Rawpixel - Fotolia
DevSecOps is key to uniting opposing forces
Unifying DevOps and security teams with the aid of automation will bring harmony and added business benefits, says systems engineer
The practice of combining applications development and IT operations to form DevOps teams is increasingly popular with business leaders, but is unpopular with many security teams, according to Bill Madell, senior systems engineer at cyber security firm Venafi.
“DevOps allows businesses to code and deploy quicker than ever before, allowing them to get ahead of the competition with ever-faster releases,” he said.
Recent search commissioned by global technology services provider Claranet found that 88% of UK businesses have either adopted a DevOps approach or plan to adopt one in the next couple of years.
But despite the advantages of DevOps, said Madell, security teams often regard it as going “dangerously fast” and operating without paying proper attention to security. “On the other hand, DevOps sees security as a burden that is slowing them down and preventing them from keeping up with the demands of the digital economy and the wider business,” he said.
The business benefits of quicker development of products and services means DevOps has become an established and growing trend, said Madell. “CISOs and CIOs therefore need to find a way to bridge the divide between DevOps and security, and because slowing down DevOps isn’t an option, DevSecOps is the only choice,” he said.
DevSecOps speeds up security to the same pace as DevOps, allowing firms to retain the agility while removing the vulnerabilities, he said. “DevSecOps is essential for companies looking to release new products and services rapidly without increasing security risk.”
At the heart of the tension between security and DevOps is the fact that they have different drivers and risks, said Madell.
DevOps teams are driven by a need to shorten the development cycle to reduce the risk of being slower to market than the competition, with research showing that firms with high-performing DevOps teams have 30 times more deployments than their competitors, 12 times quicker recovery times when issues arise, and are more likely to exceed their profitability and productivity targets.
On the other hand, security teams are focused on keeping the enterprise safe from both internal and external threats. The top priority for security teams is to ensure nobody is able to gain unauthorised access or deliver a malware payload.
“While DevOps is inherently geared towards removing as many barriers as possible because every extra process becomes a danger to productivity and delivery, security is more cautious and wants to take time to rigorously test all new services and applications to ensure there are no weaknesses that could pose a risk to the organisation,” said Madell. “This puts them in direct opposition to DevOps and the resulting culture clash can create serious friction.
“Both teams are acting in the best interest of the company,but by pulling in opposite directions, risk is increased on both sides.”
In this context, said Madell, it is not surprising that research shows that only one-third (36%) of DevOps teams say security is involved in the design and deployment of new technology. “This is the worst possible outcome because now, not only are DevOps teams engaging in insecure practices, but security has no clue about what is really going on in order to try to mitigate potential threats,” he said.
A clear example of this is machine identities, said Madell. Research by A10 Networks has found that DevOps teams regularly engage in unsafe practices, he said, such as using self-signed certificates or failing to replace test certificates when code goes into production.
“These mis-steps create significant security risks,” he said. “If hackers find these weak points, they could use them to infiltrate an organisation using malware, perform man-in-the-middle [MitM] attacks or exfiltrate sensitive data.”
Read more about DevSecOps
- The increasing complexity of security threats facing enterprises is leading to DevSecOps approaches, which combine operations and development with security, so that all business units are involved in security operations.
- DevSecOps is seen as a way of ensuring application security, but security leaders must understand that embedding a security culture and taking the inter-dependencies of new development frameworks into account is key, says KuppingerCole.
- It takes collaboration across several levels between the C-suite and in cross-functional teams to successfully move to DevSecOps and meet compliance requirements.
- In the face of competition, organisations are turning to DevOps to improve efficiency and accelerate innovation, but this is creating new security risks, an industry expert warns.
This security issue arises from the fact that DevOps teams are under pressure to get the new release out as quickly as possible and so do not have time to go through the requisitioning process with a certificate authority every time, said Madell.
“Yet, because of the vulnerabilities that these omitted steps create, security needs to address it without slowing down DevOps,” he said. “Security needs to transition from refusing to accept a DevOps approach to finding ways in which DevOps can be done securely.”
According to Madell, one way forward is to enable DevOps to move at the pace that business demands by bringing security processes up to the same speed and involving security in the DevOps process through DevSecOps.
“This shifts the dialogue away from confrontation and towards collaboration in finding ways to remain secure at speed,” he said. “The key to this is automation. Automation can meet the needs of both DevOps and security because it is quick, reliable and easy to verify.”
By automating processes that are consistently applied in key areas such as testing and deployment, security professionals are freed up to focus on continuous improvement, said Madell.
“Automation means barriers are removed for DevOps because they aren’t slowed down, while security can be confident that key processes are always being followed,” he added.
In the context of machine identity, Madell said automating the certificate provisioning process eliminates the conditions in which security errors can occur. “As soon as the code is ready to move into production, the correct certificate will be requested and applied, without requiring anything onerous of the developer,” he said.
“Thus, we achieve security process without slowing DevOps’ pipelines at all. DevOps is free to focus on speedy coding and delivery, while security avoids slowing DevOps because they know secure procedures are consistently and automatically being followed.”
Now that DevOps has gone mainstream, Madell said it is crucial for companies to understand and embrace DevSecOps as soon as possible. “They shouldn’t be afraid of DevOps because of the security risks – it’s the future of coding for continuous development and deployment – those who fail to adopt it will be left behind,” he said.
“However, without security oversight and input, DevOps teams will unleash a horde of vulnerabilities in their haste to deploy. The only solution is for firms to bring security up to the same speed as DevOps and get the two working in harmony, both culturally and technologically.
