Security and DevOps – What We Learned at DOES17

The adoption of DevOps has implications for security teams, regardless of whether the name evolves to become “DevSecOps” or some other inclusive term. Digital transformation in the business – using software services to compete – requires faster code releases, which DevOps can deliver. Security can be a bottleneck to release velocity, but leading organizations are learning how to blend DevOps and security practices. Some are sharing their experiences for us to learn from.

At the end of 2016, I wrote an article titled “What Security Teams Need to Know about DevOps,” where I shared that “DevOps is already in use among 19% of IT organizations, with another 19% in a pilot phase. Another 35% intend to implement DevOps in 2017.” These were statistics shared during a major analyst’s data center conference in December 2016. 

I attended the same conference in December 2017 and the current survey indicates that 41% of enterprise organizations are using DevOps, while 40% say their organizations are piloting or planning to implement DevOps in 2018. So the numbers were a little optimistic for 2017, but we still should expect that the majority of enterprises will be using some form of DevOps by the end of this year. 

Consider the following security advice delivered during the last DevOps Enterprise Summit (DOES17), November 13-15 in San Francisco.

Security needs to shift from being a gatekeeper to enabling security by default

The way we’ve traditionally approached security doesn’t scale in a DevOps world, according to Zane Lackey, Co-Founder and Chief Security Officer of Signal Sciences, in his session How to use DevOps to make you more secure (video).

His core point is that internal security can’t see itself as a sort of third party to the organization, interjecting security policies and controls as they see fit. Rather, security needs to provide resources to help DevOps teams become “security self-sufficient,” baking security into the DevOps pipeline. His prescription is to bring security-relevant data up to become a peer to operationally-relevant data so that performance problems related to security incidents become more obvious. (The slides for this session are also available in PDF format for download on Dropbox.)

Bake security into your pipeline

How do you build a secure development pipeline that avoids the release of code with vulnerabilities? That’s the question that Shozab Naqvi of Electric Cloud asked in his session, Baking Security into your Pipeline (video).

Code vulnerability testing is frequently bolted on at the end of the software delivery lifecycle, often a day or two before the release date. This puts tremendous pressure on teams to release the code anyway, with a known vulnerability, and plan to patch it later. Except that the patch sometimes doesn’t come in time to prevent the data breach. His prescription is to shift security left, meaning: include security experts in scrum teams during the code, build, test and release stages – not just during release. Watch the video for details on how to protect each of these stages.

If it ain’t broke, try harder

Aaron Rinehart, Chief Security Architect of United Health Group, indicated he was tired of being in the way of developers. His session, DevOps and the Healthcare Giant (video), describes his journey towards using chaos engineering as it relates to the field of information security. 

While security has traditionally focused on preventative controls, there has been less emphasis on planning for the unknown. Chaos engineering is the discipline of experimenting on a system in order to build confidence in the system’s ability to withstand turbulent conditions. Rather than rely on security incidents as a detective measure, Aaron is assessing his detective controls by adding misconfigurations and checking to see if they are detected.
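As an added illustration (not code from the talk or from this article), here is a small Python harness in the spirit of that experiment: each run injects one constructed misconfiguration into a copy of a constructed environment model, runs the detective controls, and reports which injected faults went undetected. The environment model, the detectors and the faults are all assumptions built for this example.

```python
from copy import deepcopy

# Constructed baseline environment model (not a real system): firewall rules
# per service and storage buckets with their settings.
BASELINE = {
    "firewall": {"web": {"allow": [{"port": 443, "src": "0.0.0.0/0"}]},
                 "db": {"allow": [{"port": 5432, "src": "10.0.0.0/8"}]}},
    "buckets": {"backups": {"public": False, "encrypted": True}},
}

# Detective controls under test: assumed stand-ins for the checks a
# monitoring pipeline would alert on.
def detect_open_db_port(env):
    return any(r["port"] == 5432 and r["src"] == "0.0.0.0/0"
               for svc in env["firewall"].values() for r in svc["allow"])
def detect_public_bucket(env):
    return any(b["public"] for b in env["buckets"].values())
DETECTORS = {"open_db_port": detect_open_db_port,
             "public_bucket": detect_public_bucket}

# Each experiment injects one misconfiguration and names the detector that
# should fire; None means no control is known to cover this fault.
def inject_db_exposed(env):
    env["firewall"]["db"]["allow"].append({"port": 5432, "src": "0.0.0.0/0"})
def inject_bucket_public(env):
    env["buckets"]["backups"]["public"] = True
def inject_bucket_unencrypted(env):
    env["buckets"]["backups"]["encrypted"] = False

EXPERIMENTS = [("db_exposed", inject_db_exposed, "open_db_port"),
               ("bucket_public", inject_bucket_public, "public_bucket"),
               ("bucket_unencrypted", inject_bucket_unencrypted, None)]

def run_experiments(baseline=BASELINE, experiments=EXPERIMENTS):
    """Inject each fault into a copy of the baseline (rollback is implicit),
    run every detector, and record whether the expected one fired."""
    if any(fn(baseline) for fn in DETECTORS.values()):
        raise RuntimeError("baseline already trips a detector; fix it first")
    results = {}
    for name, inject, expected in experiments:
        env = deepcopy(baseline)
        inject(env)
        fired = {d for d, fn in DETECTORS.items() if fn(env)}
        results[name] = expected in fired
    return results

def detection_gaps(results):
    """Faults that went unnoticed: the finding the experiment exists to produce."""
    return sorted(n for n, detected in results.items() if not detected)
```

The gaps list is the actionable output: every entry is a misconfiguration that would currently be discovered only by an incident.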

Other specific advice includes:

– Be mean to your code

– Automation is important, but don’t be distracted by it – emphasize simplification and standardization

– Embrace failure as a friend – plan and expect failure and learn from it quickly

(Slides for this presentation in PDF format can be downloaded from Dropbox.)

As DevOps and agile development methodologies take greater root in the enterprise, the traditional tools and approaches for eliminating vulnerabilities in code will no longer be able to keep pace. If your organization is adopting DevOps, then your security practices need to evolve along with the development and operations teams to support the business objectives that are driving this digital transformation.
