Modern IT is characterized by a constant and demanding drive for speed. Developments in technology and communication have transformed the inner workings of businesses across the world even in just the last few years, not only for the sake of satisfying the ravenous demands of end-users, but also optimizing efficiency and agility in a way that keeps the most competitive organizations lean.
For a growing number of businesses, this ongoing transformation is driven by DevOps. Understanding and satisfying the need for speed and efficiency is integral to the methodology. DevOps enables greater communication and collaboration within IT pipelines, encouraging an inter-departmental perspective to avoid clashes of interest or unnecessary work. At the same time, its focus on automation enhances pipelines by making key processes fast and reliable.
However, this focus on speed and efficiency can lead to major problems within DevOps teams. The quality of end products and services remains essential, and many of the processes that guarantee this level of quality simply have not caught up with what DevOps is capable of.
As summarized by DevOps Institute USA Chapter Chair Dr. Mark Peters, “Growth depends on culture, and tech depends on software and firmware. The problem comes when your people upgrades cause your tech to lag.”
One of the biggest victims (or ‘offenders’, depending on how you look at things) is security. In the last decade, the need to run safer operations has become an ever-looming specter for development teams. Stakeholders who were once overjoyed at how quickly developers were churning out new code are now pressuring those same teams to adhere to regulations like the GDPR or the CCPA. The privacy of clients and consumers requires serious and ongoing protection, not merely to avoid penalties, but also to maintain the trust of customers and clients – an integral element of sustaining value.
Sadly, the demand for speed is only increasing. Many services, particularly those that are customer-facing, require frequent and sometimes even daily updates. While a DevOps team can refine and accelerate the processes required to meet this demand, traditional security checks can still create a serious bottleneck before the point of release.
Some see dealing with security as akin to taking the time to avoid potholes in the road – awkward, but essential for getting to your destination on time with your vehicle intact. Sacrificing or ignoring security concerns, on the other hand, is like making the same journey with zero regard for blind spots, pedestrians, or anything else in the Highway Code. You might get to your destination faster, but eventually there will be consequences – and they won’t be pretty.
So what’s the answer? Do we need to learn to sacrifice speed, hoping that our markets will bow to our sensibleness? Or can the DevOps methodology evolve yet again to work more in tandem with security checks?
Considering the need for security in DevOps
Of course, we cannot discuss security in DevOps without qualifying that it has never been entirely absent from DevOps pipelines. That would be ridiculous.
The issues we are considering are not a result of ignorance, per se, but prioritization. Developing new code, releasing more features, and so on, all drive business value and keep stakeholders happy. Delaying releases or scheduling downtime can seem like worst-case scenarios to product owners. DevOps teams unused to straying from the ‘value is king’ doctrine are often simply unfamiliar with the potential value and consequences that come packaged with modern security considerations.
At the same time, there is no doubt that DevOps practices need to evolve. New code is being created faster than ever, and customers are ever-more demanding. Yet these same customers are also well aware of the consequences of data breaches and other potential attacks, and often judge companies by their track record. Security has become an established ‘-ility’ – a non-functional requirement alongside reliability and scalability – within standard acceptance criteria, regardless of how frequently a company needs to release updates.
Another way of putting it is that, rather than being a problem, the need for security should be seen as an instigator for evolution. End-users are accustomed to having their cake and eating it too. Quality is the boss, and it isn’t willing to let speed or security slack off.
Luckily for us, this whole thing is not exactly a new issue. The DevOps practitioner community has always been fairly active in responding to problems found on the front lines, so to speak.
Many simply advocate a change in perspective, with security consultant and DevSecOps lead Marudhamaran Gunasekaran stating: “DevOps is not a security nightmare because software is pushed to production often and faster, it is an opportunity for security to fail faster in safe test environments before a security bug or a flaw manifests into a security incident.”
What are the solutions?
A popular and widespread solution that takes on many forms is to fall back on what DevOps teams do best: driving automation and continuous integration.
Rather than treating security as a final speed bump, it is far more efficient to integrate the necessary checks into the DevOps pipeline itself. Manual checks and other processes can be automated where possible, and any missing skills or outside tooling can be brought in as needed. In other words, you can simply start treating security and compliance as elements of DevOps itself.
Automated security checks also have a future-proofing element, as they can be extended to incorporate additional practices and compliance policies as those change. At the same time, as is standard for DevOps, the same automation can report ongoing metrics relating to compliance rates, response times, the frequency and length of downtime incidents, and so on.
Another advantage of this approach is what it can do for team morale, with Maran continuing that “Sensible security automation not only aids in streamlining mundane manual activities aimed at rapid defenses, but also helps retain the best talent because the boredom of mundane chores is oppressive, and a passion-killer.”
Once set up, these checks typically run in the background on every change, with far less room for the oversights that ad hoc manual review invites. Many DevOps teams even incorporate security checks this way using tools and processes they are already familiar with.
That is not to say that the best solution is simply to expect development and operations teams to handle things themselves. Many organizations appoint security representatives (often called security champions) within these teams, who review their work, act as a go-between with management, and make sure that any outdated policies and processes are updated as necessary.
Others have called for a wider update to the DevOps methodology as a whole. This has taken various forms, including Rugged DevOps and, more recently, DevSecOps.
‘DevSecOps’ is a methodology built to integrate security as a continuous element of DevOps pipelines. It incorporates security teams into DevOps cultures, where the commonly cited staffing ratio is one security engineer for every ten operations staff and every hundred developers. Teams are encouraged to adapt their tools, processes, policies, and so on, to suit an environment where security is everybody’s business. From the beginning of development, security functions as part of a continuous cycle, with new code and open-source dependencies constantly being scanned for errors and vulnerabilities.
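As an added example, and not code from this article or from the DevOps Institute, here is the kind of policy-as-code gate the preceding paragraphs describe: it consumes findings from whatever scanners run in the pipeline (SAST, dependency audit, secret scanning), fails the build on anything at or above a severity threshold unless a reviewed, unexpired waiver covers it, and returns the counts a pipeline can export as compliance metrics. The report format, the `Waiver` fields, the sample findings, the ticket numbers and the fixed date are all constructed for this example rather than taken from any real tool.

```python
"""Policy-as-code security gate for a CI pipeline (constructed example)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Ordering used to compare severities; unknown labels are treated as "low".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # scanner that raised it (SAST, dependency audit, secret scan)
    rule_id: str
    severity: str
    location: str   # file path, or package@version for a dependency


@dataclass(frozen=True)
class Waiver:
    rule_id: str
    location: str
    expires: date   # every waiver expires, so accepted risk gets re-reviewed
    ticket: str     # where the risk acceptance was reviewed


@dataclass
class GateResult:
    blocking: list[Finding] = field(default_factory=list)
    waived: list[Finding] = field(default_factory=list)
    below_threshold: list[Finding] = field(default_factory=list)
    expired_waivers: list[Waiver] = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not self.blocking

    def metrics(self) -> dict[str, int]:
        """Counts a pipeline can export and trend as compliance metrics."""
        counts = {"blocking": len(self.blocking), "waived": len(self.waived),
                  "below_threshold": len(self.below_threshold),
                  "expired_waivers": len(self.expired_waivers)}
        for f in self.blocking + self.waived + self.below_threshold:
            counts["severity_" + f.severity] = counts.get("severity_" + f.severity, 0) + 1
        return counts


def parse_findings(report_json: str) -> list[Finding]:
    """Parse the constructed report format: a JSON list of finding objects."""
    return [Finding(i["tool"], i["rule_id"], i["severity"].lower(), i["location"])
            for i in json.loads(report_json)]


def evaluate(findings: list[Finding], waivers: list[Waiver],
             threshold: str = "high", today: date | None = None) -> GateResult:
    """A finding at or above the threshold blocks the build unless an unexpired
    waiver matches both its rule and its location."""
    today = today or date.today()
    result = GateResult()
    active: dict[tuple[str, str], Waiver] = {}
    for w in waivers:
        if w.expires < today:
            result.expired_waivers.append(w)  # lapsed: suppresses nothing
        else:
            active[(w.rule_id, w.location)] = w
    min_rank = SEVERITY_RANK.get(threshold, SEVERITY_RANK["high"])
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 1) < min_rank:
            result.below_threshold.append(f)
        elif (f.rule_id, f.location) in active:
            result.waived.append(f)
        else:
            result.blocking.append(f)
    return result


# Constructed sample report: what a SAST tool, a dependency audit and a secret
# scanner might raise on one commit. Paths, names and versions are made up.
SAMPLE_REPORT = json.dumps([
    {"tool": "sast", "rule_id": "sql-injection", "severity": "high", "location": "app/orders.py"},
    {"tool": "dependency-audit", "rule_id": "vulnerable-dependency", "severity": "critical", "location": "examplelib@1.2.3"},
    {"tool": "secret-scan", "rule_id": "hardcoded-credential", "severity": "high", "location": "config/settings.py"},
    {"tool": "sast", "rule_id": "debug-enabled", "severity": "low", "location": "app/__init__.py"},
])
# Constructed waivers: one still valid on the fixed date below, one lapsed.
SAMPLE_WAIVERS = [
    Waiver("sql-injection", "app/orders.py", date(2024, 12, 31), "SEC-101"),
    Waiver("hardcoded-credential", "config/settings.py", date(2024, 1, 31), "SEC-77"),
]
SAMPLE_TODAY = date(2024, 6, 1)  # fixed so the run is reproducible


def run_gate(report_json: str = SAMPLE_REPORT, waivers: list[Waiver] = SAMPLE_WAIVERS,
             today: date = SAMPLE_TODAY) -> GateResult:
    return evaluate(parse_findings(report_json), waivers, "high", today)


if __name__ == "__main__":
    result = run_gate()
    print(json.dumps(result.metrics(), indent=2))
    sys.exit(0 if result.passed else 1)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step, the non-zero exit status is what fails the stage; on the sample data the critical dependency finding and the credential whose waiver has lapsed both block, while the waived SQL injection finding and the low-severity one do not. Two design points are worth copying: a waiver is keyed on rule and location together, so one accepted risk cannot silence a rule across the whole code base, and every waiver carries an expiry, so accepted risk is re-reviewed rather than forgotten.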
The DevSecOps approach is particularly significant, given the technical changes that it instigates. Development and operations staff learn to be proactive in highlighting, reporting, and, when necessary, dealing with errors. As this goes on, developers, in particular, will gain the insight necessary to help prevent certain issues from appearing in the first place, reducing the time spent on repairs down the line.
Replacing outdated security practices and treating security and compliance as ongoing concerns rather than last-minute considerations creates a much smoother process overall. Approaches like DevSecOps create future-proof systems in which engineers are constantly tracking and highlighting metrics that point to further opportunities for improvement. And, as we said before, the DevOps practitioner community is always on the case when it comes to discovering new ways to deal with common challenges.
Optimizing speed and security
This all sounds good on paper, of course, but it is worth keeping in mind that DevOps is not a prescriptive entity. Nor are all DevOps-powered organizations so similar in shape and size that they can share solutions word-for-word or action-for-action. Certain DevOps managers see security as being someone else’s concern. Many have, historically, even seen this as being an essential ingredient for their success.
Ultimately, DevOps has never been a one-size-fits-all approach. It is, however, highly reactive to change, with the insight driving the methodology often coming from the front lines. There is little excuse to play ignorant, especially when the essentials of the methodology are already evolving.
The unshakable necessity of speed, combined with the increasingly mandatory element of security and the constantly-dominating drive for quality, forms the new environment DevOps practitioners must adapt to thrive in. Being prepared to react, learn, and evolve has always driven success for IT teams. Right now, there’s a lot to gain with a little classic DevOps innovation.
The DevOps Institute
The DevOps Institute is a professional membership association whose mission is to advance the human elements of DevOps by creating a safe and interactive environment where our members can network, gain knowledge, grow their careers, support enterprise transformation, and celebrate professional achievements. We connect and enable the global DevOps community to drive change in the digital age. DevOps Institute ambassadors are pioneers in DevOps and some of the world’s most foremost thinkers and advanced practitioners of DevOps ways of working who volunteer to share their wisdom and expertise with the humans of DevOps, globally.
Marudhamaran Gunasekaran, MCT, ISO 27001 LA, PSM I, II, III, Pluralsight Author.
Maran is a Chief Consultant and a DevSecOps Lead with DevOn, part of The Waada, Prowareness Group. He plays various roles at work, including but not limited to Security Consultant, Trainer, Agile Coach, and Compliance Manager. Starting his career as a programmer, he takes joy in staying abreast with security advancements, contributing to the open source community with the most recent contributions to OWASP projects, and evangelizing security among DevOps professionals as an Ambassador for the DevOps Institute and an Evangelist for the OWASP flagship project ‘Zed Attack Proxy’. When not training or transforming organizations to the DevSecOps ways of working, he relaxes with Henry David Thoreau, learns to cook a new dish from the Indian cuisine, and his rediscovered hobby of gardening.
Dr. Mark Peters, CISSP, PMP, DevOps Institute USA Chapter Chair
Dr. Mark Peters works for Technica Corporation as Lead Information Assurance/Security Engineer on a US Air Force cyber weapon system. During his previous US Air Force career, he integrated intelligence processes with operational delivery. A cybersecurity expert, he holds multiple industry certifications, including a CISSP. As a Strategic Security Doctor specializing in economic espionage, he authored ‘Cashing in on Cyberpower’, analyzing a decade of cyber-attacks. In his spare time, he reads, thinks, writes, and then speaks. A DevOps Institute ambassador and USA chapter chair, he enjoys working with individuals on their unique DevSecOps implementations. He remains passionate about incorporating new technology into DevOps across multiple industries.