Security Think Tank: Aim for win-win in SecDevOps

For worthy reasons a “new” strategy in integrating agile development and operational processes – DevOps – is catching interest from CIOs. 

While that makes sense and is valuable, one element is perhaps missing: security. I am not saying that developers or IT administrators do not care about security – not at all. However, security is not necessarily their primary objective. As such, the inclusion of security professionals is something that DevOps teams should strongly consider.

Download this free guide

2018 UK IT Priorities survey results

IT organisations in the UK and across Europe are starting to accelerate the move to the cloud. Read more about the key areas in which senior IT managers are planning to invest in over the next 12 months.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

For this reason, I propose SecDevOps teams enhance DevOps practices with a strong, functional team of security professionals. The full SecDevOps team objectives would be to optimise development and operational processes while ensuring the security objectives of the company are still met.

Security development processes should reflect the need to use, where relevant, artefacts approved by security teams. To achieve this, the artefacts must be current, usable and developed together with all stakeholders in SecDevOps teams. 

Furthermore, good co-operation between development and security teams should ensure code is tested in an automated way, where possible, by tools procured by security and used by development. Automation, seamlessness and treating security issues as code bugs is vital.

Security operations processes should adopt unconditional patching and hardening of the development, test and production systems. Especially as hardening is an area where a practical guidance from security teams is rather valuable. Unfortunately, I have seen quite a few examples of a so-called textbook approach by security consultants, when later it turned out they did not actually have any practical experience of system hardening.

This leads to my next point. Security managers and CISOs need to come down from their ivory towers that are weakly supported by artificial and theoretical security postulates. They have to offer practical advice that solves security problems that developers and IT teams will inevitably face. 

Continuous education and keeping up to date in security, technology and business challenges is very much required from those security professionals who want to keep their relevance. I certainly want to be in such a valued profession – do you?

Vladimir Jirasek is chief executive at Jirasek Security Consulting.