Why Security And DevOps Must Coexist
I recently had the pleasure of moderating a lively discussion with security leaders at the SINET Innovation Summit 2019 in New York. The conversation explored one central question: Can security and DevOps coexist?
DevOps is a well-adopted practice that fosters an agile relationship between development and IT operations by advocating better communication and collaboration between these two functions. Every organization represented on the panel (including two of the largest financial services companies) has a mature DevOps program with security baked into its practices.
I’ll provide my own insights on this topic, lay out key takeaways from the discussion and address challenges companies face as they adopt secure DevOps.
Second Place Is The First Loser: Security Works To Win The Race
We have arrived at an inflection point for the modern software development life cycle. The conjoining of the engineering side of many organizations with IT operations has been a necessity in the age of rapid digital transformation. DevOps, the agile relationship between the two, has led many development and operation groups to excel at swiftly iterating and delivering new software products and updates across devices, applications, networks and more. As an example, Netflix engineers allegedly release code thousands of times every day to stay ahead of fierce competitors like Hulu and Amazon Prime.
A common trait of the organizations represented on the panel is the understanding of — and execution on — the fact that security needs to be inserted into DevOps to ensure that it does not get left behind.
No company can escape the impact software innovation is having on its business, and none can compete without investing in software development. At one of the companies represented on the panel, the CIO recently took on the responsibility of managing the entire development team, which is growing by leaps and bounds.
As development and IT (and security by extension) increasingly come together under the CIO, the security leaders on the panel were clear that inserting security into DevOps is a mindset and a shared responsibility. Within their organizations, everyone involved in the process has a role to play in enhancing security. For example, application architects, who own the very first phase of DevOps (the application's requirements), have a vantage point for security work that cannot be done at any later phase: decisions about what data the application handles and who may reach it are cheapest to get right before a line of code is written.
We also discussed "shifting security left" in the modern software development life cycle rather than bolting security on at the end. Security at the end didn't work yesterday, and it won't work as we continue to move toward a world where the only way to beat the competition is to deliver new functionality to customers faster and securely.
Avoid Cloud Vendor Lock-In
Panelists also pointed to deploying applications in hybrid and multicloud environments as a way for larger institutions to create seamless, automated and secure environments while avoiding cloud vendor lock-in. From a DevOps perspective, this means deployment processes must be mirrored across every cloud the organization uses, so that the same security controls are applied consistently regardless of where a given workload lands.
Application Security Becomes Key, But It Can’t Be A Burden
One reality many participants face when integrating security with DevOps is the cost of managing security. Billions are spent on network and endpoint security today. The problem is that when organizations develop their own software and deploy it in the cloud, those perimeter and endpoint tools sit outside the application and provide far less protection for it. This is when application security becomes key.
Inserting security into DevOps has to make it easy for developers. As they move faster, they can’t be burdened by waiting for and interpreting scan results to fix vulnerabilities.
Software code has two states — a source code form and a running-in-production form. If we bridge the knowledge of both states, correlating what a scanner finds in the source with what the running application actually exposes, we can address the security of this explosion of code far more easily and accurately in the midst of the agile software development life cycle, all without burning out the development team.
Convert Security Requirements Into Code
A significant reason that DevOps adoption is growing is that much of what IT has done historically is now automated through code. In the past, when a new application was ready for production, IT needed to manually buy or provision a server, deploy it and install the application. Now they use code to provision a server on Amazon Web Services or Azure and run the application, almost automatically. What used to take days now takes minutes or seconds.
Something similar needs to happen with security within DevOps. Determining the security requirements for a particular app today is very manual: Security asks developers what kind of data the app handles and then hands back the requirements (e.g., a mobile banking app that handles account and payment data faces very stringent requirements). Successful organizations use application security tools to scan the application, determine the data it handles and convert the resulting requirements into code automatically, so the requirements become machine-checkable policy that runs in the pipeline rather than a document that is read once.
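The following Python sketch illustrates the idea of requirements as code. It is an added example written for this page, not tooling from the article or from any panelist's organization; the data classifications, control names, check logic and the manifest schema it evaluates are all assumptions made for the illustration. Given the data classes an application declares, it derives the set of required controls and checks a deployment manifest against them, returning the failures so a pipeline can gate on the result.

```python
"""Security requirements as code (illustrative, assumed schema throughout).

Data classes declared by an app -> required controls -> checks run against
the deployment manifest. Everything here is a constructed example.
"""

# Assumed mapping from data classification to the controls it demands.
# A real program would derive the data classes from scanner output; here
# the app declares them in its manifest.
REQUIREMENTS_BY_DATA_CLASS = {
    "public": {"tls_in_transit"},
    "internal": {"tls_in_transit", "authn_required"},
    "pii": {"tls_in_transit", "authn_required", "encryption_at_rest",
            "audit_logging"},
    "payment_card": {"tls_in_transit", "authn_required", "encryption_at_rest",
                     "audit_logging", "secrets_in_vault", "no_debug_endpoints"},
}

# Keys in an env block that indicate a secret has been inlined instead of
# being fetched from a vault at runtime (heuristic, assumed).
SECRET_KEY_MARKERS = ("secret", "password", "token", "apikey")


def _volumes_encrypted(m):
    # An app with no volumes has nothing to encrypt at rest; the check passes.
    return all(v.get("encrypted") is True for v in m.get("volumes", []))


def _no_inline_secrets(m):
    return not any(any(marker in k.lower() for marker in SECRET_KEY_MARKERS)
                   for k in m.get("env", {}))


# Each control is a predicate over the (assumed) manifest schema.
CHECKS = {
    "tls_in_transit": lambda m: m.get("ingress", {}).get("tls") is True,
    "authn_required": lambda m: m.get("auth", {}).get("mode") in {"oidc", "mtls"},
    "encryption_at_rest": _volumes_encrypted,
    "audit_logging": lambda m: "audit" in m.get("logging", {}).get("sinks", []),
    "secrets_in_vault": _no_inline_secrets,
    "no_debug_endpoints": lambda m: m.get("debug", False) is False,
}


def derive_requirements(data_classes):
    """Union of the controls required by every data class the app handles."""
    required = set()
    for data_class in data_classes:
        if data_class not in REQUIREMENTS_BY_DATA_CLASS:
            # Unknown classification must fail closed, not silently pass.
            raise ValueError(f"unknown data class: {data_class}")
        required |= REQUIREMENTS_BY_DATA_CLASS[data_class]
    return required


def evaluate(manifest):
    """Return (required_controls, failing_controls) for a manifest."""
    required = derive_requirements(manifest.get("data_classes", []))
    failures = sorted(c for c in required if not CHECKS[c](manifest))
    return required, failures


def gate(manifest):
    """Pipeline gate: True only if every derived requirement is satisfied."""
    return evaluate(manifest)[1] == []


# Constructed sample manifests (not real deployments).
MOBILE_BANKING = {
    "name": "mobile-banking-api",
    "data_classes": ["pii", "payment_card"],
    "ingress": {"tls": True},
    "auth": {"mode": "oidc"},
    "volumes": [{"name": "ledger", "encrypted": True},
                {"name": "cache", "encrypted": False}],   # fails at-rest check
    "logging": {"sinks": ["stdout"]},                      # no audit sink
    "env": {"DB_PASSWORD": "s3cr3t"},                      # inline secret
    "debug": False,
}

MARKETING_SITE = {
    "name": "marketing-site",
    "data_classes": ["public"],
    "ingress": {"tls": True},
}

if __name__ == "__main__":
    for app in (MOBILE_BANKING, MARKETING_SITE):
        required, failures = evaluate(app)
        print(app["name"], "requires", sorted(required))
        print("  gate:", "PASS" if not failures else f"FAIL {failures}")
```

The banking manifest is rejected on three derived controls (an unencrypted volume, no audit log sink and a password inlined in the environment) while the public site, which handles no sensitive data, passes with only TLS required. The point is that nobody had to ask the developers what the app handles or read a requirements document: the classification drives the controls, and the controls are executable.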
Don’t Overlook The Software Supply Chain
More and more applications that companies build today use third-party software, including open source libraries and frameworks (in the case of one company we work with, up to 80-90% of an application's code comes from third parties). The concern is that the more third-party software developers pull in, the larger the attack surface: every dependency is code the organization did not write, may not have reviewed and may not be tracking for vulnerabilities. The discussion among the panelists on this point focused on ensuring that the software supply chain is taken into account as part of inserting security into the DevOps process.
When reflecting on the SINET conversation as a whole, it was great to see how some of the largest and most influential companies are viewing the intersection of DevOps and security and the steps being taken to bridge the gap between the two. My subsequent articles for this column will dig deeper into the takeaways summarized here.