DevOps and security can coexist with a little planning
Source – techtarget.com
“If you’re not thinking about security at all, it’s crazy.”
Those words, from Ari Weil, vice president and senior director of industry marketing at Akamai, neatly sum up his frustration with the so-called DevSecOps landscape. Despite well-publicized security breaches, most DevOps teams continue to think about security too late in the process. DevSecOps — with its promise to bake security in from the beginning — could help. But, today, this movement is nascent at best. And while Akamai now offers new tools designed to jump-start an effort bundling DevOps and security, Weil is quick to say the challenges will not be resolved by technology alone.
“I don’t think tools will make this happen, but in the same breath, without the right tools people have no ability to get ahead of this thing,” Weil said.
The problem Weil outlined is relatively simple: Teams today develop apps so quickly security cannot keep up. The historic antipathy that exists between developers and security professionals doesn’t help either. This results in so much dysfunction that even the choice of an API (are you sure it’s secure?) can be fraught.
If those words resonate, don’t despair. Weil has three concrete steps any team can take to bring DevOps and security together. They’re even relatively painless.
Start where you are
Take a moment and look at where your organization is on the digital transformation journey, Weil suggested. Then, step back and ask how your team can build an externally-facing application that uses existing staff and tools and could include some security.
“We know devs aren’t enthusiastic about this,” Weil admitted. “But they’ll accept security measures if they don’t get in the way of development.”
The key is to ask the question, “What steps have I built in to the process to make the app safer?” Obviously, if you answer “none,” you’ll have a problem when it comes to DevOps and security.
The next step is to reach out to the person or team in your organization responsible for security. It’s vital to establish an ongoing relationship with the security pros, Weil said.
Embrace the worst case
Since bad things are probably going to happen, Weil’s last piece of advice is spot on: Evaluate your security vendors or whoever is responsible for the app once it’s deployed. Then, ask them all your DevOps and security questions.
“What is the run book for when I come under attack?” Weil offered. “What is the process of reporting? What is the communication channel? What is the [service-level agreement]? If I can understand those basics I can at least start building a cross-functional security effort”.
Ironically, if the breach isn’t handled well, it can steer teams away from a security mindset.
“A lot of times, companies don’t know what questions to ask when something bad happens, or they only find out about a breach through social media,” Weil said.
Get ahead of the problem and create a plan in advance. It will act as a roadmap of sorts and can also provide peace of mind.