We’re down to our last few days in this year’s National Cyber Security Awareness Month. But before it ends, we’d like to add one more piece to our Why Security Matters blog series.
We’ve already talked about why security matters to business leaders and compliance professionals. However, there’s another set of stakeholders who voraciously consume cloud resources and therefore also need to understand the importance of embracing security best practices. We’re referring to members of the DevOps profession, those tasked with delivering applications and services at breakneck speed.
Is Security Detrimental to DevOps?
There’s a common misconception that security hinders DevOps processes. How pervasive is this misconception? Well, a DevOps-centric study found that while 99% of respondents believe that security is essential for DevOps, only 20% of these programs have security incorporated into their processes.
Perhaps in the minds of this 80%, security practices and tools only stymie – or even break – the agile development processes inherent in DevOps environments. Why would they believe that? Well, traditional security tools, which may lack built-in automation and scalability functions, certainly can’t keep up with rapidly changing code and infrastructure.
Continuous delivery deployments, for instance, may only take a couple of hours; sometimes even just minutes. By comparison, the process of configuring and deploying security solutions on the underlying IT infrastructure can take days or weeks. Bottlenecks in CI/CD (continuous integration/continuous delivery) pipelines are a possibility if manual tools with automated toolchains are forcibly integrated.
In addition, companies that don’t operate in the cyber security industry have other priorities – like shipping products and services as fast possible. After all, the ability to achieve faster time-to-market is one of the key reasons these companies invested in cloud computing and DevOps in the first place. Team leaders are understandably pressured by management to already bring in some ROI out of those projects.
Because security isn’t always perceived as a value-add for those outside of security-focused organizations, these businesses and their DevOps teams just treat it as an afterthought. And, as we’ve already shown how security impacts the bottom line in Part 1 of our blog series, that perception is simply wrong. In the reasons below, we outline why security matters for the development side of the house.
Why security matters for DevOps
Reason #1: Helps Identify and Remove Vulnerabilities Earlier in the Development Process
Speed is integral to DevOps. Unfortunately, the fast-paced nature of highly automated DevOps integration and delivery pipelines can make it susceptible to vulnerabilities. These vulnerabilities can be overlooked when security practices like tests, documentation, code reviews, and threat modeling are skipped in favor of agility.
The fact that most DevOps processes run in the cloud doesn’t help either. In a cloud environment, computing resources (CPU, memory, etc.), virtual servers and practically the entire infrastructure can be built through scripts. Although the use of scripts greatly simplifies and expedites server provisioning and computing resource allocation, it also increases the potential for vulnerabilities introduced through misconfigurations.
For instance, a minor misconfiguration in the script for your identity management system may expose volumes of sensitive data or clusters of mission-critical servers to threat actors.
A holistic approach to DevOps and cloud security with the right tools can help you recognize vulnerabilities early in the software development lifecycle. This is critical. By identifying and fixing vulnerabilities early in the SDLC (software development lifecycle) you can avoid the economic, operational and reputational risks of avoidable security incidents.
Reason #2: Provides Seamless Integration of Security Into Deliverables
Implementing DevOps-ready security early in the development process also has the added benefit of streamlining the process itself. When you enable security teams to do what they do best – i.e. perform vulnerability scans, analysis, tests and monitoring as well as provide feedback to DevOps – before the application is deployed into production, you eliminate situations that call for DevOps teams to carry out major revisions or complete overhauls in their code.
According to a 2016 study, “high performing DevOps teams,” (those with security addressed at every stage of development), spent 50% less time fixing security issues2.
When security is bolted-on late in the process, it can potentially interfere with certain functions and adversely impact the performance of either the applications or the infrastructure (or both) just because it wasn’t meant to be there in the first place. By contrast, if you bake security into the development process, its integration with the finished product can be more seamless.
Ultimately, you don’t have to sacrifice agility for security if you do things the right way. The “right way” implies not only the use of appropriate security solutions but also close coordination between DevOps and security operations (SecOps).
Reason #3: Encourages Collaboration Between DevOps and SecOps
Incorporating security earlier in the development process can also have a positive impact on the relationship between your DevOps and SecOps teams. While not diametrically opposed, depending on the structure of your organization, these two teams don’t often align for effective collaboration. Bringing SecOps too late in the development cycle or treated as a hindrance, can create friction between the two teams, limiting effectiveness and, as we discussed above, creating vulnerabilities.
Instead, by bringing in SecOps early and often, DevOps can build rapport – and better security practices – a result that everyone can be happy with.
That concludes our three-part series on why security matters for the entire organization – whether you’re a business leader, compliance professional or in DevOps. We hope what you’ve learned here has enhanced your understanding and appreciation of cyber security and how everyone plays a role in its effectiveness.
It might sound trite, but teamwork is the only way we’re going to stop threat actors. If we’re all on the same page, they don’t stand a chance.