Security Think Tank: Aim for win-win in SecDevOps

For worthy reasons a “new” strategy in integrating agile development and operational processes – DevOps – is catching interest from CIOs. 

While that makes sense and is valuable, one element is perhaps missing: security. I am not saying that developers or IT administrators do not care about security – not at all. However, security is not necessarily their primary objective. As such, the inclusion of security professionals is something that DevOps teams should strongly consider.

Download this free guide

Computer Weekly's Buyer's Guide to GDPR Part 2

In this 12-page buyer’s guide, we look at the tools that could be used for compliance, the incentive to create a smarter, leaner business, and the myths surrounding the new rules.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

For this reason, I propose SecDevOps teams enhance DevOps practices with a strong, functional team of security professionals. The full SecDevOps team objectives would be to optimise development and operational processes while ensuring the security objectives of the company are still met.

Security development processes should reflect the need to use, where relevant, artefacts approved by security teams. To achieve this, the artefacts must be current, usable and developed together with all stakeholders in SecDevOps teams. 

Furthermore, good co-operation between development and security teams should ensure code is tested in an automated way, where possible, by tools procured by security and used by development. Automation, seamlessness and treating security issues as code bugs is vital.

Security operations processes should adopt unconditional patching and hardening of the development, test and production systems. Especially as hardening is an area where a practical guidance from security teams is rather valuable. Unfortunately, I have seen quite a few examples of a so-called textbook approach by security consultants, when later it turned out they did not actually have any practical experience of system hardening.

This leads to my next point. Security managers and CISOs need to come down from their ivory towers that are weakly supported by artificial and theoretical security postulates. They have to offer practical advice that solves security problems that developers and IT teams will inevitably face. 

Continuous education and keeping up to date in security, technology and business challenges is very much required from those security professionals who want to keep their relevance. I certainly want to be in such a valued profession – do you?

Vladimir Jirasek is chief executive at Jirasek Security Consulting.