Secure DevOps: A simple plan to deliver business value
DevOps—the movement to break down silos, deliver software faster, and overall create a better experience for customers—is spreading from startups and experimenters to the enterprise. Many security team leads would cringe at the idea of faster development cycles in an IT department that has even less time and patience for standard security checks, but James Wickett, a senior DevOps engineer, sees not just opportunity, but necessity.
“Traditional information security is going to die if we don’t respond to the way the business is moving.”
The business now knows there’s a competitive advantage in not letting a bunch of code sit on the shelf and gather technical debt, notes Wickett, a speaker, author, and founder of the Gauntlt Rugged Testing Framework. Security has been partly to blame for slow releases, often done in the name of audit and compliance.
“Security’s new role is to not be a blocker, but to help deliver audited, compliant, and security-tested code faster.”
Security teams have to embed themselves into increasingly agile software processes, and drive an awareness of good security practices on the part of developers. Reforming your testing processes is the cornerstone of this change, but before you get there, you’ll have to kick off a cultural shift that gets security people to think about how security serves the business.
From black hat to many hats
“A lot of times, security people tend to silo themselves away,” Wickett says. “They use their own operational tooling and testing practices that others in the organization don’t know much about.” Security leads trying to win acceptance of DevOps practices should do as much as they can, he says, to get their teams thinking and acting like part of the mainline organization.
For example, Wickett suggests that you could skip security conferences like RSA or the Black Hat conference in favor of agile conferences like Velocity or Strata. Send security people into as many cross-functional events and meetings as possible to help them cross-pollinate and see the organization’s objectives in a new light.
Most importantly, do value stream mapping to help the security team see its work in the context of the business’s highest-level goals. The security people must be able to align themselves with the business mission, as well as the reasons for adopting DevOps practices.
Waterfall’s last stand
DevOps is rising rapidly to prominence because it works on both ends of the software delivery spectrum: by joining the disparate groups of development and operations, an overall better product gets delivered. For security teams, that means letting go of traditional workflow models that cluster a huge testing effort at the end of a monolithic release cycle or around compliance and audit cycles. Instead, Wickett says, testing efforts need to be more continuous, better automated, and supported with real-time monitoring and analysis.
To ease the transition, Wickett recommends security team leads focus their efforts in two areas:
1. Inject better security testing inside your delivery pipeline
The key here is getting your security testing tools set up as automated tests and critical checkpoints along the way, so that security isn’t creating a bottleneck. “The old way of security testing code is a really long process,” Wickett says. “Moving your security tests closer to where the code is being written is where the information security team can add real value to the DevOps movement.”
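One way to realize such a checkpoint, added here as an illustration rather than code from the article or from Gauntlt: a small Python gate that a CI job runs against a deployment config, reporting every finding but failing the build only on high-severity ones, so lower-risk issues surface on the dashboard without blocking delivery. The config format, check ids and both sample configs are constructed for this example.

```python
"""Pipeline security gate (added example; config format and checks are constructed)."""
import sys

# Constructed sample: a deployment config as the pipeline would see it before release.
SAMPLE_CONFIG = """\
app_name = shop-api
debug = true
tls_min_version = 1.0
db_password = hunter2
listen = 0.0.0.0:8443
"""

# Constructed sample: the same service after the findings were addressed.
HARDENED_CONFIG = """\
app_name = shop-api
debug = false
tls_min_version = 1.2
db_password_ref = vault:secret/shop-api/db
listen = 127.0.0.1:8443
"""

def parse_config(text):
    """Parse simple 'key = value' lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

# Each check: (id, severity, predicate over the parsed config, message). Ids are constructed.
CHECKS = [
    ("SEC-001", "high", lambda c: c.get("debug", "").lower() == "true", "debug mode enabled in deployable config"),
    ("SEC-002", "high", lambda c: c.get("tls_min_version") in ("1.0", "1.1"), "TLS minimum version below 1.2"),
    ("SEC-003", "high", lambda c: any(k.endswith("password") and v for k, v in c.items()), "credential stored in config instead of a secret store"),
    ("SEC-004", "low", lambda c: c.get("listen", "").startswith("0.0.0.0"), "service binds to all interfaces"),
]

def run_gate(config_text, fail_on=("high",)):
    """Return all findings plus a pass/fail verdict; only severities in fail_on block the build."""
    cfg = parse_config(config_text)
    findings = [(cid, sev, msg) for cid, sev, pred, msg in CHECKS if pred(cfg)]
    blocking = [f for f in findings if f[1] in fail_on]
    return {"findings": findings, "passed": not blocking}

if __name__ == "__main__":
    result = run_gate(SAMPLE_CONFIG)
    for cid, sev, msg in result["findings"]:
        print(f"[{sev.upper()}] {cid}: {msg}")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit fails the pipeline stage
```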
2. Find ways to instrument, monitor, and respond in real time
Today, real-time data analysis can alert you to erratic or suspicious activity almost immediately. The expectation, for operations and security alike, is to be able to have insight into that activity, and isolate and respond to problems as needed. Information security, Wickett says, has been in a silo and slow to share across the organization.
“Right now, dev and ops have more dashboards, monitors, switches, levers, and knobs to know what is happening and make changes to the site in real time. Security needs to adopt instrumentation and monitoring that can be added into these dashboards and monitors, thus becoming more transparent in the organization.”
With the faster delivery cycles, you’re always releasing new code. A solid attack detection and monitoring strategy is key. “More rapid testing cycles, combined with better real-time monitoring, will help you not just to keep up,” he says: “You will add tremendous value to the business.”
Just make sure the tooling reforms are preceded by business alignment and cultural acceptance of Agile. “Tooling is not going to help you if you have significant deficits in those areas,” Wickett says.