DevOps, and its close cousin, DevSecOps, are transforming how quickly businesses can deploy applications. Embracing this change, with all its cultural implications, is a must for security to keep pace with the rest of IT.
As we step into the new year, we will be launching a blog series to dive deeper into the DevOps movement, from how your organization can measure the success of its efforts to how the relationships between team members are projected to mature in 2018.
Good News/Bad News
What is certain is that the melding of minds between developers, security pros and operations is good news for IT. Baking security into the application development process has a longstanding place in the hearts of those penning lists of best practices. Unfortunately, as breaches continue to show, security is often an afterthought when it comes to meeting production deadlines.
Just as application development needs to be agile, it also needs to be secure. Hackers are unforgiving, and poor coding practices can be costly. For example, media reports about the recently disclosed Uber breach state that hackers accessed a private GitHub account used by Uber software developers, stole user credentials, and then used those credentials to access Uber data stored elsewhere and ultimately hold it for ransom.
Eliminating silos between application development and security teams is critical. DevSecOps creates new opportunities to simplify security, such as taking advantage of automation to speed testing and avoid slowing down deployment. It also empowers your organization to change its approach to updating and patching software.
In the SANS Institute’s “2017 State of Application Security: Balancing Speed and Risk” survey, when asked to choose the ways that described most accurately how they repaired discovered vulnerabilities, 53 percent said through patches or upgrades to the runtime environment. Forty-seven percent said vulnerabilities are handled at the root cause level by secure software development life cycle (SDLC) practices. As noted in the report, strong collaboration between developers and security teams makes identifying issues early in the SDLC easier.
This is all of course easier said than done. In early 2017, InformationWeek and Interop ITX asked 300 North American technology professionals about their feelings on DevOps. Half of those surveyed said they had either implemented DevOps or were planning to in the next 12 months. When asked what the biggest impediments to DevOps were, their top three answers were: “lack of demand from the business” (33 percent); “lack of expertise” (31 percent); and “other technologies or business priorities take precedence” (29 percent).
To address these challenges, CISOs should make the case for how DevSecOps can make IT – and therefore the business – more effective. Once business leaders understand what can be achieved through DevSecOps, getting organizational buy-in will become easy. The harder part is building a strong working relationship between SecOps and DevOps teams. Security must be a part of app development conversations early on, and both sides should embrace an automation framework that makes the job of building, updating and securing applications easier.
Marrying these two teams may not be easy at first, but it can be very rewarding. Judging by the number of breaches rooted in poor patching and coding practices, tying the knot between security, developers and operations enables each group to jointly address the challenges they share. With the right amount of collaboration, DevSecOps can deliver the business outcomes and productivity that gets the new year off to the right start.