DevOps and Security: Fighting factions or fabulous friends?
Source – cbronline.com
DevOps processes focus on being agile, ahead of the game and able to deliver innovative software quickly and efficiently.
Traditional software security processes prioritise thoroughness over agility and are often implemented as blocking gates at the last stages of software delivery. Because of this, the two approaches are often viewed as being in competition.
It doesn’t have to be this way. More and more security breaches are uncovered every week, and it has become vitally important that security and DevOps work together to integrate and streamline delivery, balancing speed and security without compromise.
The general view is that DevOps is a rapid approach to software development and delivery, enabling a business to quickly introduce new capabilities to its end users, whilst security is seen as careful in its approach, ensuring all vulnerabilities and angles of attack have been considered and mitigated, including detailed audit and approvals. Both of these approaches are valid and vital to the stability and viability of the business. However, the two groups working in these areas aren’t traditionally well integrated, which can lead to misunderstanding and even confrontation.
The finger of blame is often pointed in one direction or the other: at the DevOps team for perpetuating insecure code and bad security practices, or at the Security team for impeding delivery. This is counterproductive and perpetuates an us vs. them mentality, ultimately hindering the business. In fact, the nature of DevOps teams positions them to be more focused on security than legacy development was. Given the right steer on security parameters and priorities, the DevOps and Security teams can work together extremely well. By properly aligning, teams can identify shared pains and objectives and develop a mutually beneficial working process.
Both DevOps and Security are technically minded people with a deep level of expertise. Building on this to develop mutual understanding is key. Both teams have complementary skill sets and can work effectively together. The goal should be to change processes to ensure security and DevOps teams are all involved from the start of a project. This will enable companies to continue to promote talented people.
DevOps in practice relies on automation to ensure that delivery tasks are performed early, often and consistently. This provides a point where security processes can be integrated with DevOps such that security becomes a core part of the development and delivery process.
Automation of security, for example, can include scans that look for code patterns leading to vulnerabilities, controlling and managing third-party component usage, threat modelling, and so on. Even with automated and maintained security processes, human interaction and oversight remain essential (as opposed to handing the whole process over to “full stack” developers): a security expert is needed to examine requirements, educate developers on security vulnerabilities and emerging practices, and conduct code review to look for vulnerabilities. Automation also supports better collection of security-related metrics, so in addition to measuring defect rate and mean time to recovery, we can track vulnerability metrics from code scans.
Teams should automate wherever possible, and where they cannot, integrate security experts into the DevOps team with a focus on collaboration early and often.
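As an added illustration (not code from the original article) of the automated gate described above, the script below applies a policy agreed between Security and DevOps to one pipeline run: it blocks on high-severity scan findings and on third-party components Security has flagged, routes findings in sensitive code paths to a human reviewer, and emits per-severity counts so vulnerability metrics can be tracked alongside defect rate and mean time to recovery. The scan format, component list, blocked-component list and path names are all constructed for the example and correspond to no particular tool.

```python
import json
from collections import Counter

# Constructed sample scan output; the field names are hypothetical, not a real scanner's format.
SCAN_RESULTS = json.loads("""[
 {"id": "F1", "severity": "high",   "rule": "sql-injection", "file": "app/auth/login.py"},
 {"id": "F2", "severity": "medium", "rule": "weak-hash",     "file": "app/util/cache.py"},
 {"id": "F3", "severity": "low",    "rule": "debug-enabled", "file": "app/settings.py"}
]""")

# Constructed third-party component inventory for the build under test.
COMPONENTS = [{"name": "libfoo", "version": "1.2.0"}, {"name": "libbar", "version": "0.9.1"}]

# Hypothetical list maintained by the security team of component versions that must not ship.
BLOCKED_COMPONENTS = {("libbar", "0.9.1")}

# The shared policy: what stops the pipeline outright, and which paths always get a human look.
POLICY = {"block_at_or_above": "high", "sensitive_paths": ("app/auth/",)}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def evaluate(findings, components, policy=POLICY, blocked=BLOCKED_COMPONENTS):
    """Apply the policy to one run; return (passed, report) where report carries the metrics."""
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    counts = Counter(f["severity"] for f in findings)          # metric: vulnerabilities by severity
    blocking = [f["id"] for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    # Anything touching a sensitive path is surfaced to security even if it would not block.
    review = sorted({f["id"] for f in findings if f["file"].startswith(policy["sensitive_paths"])})
    bad_components = [f"{c['name']}=={c['version']}" for c in components
                      if (c["name"], c["version"]) in blocked]
    report = {
        "vulns_by_severity": dict(counts),
        "blocking": blocking,
        "review_required": review,
        "blocked_components": bad_components,
    }
    return (not blocking and not bad_components), report


if __name__ == "__main__":
    ok, rep = evaluate(SCAN_RESULTS, COMPONENTS)
    print(json.dumps({"passed": ok, **rep}, indent=2))
```

Persisting the report from each run gives the trend data (findings per severity over time) that the text suggests tracking next to existing delivery metrics.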
Creating best practice
DevOps and Security teams must collaborate to identify the critical components of each process, while rejecting the parts that are superfluous or unnecessary; over time they should integrate and refine those processes.
One required change is to practise constant collaboration, involving security in the process from the very beginning and throughout. In many cases security teams are only involved at a late stage, after development teams say they are ready to deliver. Instead, they should be involved from the time user stories are developed and throughout the process of developing code and configuring environments. This mitigates the chance of security showstoppers at the end of a delivery cycle, which contribute to the feeling that Security is only there to stop progress.
Another area of focus – one that seems obvious, but is under-addressed – is cross-team communication. Developers should share updates with the security team when a sensitive part of the code is altered or updated, to pinpoint the location of potential vulnerabilities. Likewise, security teams need to flag their priorities and the changing threat landscape to ensure that the DevOps team is given much-needed awareness.
Working towards a single, shared goal
Like everything in DevOps, there’s no single silver bullet which will determine success. Proper implementation requires changes to people, process and tools to create a streamlined and collaborative working environment. A security-first approach isn’t easy for employees, but it’s doable. It is vitally important to keep talented people, and to consider both sides of the fence.
Best practice involves collaborating and communicating with both teams so that everyone is singing from the same hymn sheet. Finally, the tools have to be in place to make the process work for everyone. Automate where possible to reduce team workload and measure effective working in terms of existing metrics.