SecurityWeek

What Security Teams Need to Know about DevOps

DevOps is already in use among 19% of IT organizations, with another 19% in a pilot phase. Another 35% intend to implement DevOps in 2017, thereby “crossing the chasm” next year, according to survey results announced by a major analyst firm whose conference on data center, infrastructure and operations was held last week.

As DevOps becomes mainstream, there is an inevitable draw to incorporate security into the discipline. Whether the term “DevSecOps” catches on or not, the idea that security must “shift-left” to move earlier into the software supply chain is an idea whose time has come.

What is DevOps?

Before addressing the future of including security in DevOps, it may be helpful to define DevOps. One of the challenges is that every DevOps program is a snowflake. George Spafford, one of the authors of the popular DevOps book The Phoenix Project, once said, “Ask five different people to define DevOps and you get seven different answers.”

Gartner has a definition of DevOps, but it uses insider terms that may not be accessible to those unfamiliar with agile development methods. There is resistance to defining DevOps at all, because an industry-wide standard would run counter to the goal of implementing it in the way that best fits each company and delivers the business results it needs.

Therefore, without a standard definition, it is helpful to understand the history. Agile development was created due to pressure from businesses to innovate faster. The release velocity of development, though, can only be as fast as infrastructure and operations allow. So the pressure for development and operations to work more collaboratively is the impetus for DevOps.

DevOps is a grass-roots movement, and while debate about its definition continues, there does seem to be a growing consensus that it rests on these big principles:

• DevOps exists to help the business win

• The scope is broad, but centered on IT

• The foundations are in Agile and Lean

• (Collaborative) culture is important

• Feedback is fuel for innovation

• Automation helps

Ultimately, DevOps is about a collaborative, agile approach to solving business problems or seizing business opportunities with information technology.

How does DevOps intersect with security?

If DevOps is being used in your organization, here are ways that security can support the effort using the six principles listed above:

1. DevOps exists to help the business win – Security has the reputation of being the “department of no”. While mitigating risk through policy will remain an important component of information security, business requirements must be an equal contributor to those policies rather than having them based on security practices alone. Instead of operating as two opposing attorneys who each advocate for their own position, the business must be informed of risks and sign off on them, while security, in collaboration, must consider foremost how to help the business compete.

2. The scope is broad, but centered on IT – In order for the business to win in a world being transformed by digitalization (think about what Uber has been doing to the taxi industry), IT stands at the center of this transformation. But it does not stand alone. An alignment of company effort with HR, finance, operations and even external suppliers is necessary. Information security should continuously seek to make their interactions as frictionless as possible, within the risk tolerance and regulatory requirements of the business.

3. The foundations are in Agile and Lean – Understanding the Agile manifesto and lean principles, taken from manufacturing operations at Toyota, will go a long way towards helping security professionals join in on DevOps. Security must align to efforts towards continuous integration/delivery/deployment and offer proactive means of eliminating constraints (such as time waiting on approvals) in the software supply chain.

4. Culture is very important – One of the most critical differences between DevOps and what has come before is the emphasis on collaboration. This is a cultural mindset of sharing common goals to achieve and measurements that represent business rather than technical outcomes. Security must join in collaborative efforts to reduce risk rather than acting as disassociated critics.

5. Feedback is fuel for innovation – Experimentation and learning are important to DevOps, and both require sufficient feedback, especially from the business. That feedback needs to be exposed to everyone so that improvement and greater innovation can follow, but this depends on practices like “blameless postmortems” to improve the system. Security culture must avoid becoming a blame culture within DevOps.

6. Automation helps – Automation brings the advantages of faster and more consistent delivery with higher quality. Tools are a force multiplier for DevOps, but aren’t the foundation. Automation can’t force collaboration, but it does make it easier. Security tools to test, certify or monitor should be included in the tool chain for DevOps, and their output shared broadly for the sake of improvement.
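As an added illustration of the sixth principle (this is example code written for this page, not a tool the article names or a product of any vendor mentioned), the script below shows what a security test step in a DevOps tool chain can look like: it audits a pinned dependency list against an advisory feed, blocks the build only on severities the team has agreed are blocking, and writes a JSON report intended to be published as a pipeline artifact so the output is shared broadly rather than kept inside the security team. The lockfile contents, package names, versions and advisory IDs are constructed for the example and are not real packages or advisories; the “name==version” lockfile format and the severity threshold are assumptions.

```python
# Added example (not from the article): a minimal dependency-audit step that a
# CI pipeline can run as a security gate. Package names, versions and advisory
# IDs below are constructed for illustration, not real advisories.
from __future__ import annotations

import json
import sys
from typing import Iterable

# Constructed sample lockfile in "name==version" form (assumed format).
SAMPLE_LOCKFILE = """\
# constructed sample, not a real project
examplelib==1.2.0
helperkit==0.9.3
netutils==2.4.1
"""

# Constructed sample advisory feed. "fixed_in" is the first version that is
# not affected; any pinned version below it is flagged.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "fixed_in": "1.3.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "netutils", "fixed_in": "2.0.0", "severity": "medium"},
]

# Severities that block a build (assumed policy); lower ones are reported
# in the shared output but do not fail the pipeline.
BLOCKING_SEVERITIES = {"high", "critical"}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> dict[str, str]:
    """Map package name -> pinned version, ignoring blank lines and comments."""
    pins: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(lockfile_text: str, advisories: Iterable[dict]) -> list[dict]:
    """Return one finding per advisory whose package is pinned below fixed_in."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # package not used by this project
        if parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "pinned": pinned,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
            })
    return findings


def gate_passes(findings: list[dict]) -> bool:
    """Fail the build only when a finding meets the agreed blocking severity."""
    return not any(f["severity"] in BLOCKING_SEVERITIES for f in findings)


def build_report(findings: list[dict]) -> str:
    """JSON report meant to be published as a pipeline artifact for everyone to see."""
    return json.dumps({"passed": gate_passes(findings), "findings": findings}, indent=2)


if __name__ == "__main__":
    results = audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)
    print(build_report(results))
    # A non-zero exit is what makes the pipeline stop at this stage.
    sys.exit(0 if gate_passes(results) else 1)
```

Run as a pipeline stage, the script exits non-zero on the constructed sample because examplelib 1.2.0 is below the fix version 1.3.0 and the advisory is rated high; the medium finding against netutils is not raised because the pinned 2.4.1 is already at or above its fix version. The threshold in BLOCKING_SEVERITIES is the place where the business and security agree on what risk is acceptable, which is the collaboration the principles above call for.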

2017 is the year for information security teams to align with the work being done in DevOps, whether you call it DevSecOps or not, and to become a better partner to both the business and the rest of IT. Your business is depending on that ability to seize opportunities and stand up to the pressures of digitalization by innovating faster while lowering risk.
