, use them to further your organization's security goals. That means continuous release cycles can proceed without hindrance while security teams accomplish their goals at the same time.
With the rise of DevSecOps, we get to truly redefine how operations, engineering and security can be brought together to achieve unparalleled success.