Security and DevOps – What We Learned at DOES17

The adoption of DevOps has implications for security teams, regardless of whether the name evolves to become “DevSecOps” or some other inclusive term. Digital transformation in the business – using software services to compete – requires faster code releases, which DevOps can deliver. Security can be a bottleneck to release velocity, but leading organizations are learning how to blend DevOps and security practices. Some are sharing their experiences for us to learn from.

At the end of 2016, I wrote an article titled “What Security Teams Need to Know about DevOps,” where I shared that “DevOps is already in use among 19% of IT organizations, with another 19% in a pilot phase. Another 35% intend to implement DevOps in 2017.” These were statistics shared during a major analyst’s data center conference in December 2016. 

I attended the same conference in December 2017 and the current survey indicates that 41% of enterprise organizations are using DevOps, while 40% say their organizations are piloting or planning to implement DevOps in 2018. So the numbers were a little optimistic for 2017, but we still should expect that the majority of enterprises will be using some form of DevOps by the end of this year. 

Consider the following security advice delivered during the last DevOps Enterprise Summit (DOES17), November 13-15 in San Francisco.

Security needs to shift from being a gatekeeper to enabling security by default

The way we’ve traditionally approached security doesn’t scale in a DevOps world, according to Zane Lackey, Co-Founder and Chief Security Officer of Signal Sciences, in his session How to use DevOps to make you more secure (video).

His core point is that internal security can’t see itself as a sort of third party to the organization, interjecting security policies and controls as they see fit. Rather, security needs to provide resources to help DevOps teams become “security self-sufficient,” baking security into the DevOps pipeline. His prescription is to bring security-relevant data up to become a peer to operationally-relevant data so that performance problems related to security incidents become more obvious. (The slides for this session are also available in PDF format for download on Dropbox.)

Bake security into your pipeline

How do you build a secure development pipeline that avoids the release of code with vulnerabilities? That’s the question that Shozab Naqvi of Electric Cloud asked in his session, Baking Security into your Pipeline (video).

Code vulnerability testing is frequently bolted on at the end of the software delivery lifecycle, often a day or two before the release date. This puts tremendous pressure on teams to release the code anyway with a known vulnerability and to plan to patch it later. Except that the patch sometimes doesn’t come in time to prevent the data breach. His prescription is to shift security left, meaning, include security experts in scrum teams during the coding, build, test and release stages – not just at release. Watch the video for details on how to protect each of these stages.

If it ain’t broke, try harder

Aaron Rinehart, Chief Security Architect of United Health Group, indicated he was tired of being in the way of developers. His session, DevOps and the Healthcare Giant (video), describes his journey towards using chaos engineering as it relates to the field of information security. 

While security has traditionally focused on preventative controls, there has been less emphasis on planning for the unknown. Chaos engineering is the discipline of experimenting on a system in order to build confidence in the system’s ability to withstand turbulent conditions. Rather than rely on security incidents as a detective measure, Aaron is assessing his detective controls by adding misconfigurations and checking to see if they are detected.

Other specific advice includes:

– Be mean to your code

– Automation is important, but don’t be distracted by it – emphasize simplification and standardization

– Embrace failure as a friend – plan and expect failure and learn from it quickly

(Slides for this presentation in PDF format can be downloaded from Dropbox.)
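To make the “add a misconfiguration and check whether it is detected” idea concrete, here is an added example in Python. It is not code from Aaron Rinehart’s talk or from United Health Group; the security-group model, the two detectors and the sample rules are all constructed for this illustration. The experiment injects one known-bad ingress rule, asks a detective control whether it fired, and always rolls the change back. Running the same set of injections against a detector with a blind spot shows what the exercise is for: it surfaces the gap before an incident does.

```python
"""Security chaos experiment (constructed illustration, not code from the
talk): inject a known misconfiguration into a system, ask the detective
control whether it noticed, and always restore the original state.

Everything here is hypothetical: the security-group model, the detectors
and the sample rules are invented for this example."""
import copy
from dataclasses import dataclass, field
from typing import Callable, List

ANYWHERE = "0.0.0.0/0"                  # source range meaning "the whole internet"
ADMIN_PORTS = {22, 3389, 3306, 5432}    # ports that must never be world-reachable


@dataclass(frozen=True)
class IngressRule:
    port: int
    cidr: str


@dataclass
class SecurityGroup:
    name: str
    rules: List[IngressRule] = field(default_factory=list)


# Constructed baseline: HTTPS to the world, SSH only from a private range.
BASELINE = SecurityGroup("web-tier", [
    IngressRule(443, ANYWHERE),
    IngressRule(22, "10.0.0.0/8"),
])


def detect_world_admin_ports(sg: SecurityGroup) -> List[str]:
    """Detective control: any admin port exposed to the whole internet."""
    return [f"{sg.name}: port {r.port} open to {r.cidr}"
            for r in sg.rules if r.port in ADMIN_PORTS and r.cidr == ANYWHERE]


def detect_world_ssh_only(sg: SecurityGroup) -> List[str]:
    """A narrower detector that only knows about SSH; it has the blind spot
    the experiment is meant to expose."""
    return [f"{sg.name}: SSH open to {r.cidr}"
            for r in sg.rules if r.port == 22 and r.cidr == ANYWHERE]


@dataclass
class ExperimentResult:
    injected: IngressRule
    findings: List[str]
    detected: bool
    restored: bool


def run_experiment(sg: SecurityGroup, injected: IngressRule,
                   detector: Callable[[SecurityGroup], List[str]]) -> ExperimentResult:
    """Inject one misconfiguration, run the detector, then roll back."""
    original = copy.deepcopy(sg)
    sg.rules.append(injected)                 # the deliberate "chaos"
    try:
        findings = detector(sg)
    finally:
        sg.rules[:] = original.rules          # roll back even if the detector raised
    return ExperimentResult(injected, findings, bool(findings), sg == original)


def find_detection_gaps(sg: SecurityGroup,
                        detector: Callable[[SecurityGroup], List[str]],
                        injections: List[IngressRule]) -> List[IngressRule]:
    """Run one experiment per candidate misconfiguration and return the
    ones the detector missed: each is a gap to fix before a real incident
    finds it for you."""
    gaps = []
    for rule in injections:
        result = run_experiment(sg, rule, detector)
        assert result.restored, "experiment must leave the system as it found it"
        if not result.detected:
            gaps.append(rule)
    return gaps


# Constructed list of misconfigurations to try.
INJECTIONS = [IngressRule(22, ANYWHERE), IngressRule(3389, ANYWHERE)]

if __name__ == "__main__":
    for name, det in [("full detector", detect_world_admin_ports),
                      ("ssh-only detector", detect_world_ssh_only)]:
        gaps = find_detection_gaps(BASELINE, det, INJECTIONS)
        print(f"{name}: {'no gaps' if not gaps else 'missed ' + str(gaps)}")
```

The rollback in the `finally` block is the part that makes this safe to run repeatedly against a real environment: the experiment must leave the system exactly as it found it, and `restored` is checked on every run so a failed rollback is itself treated as a failed experiment.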

As DevOps and agile development methodologies take greater root in the enterprise, the traditional tools and approaches for eliminating vulnerabilities in code will no longer be able to keep pace. If your organization is adopting DevOps, then your security practices need to evolve along with the development and operations teams to support the business objectives that are driving this digital transformation.
