3 Ways to Integrate Security and DevOps: SecDevOps
January 20, 2015 | DevOps | Andrew Racine
In our last blog post we examined the overall state of DevOps. In today’s post we are going to focus more narrowly on how you can include Security in your already well-firing DevOps process.
With DevOps firmly entrenched in most SaaS and non-SaaS software development organizations these days, one might ask what’s next. As some smart people have already alluded to, with increased internal and external threats to your infrastructure, the next step in the evolution of DevOps is the addition of Security to the process.
Up until this point Security has been an outsider in the sometimes blissful relationship between Development and Operations. When things are going well you might ask yourself whether you should add security on top of each deployment, or whether you should have security rules and regulations in place before any development begins. Remember, the whole point of DevOps is to speed up our ability to ship products and gather feedback. Because of this the security element can sometimes be viewed as a bottleneck to the process.
So how does one go about integrating Security with their already established DevOps process, or create a brand new process altogether? Here are 3 places to start that will increase your chances of succeeding in not only speeding up your development, but doing it in a way that protects your organization from internal and external threats:
1) Hiring the right team members
Who owns your DevOps process? Hopefully all Developers and Operations folks share in the responsibility, but do you now want to train them on Security? I am sure the answer is no, so ideally you are able to hire Security experts who also have some DevOps chops. Namely, they would be able to identify and submit bug reports, with the potential of fixing them as well. With these added skills the hope is that the DevOps process does not slow down; instead it remains efficient but has an added layer of security that wasn’t in place before.
If your Security team simply doesn’t have the dev chops to positively contribute to the process, then you need to hire and position these Security team members as Experts and Advisors for the rest of the team. This means that they should be involved in each stage of the development process, but instead of writing the code they benefit from the open and agile communication, which lets them advise DevOps team members on whether they are squared away from a security perspective prior to deploying any code.
2) Company Culture
With DevOps it is easy to get lost in Automation and forget that this process needs to be driven by the right people. As we looked at in the first part, hiring the right team members is crucial. The reality is that hiring alone isn’t going to solve for SecDevOps. Most likely your DevOps process is structured around your organization’s overall business goals and collaboration. We would argue that one of the subsets of those business goals should include your organization’s overall culture. Culture is always difficult to define; it becomes a bit easier with DevOps in place, but how does Security fit into the mix? Do you already practice Scrum, SAFe, or DAD? If so, these bedrock principles of DevOps can lend themselves nicely to integrating an element of Security into the mix. Again, we don’t want to reinvent the wheel or disrupt an already well-performing process; instead we want an element of inclusion with security that will enable products to be shipped even quicker, with a hat tip towards security along the way.
With the very basis of DevOps aligning with collaboration, it is important to take a step back and assess what type of information is actually being shared. Without SecDevOps in place, most likely not many security checks, best practices, or pieces of security information are being exchanged during the feedback loop. The absence of this input naturally opens up your organization to internal and external threats. By including Security as an integral part of your Corporate Culture you will find that the information shared internally naturally factors in Security as a crucial component of building products and gathering customer feedback.
3) Daily Augmentation
So far we have covered how your Hiring Process and Corporate Culture will factor into aligning Security and DevOps. The final factor to take into consideration is Augmentation. Fundamentally a pillar of the DevOps cultural movement, augmentation is the ability to increase the impact that DevOps has on your organization as a whole with each iteration. Your ability as a Technical Manager or Technical Practitioner to make a positive contribution to your organization’s overall success as it relates to Security rests on making sure that a Security Expert is involved in every stage of your DevOps process.
Whether it be in Planning, Testing, Deployment, Monitoring or Feedback, your job is to make sure an element of security weighs in at each stage. It isn’t enough to have a ‘Security Review’ at the end of each sprint; instead Security considerations need to augment, or improve, the existing agile environment that is enabling your business to reach its goals.
Obviously there are numerous other variables at play in this SecDevOps equation, but we hope these points will act as building blocks for you to leverage when installing a similar process at your organization. As with any good DevOps initiative, the goal isn’t to get it 100% right the first time, but instead to learn from each iteration and gradually improve how your teams collaborate, make decisions, and solve for the business.