Monday, August 20, 2018
By Gary Ramah, Fuel User Group Board Member
The Importance of DevSecOps
Over the past several years, there have been considerable changes to IT infrastructure. The addition of new technology, including cloud computing, dynamic provisioning and shared resources, has increased the speed and agility of IT while also affecting its cost. The result is that application development is now stronger than ever.
Because applications in the cloud are now larger and faster, development and operations (DevOps) practices have had to become faster as well. This also means so-called “big bang” application launches are no longer prevalent; thanks to integrated development, we now see faster releases and better stability in applications.
However, security still lags behind, which is why its incorporation from the start is paramount to the success of preventing hacks from occurring. This means the transformation of DevOps to DevSecOps.
What is DevSecOps?
DevSecOps means every stage in software development has a role to play in its security. It brings development (Dev) together with operations (Ops) by providing security (Sec) from the start, and automating tasks afterwards. The goal is to maximize security while minimizing potential mistakes, errors, or openings that might allow for compromise.
How DevSecOps Works
Understanding DevSecOps starts with the belief that everyone is responsible for the security of the software. From upper management to technology-focused employees, security must be incorporated into everyone’s day-to-day work. It is not surprising that traditional security leadership is now found in the board room; while that has increased the effectiveness of decision-making, it has also created issues.
Security is a skill that is separate from the production arm of the business, and placing it only at the top creates friction and slows down operations. This is mostly due to the scarcity of proper security education. Without enough people working together on the same page, the speed at which business operators want to work cannot be achieved without undue risk to the security of the information being stored or transmitted.
Issues with Security
Many security options have simply not caught up with the rapid pace of change in the industry. That is not surprising given the incredible advances seen so far, but without proper protection such systems are even more vulnerable. In addition, installing security systems is a time-consuming task that works against standard DevOps procedures.
It is arguably no surprise that security was an afterthought at first, mostly slapped on to the end product. However, as more systems are becoming compromised, it has become apparent that the traditional approach of DevOps is lacking and that security needs to become an integral part of the process from the get-go.
There are numerous benefits to the DevSecOps approach, starting with the reduction of mistakes that often plague systems where security is added at the end. Building security in from the start creates a process that can be automated, which also reduces the chances for error. Here are just a few ways teams benefit with DevSecOps in place.
Automation: Automating the process means that security architects need not manually configure the consoles that are part of the security system. This means fewer mistakes and faster production once the systems are in place.
Testing Systems: Leaving security as an afterthought may cause unexpected issues with the software or create a conflict that interferes with the function of the product. In either case, this extends the testing period, which causes more delays and runs up costs. Placing security at the forefront allows for more complete testing of systems throughout the process. Additionally, systems can be tested as they are being developed, which means faster repairs.
Minimizes Disputes: It may seem counterintuitive at first, but there are fewer issues and disputes when security measures are incorporated from the beginning. This allows security professionals to make necessary changes, adapt coverage and address needs more efficiently while minimizing potential disputes, compared to asking for changes after the systems have been completed.
By going a step at a time, the disputes become smaller, less frequent and easier to manage. In most situations, by the time the process is complete, mutual agreement has been reached.
In addition, the security controls established from the start are built on during the production process. This leads to greater security, if only because disputes are handled quickly, issues are addressed in a timely manner and disruptions are minimized. While it is true that this is a more time-consuming process, once the new system has been put into place, the employees trained and the security accepted, it proceeds at a fairly good clip.
The DevSecOps mindset makes it easier to accommodate security changes down the road. By handling security at all levels, new advances in technology or simple upgrades to security systems are put into place more easily and with fewer disruptions. There will still be a dedicated team that understands the business, uses the proper tools to locate flaws, conducts proper testing and sees it through to the end. The end result is not only worth it when finished, but also reduces costs once the system goes online.
It is not easy to adopt DevSecOps where DevOps has been dominant. It requires a change in process and a slower, more deliberate approach. However, once in place, the new mindset leads to a better cooperative system in which business operators work side by side with those who make security decisions and use the appropriate tools in the process.
Gary Ramah is a Fuel User Group Board Member and lead network security architect at the Walt Disney Company. You can follow him on Twitter at @DevSecOpsGuy.