DevOps has taken hold across today's public and private sectors, allowing organizations to adapt, deploy, and recover their applications at astounding rates, which keeps their bottom lines headed in the right direction. One of AttackIQ's customers is onboarding more than 200 applications this year alone to streamline government. That is an enormous leap forward for the organization and its constituents.
But at the same time, there is an ongoing debate about how to integrate security practices with DevOps effectively, and the problem has many aspects. Applying traditional secure development practices to the unique world of DevOps does not solve it completely, and applying traditional IT security practices can be just as ineffective. The high rate of infrastructure and application change that DevOps makes possible is an advantage to many (or even most) business stakeholders, but my colleagues in the security space cringe at the consequences they now have to worry about. To make matters more difficult, there is rarely a clear owner for the many security concerns unique to DevOps, largely because security has not traditionally been a focus for the people tasked with implementing DevOps practices.
Your security and DevOps teams likely hold different goals. According to Gartner, 77 percent of IT professionals believe security slows them down, and slowing things down has traditionally worked in the security team's favor: it buys time for review. But in DevOps, slow just doesn't work; by design, DevOps encourages rapid and frequent action and change.
Adding to the security team's difficulties are the continuous automation and process integrations inherent in DevOps. Defensive controls aimed at the applications and infrastructure that DevOps practices produce are likely to lose visibility into the security posture of a technology stack that is constantly changing. A CISO at a large bank recently told AttackIQ that he had "zero" visibility into the effect of DevOps on his organization's security posture.
And finally, as with any cross-functional challenge, communication is a problem, and best practices for the relationship between DevOps and security teams are still being developed. Everyone is running fast, and hardly anyone is talking. Instead of integrating security into DevOps practices, organizations run security in parallel with their DevOps teams, and far behind their pace. Security teams end up chasing down the openings created by infrastructure and application changes after deployment. Forced into a reactive mode, they never catch up or keep pace with the rate of change.
Operationalize and Integrate Security Practices into DevOps
It's time to integrate security tools and processes into DevOps practices. These integrations should run the gamut from secure development lifecycle practices for application development, to infrastructure security practices that harden and verify assets, and most importantly, they should be built around processes that ensure security does not fall behind DevOps. "Security as Code", the idea at the core of DevSecOps, can be built on the same kind of cycle that is the foundation of DevOps: security checks and hardening steps are written as code, versioned alongside the application and infrastructure definitions, and run automatically on every change. That gives security practitioners a mechanism to integrate with DevOps rather than trail behind it. To operationalize it, your goals should include:
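As an added illustration of the "Security as Code" idea above (example code written for this page, not AttackIQ's or FireDrill's code): a small policy gate that a CI/CD pipeline would call before a deploy. The checks live in the repository as ordinary code, so they are reviewed, versioned and executed on every change exactly like the build itself. The manifest shape (`image`, `run_as_user`, `privileged`, `env`) and the `${vault:...}` secret-reference syntax are assumptions for the example, and both sample manifests are constructed.

```python
# Added example: a policy-as-code deploy gate. Not AttackIQ/FireDrill code.
# The manifest format and the "${vault:...}" reference syntax are assumed.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str  # "high" findings block the deploy; "medium" only warns
    detail: str


# Constructed sample: a change as a developer might push it.
UNSAFE_MANIFEST: Dict = {
    "service": "payments-api",
    "image": "registry.example.internal/payments-api:latest",
    "run_as_user": 0,
    "privileged": True,
    "env": {
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "hunter2",                    # literal secret
        "API_TOKEN": "${vault:payments/api-token}",  # reference, not a value
    },
}

# Constructed sample: the same service after the findings are fixed.
HARDENED_MANIFEST: Dict = {
    "service": "payments-api",
    "image": "registry.example.internal/payments-api@sha256:" + "a" * 64,
    "run_as_user": 10001,
    "privileged": False,
    "env": {
        "DB_HOST": "db.internal",
        "DB_PASSWORD": "${vault:payments/db-password}",
        "API_TOKEN": "${vault:payments/api-token}",
    },
}

SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)
VAULT_REF = re.compile(r"^\$\{vault:[^}]+\}$")  # assumed reference syntax


def check_root(m: Dict) -> List[Finding]:
    # A missing run_as_user is treated as root: fail closed, not open.
    if m.get("run_as_user", 0) == 0:
        return [Finding("no-root", "high", "container runs as uid 0")]
    return []


def check_privileged(m: Dict) -> List[Finding]:
    if m.get("privileged"):
        return [Finding("no-privileged", "high",
                        "privileged mode removes the container/host boundary")]
    return []


def check_image_pinned(m: Dict) -> List[Finding]:
    image = m.get("image", "")
    if "@sha256:" not in image:
        return [Finding("pin-image", "medium",
                        f"image {image!r} is not pinned by digest")]
    return []


def check_plaintext_secrets(m: Dict) -> List[Finding]:
    out = []
    for key, value in m.get("env", {}).items():
        if SECRET_KEY.search(key) and not VAULT_REF.match(str(value)):
            out.append(Finding("no-plaintext-secret", "high",
                               f"{key} holds a literal value"))
    return out


# The policy is just a list of functions: adding a rule is a code review.
POLICY: List[Callable[[Dict], List[Finding]]] = [
    check_root, check_privileged, check_image_pinned, check_plaintext_secrets,
]


def evaluate(manifest: Dict) -> List[Finding]:
    findings: List[Finding] = []
    for check in POLICY:
        findings.extend(check(manifest))
    return findings


def deploy_allowed(manifest: Dict) -> bool:
    """Pipeline gate: block on any high-severity finding, warn on the rest."""
    return not any(f.severity == "high" for f in evaluate(manifest))


if __name__ == "__main__":
    for name, m in (("unsafe", UNSAFE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        for f in evaluate(m):
            print(f"[{f.severity}] {name}: {f.rule}: {f.detail}")
        print(f"{name}: deploy {'allowed' if deploy_allowed(m) else 'BLOCKED'}")
```

Run it and the unsafe manifest is blocked with three high findings (root, privileged, literal `DB_PASSWORD`) plus a warning about the unpinned image, while the hardened manifest passes cleanly. The point is not the specific rules but where they live: in the same repository and the same cycle as the application, so the security team's checks run at DevOps speed instead of after deployment.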
At AttackIQ, our FireDrill platform is being used to help operationalize and integrate security practices into DevOps. Our customers leverage automation and real-world attack scenarios to identify threats, validate the posture of the security stack their DevOps practices affect, and optimize that posture as they evolve. Please let me know if you'd like to learn more about how we can help you do the same.