A Checklist for Successfully Integrating Security into Your DevOps Process

The DevOps market is on the rise. Per GlobeNewswire, a report from Global Market Insights, Inc. found that the DevOps market valuation was expected to reach $17 billion by 2026. Such growth would constitute an increase of 22% over its 2020 valuation.

Notwithstanding these projected gains, organizations still have some challenges to address with their DevOps implementations. Those obstacles include the matter of bringing DevOps and security together. Indeed, research from Veracode and Enterprise Strategy Group revealed that nearly half of organizations had “regularly and knowingly” shipped out vulnerable code despite their use of application security tools, as reported by Security Magazine. Those respondents commonly cited the pressure to meet release deadlines and the discovery of vulnerabilities too late in the software development lifecycle as explanations for why this had occurred. 

To help illuminate what’s going on here, this post will begin by briefly explaining why DevOps is beneficial to organizations. It’ll then explore the need for security in DevOps and why it’s been challenging to bring security and DevOps together. The post will conclude by providing a checklist of measures that organizations can use to integrate security into DevOps.

Why Organizations Are Flocking to DevOps

By having operations and development engineers work together throughout the entire software development lifecycle, DevOps stands to benefit organizations in many ways. Aruna Ravichandran, VP of DevOps Product and Solutions Marketing at CA Technologies, told DEVOPSdigest that one of the most fundamental of these advantages is the ability to deliver better software to customers:

“The underlying goal is to become more agile and efficient in general…,” noted Ravichandran. “[T]his spans everything from driving greater productivity out of the IT workforce to subsequent benefits in operating expense, but at the end of the day it all goes back to deepening engagement with customers by creating increasingly useful applications in a more responsive manner. If digital transformation is the endgame in meeting customer requirements and growing the business, DevOps is the vehicle that allows you to get there.”

By uniting operations and developers, DevOps can also help to tear down the silos that tend to exist in hierarchical organizations. Without these silos, team members learn to speak a common language for the purpose of delivering software faster. With improved velocity comes the ability to quickly adapt and design products in a way that accords with the organization’s evolving business needs.

Why Security Needs to Be Part of DevOps

Some organizations think that security is antithetical to DevOps. The belief is that they’re saving time and money by not integrating security into the software development process. They feel that DevOps output could ultimately slow down with the addition of security, thereby putting their business objectives at risk.

But they’re wrong. Security and DevOps aren’t mutually exclusive. In fact, security is part of the solution that can make DevOps even more successful than it is now. 

DevOps.com notes the time and money that organizations could save by integrating security into their DevOps process. Such a move would enable security personnel to spot and fix vulnerabilities early in the design or development phases instead of just before or after deployment. Security teams could also help strengthen the DevOps teams themselves by helping to detect misconfigurations in cloud deployments and poorly managed access controls for secrets such as SSH keys and API tokens.

The Challenges of DevSecOps

The benefits discussed above, among others, have helped to give rise to the DevSecOps model. White Source Software explained that DevSecOps involves integrating security into the DevOps pipeline. It also encourages security to take a “DevOps” approach to its work by testing early and often as well as by sending reports in a shorter feedback cycle. Both of these measures are designed to help make it easier for security teams to detect and fix a code vulnerability, White Source Software noted.

Challenges exist with bringing security and DevOps together, however. Dark Reading observed that many organizations fear that increasing the velocity of their security teams’ work could undermine their digital security postures, for instance. There’s also the belief that developers aren’t interested in creating secure code for their products to begin with.

However unfounded these myths are, they have nonetheless helped to shape the ways in which DevOps and security teams have interacted thus far. DevOps and security personnel tend to maintain siloed systems, as reported by Forbes, meaning they don’t have unified or automated tools that can help them to scale tasks and updates. Instead, developers end up using Application Security Testing (AST) tools that don’t integrate into their environments and thereby make their work more time-consuming and challenging. Meanwhile, security personnel only do their work in the testing and deployment phases of the software development lifecycle, further delaying the project. Together, these forces produce weakened, insecure projects.

How to Integrate Security into the DevOps Process

DevSecOps doesn’t fail whenever security and DevOps come together. It fails when organizations don’t take the necessary steps to integrate security into their DevOps processes. These practices include the following:

Secure executive buy-in: Security teams won’t find their place in DevOps if they don’t receive the time, money and resources they need to cultivate security awareness. The reality is that security teams won’t receive those resources if they don’t get the necessary support from executives. As noted by Tech Beacon, it’s important for executives to understand that they’re risking nothing less than a data breach by not investing in security with respect to their organization’s DevOps processes. 

Align security and business priorities: One of the ways by which executives can get on board with bringing security into the DevOps world is by aligning the priorities of security and business. Once security is framed in a business context, executives can lay the groundwork for organizations to begin emphasizing collaboration and integration, as pointed out by RSA.

Create an inventory of resources: Security teams can’t defend what they don’t know about. To solve this problem, Microsoft recommends that DevOps and security personnel work together to inventory their assets including cloud subscriptions that are in use.

Understand unique applications: Security needs to be integrated into organizations’ DevOps processes so that it covers the cloud-based resources those processes rely on, including Kubernetes and container deployments. StackRox notes that organizations can work to secure these resources with the help of DevOps by following key recommendations such as not adding unnecessary components and using minimal base images.

Automate DevSecOps: Once security is fully integrated into the organization’s DevOps processes, there’s no need to proceed manually. BeyondTrust emphasizes that organizations can use automated security tools for code analysis, configuration management and other important processes. Doing so will reduce the risks of human error and enable the organization to better scale its DevOps processes when it sees fit.
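The container advice two items up (minimal base images, no unnecessary components) and the automation point in this item can be combined in a single pipeline step. The script below is an added example written for this post; it is not code from the article or from any of the vendors it cites. It encodes four Dockerfile rules as a policy gate that a CI job could run before an image is pushed. The rule set, the list of tools it flags, the `dockerfile_findings`, `policy_gate` and `write_samples` function names, and the two sample Dockerfiles it writes are all this example's own constructions, not recommendations taken from StackRox or BeyondTrust.

```shell
#!/bin/sh
# Dockerfile policy gate for an automated pipeline step.
# Added example, not code from the article or from any vendor it cites. The
# rules encode the container advice above (pinned, minimal base image; no
# unnecessary components) plus a non-root check. The two Dockerfiles written
# by write_samples are constructed for this demonstration.

# Print one finding per line for FILE; return the number of findings (0-4).
dockerfile_findings() {
    file="$1"
    count=0

    # Rule 1: every base image is pinned to a tag or digest. "FROM debian" or
    # "FROM debian:latest" pulls whatever is current, so the build is not
    # reproducible and the image that was scanned may not be the one deployed.
    # Build flags such as --platform are stripped before reading the image ref.
    unpinned=$(grep -Ei '^FROM ' "$file" | sed -E 's/ --[^ ]+//g' | awk '
        { img = tolower($2) }
        img != "scratch" && (img !~ /[:@]/ || img ~ /:latest$/) { n++ }
        END { print n + 0 }')
    if [ "$unpinned" -gt 0 ]; then
        echo "$file: base image not pinned to a tag or digest"
        count=$((count + 1))
    fi

    # Rule 2: a full distribution image is not a minimal base image; its extra
    # packages are attack surface and patch burden the service never uses.
    fulldist=$(grep -Ei '^FROM ' "$file" | sed -E 's/ --[^ ]+//g' | awk '
        { img = tolower($2); sub(/^(docker\.io\/)?(library\/)?/, "", img) }
        img ~ /^(ubuntu|debian|centos|fedora)(:|@|$)/ && img !~ /slim/ { n++ }
        END { print n + 0 }')
    if [ "$fulldist" -gt 0 ]; then
        echo "$file: full-distribution base image; use a slim or distroless image"
        count=$((count + 1))
    fi

    # Rule 3: compilers, editors and network utilities are unnecessary
    # components in a runtime image; build in an earlier stage if they are needed.
    if grep -Eiq '^RUN( .*)? (curl|wget|gcc|make|vim|nano|netcat|nmap|gdb|strace|openssh-server)( |$)' "$file"; then
        echo "$file: RUN installs build or debugging tools not needed at runtime"
        count=$((count + 1))
    fi

    # Rule 4: the effective user must not be root; the last USER instruction wins.
    last_user=$(grep -Ei '^USER ' "$file" | tail -n 1 | awk '{ print tolower($2) }')
    case "$last_user" in
        ""|root|0|root:*|0:*)
            echo "$file: process runs as root (no non-root USER instruction)"
            count=$((count + 1)) ;;
    esac

    return "$count"
}

# Check every Dockerfile under DIR; return 1 if any has findings, so a CI job
# using this as a step blocks the build. Paths are assumed to contain no spaces.
policy_gate() {
    failed=0
    for f in $(find "$1" -name Dockerfile -type f | sort); do
        dockerfile_findings "$f" || failed=1
    done
    return "$failed"
}

# Write two constructed Dockerfiles into a temporary directory and print its path.
write_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/risky" "$dir/hardened"
    # Weak version: floating tag, full distribution, debugging tools, runs as root.
    cat >"$dir/risky/Dockerfile" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get install -y curl vim netcat python3
COPY app.py /app/app.py
CMD ["python3", "/app/app.py"]
EOF
    # Corrected version: pinned slim image, only a CA bundle, non-root user.
    cat >"$dir/hardened/Dockerfile" <<'EOF'
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --no-create-home app
COPY app.py /app/app.py
USER app
CMD ["python3", "/app/app.py"]
EOF
    echo "$dir"
}

# Stand-alone run: print the findings for both samples, then clean up.
SAMPLES=$(write_samples)
policy_gate "$SAMPLES" || echo "policy gate failed: fix the findings above"
rm -rf "$SAMPLES"
```

Run as `sh dockerfile_gate.sh`: the risky sample produces four findings and the hardened one none, and `policy_gate` returns non-zero, which is what makes the CI step fail. In a real pipeline you would point `policy_gate` at the repository checkout instead of the constructed samples and treat a non-zero exit as a blocked build; the point is that the checks run on every commit without anyone having to remember to do them by hand.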

About the Author: David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence, Tripwire's The State of Security Blog, and a contributing writer to Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.
