
Security Think Tank: Aim for win-win in SecDevOps

How can development, operations and security teams collaborate around change to ensure security is maintained and even improved?

For good reasons, a “new” strategy for integrating agile development and operational processes – DevOps – is catching the interest of CIOs.

While that makes sense and is valuable, one element is perhaps missing: security. I am not saying that developers or IT administrators do not care about security – not at all. However, security is not necessarily their primary objective. As such, the inclusion of security professionals is something that DevOps teams should strongly consider.

For this reason, I propose SecDevOps: teams that enhance DevOps practices with a strong, functional team of security professionals. The objective of the full SecDevOps team would be to optimise development and operational processes while ensuring the company's security objectives are still met.

Security development processes should reflect the need to use, where relevant, artefacts approved by security teams. To achieve this, the artefacts must be current, usable and developed together with all stakeholders in SecDevOps teams. 

Furthermore, good co-operation between development and security teams should ensure code is tested in an automated way, where possible, by tools procured by security and used by development. Automation, seamlessness and treating security issues as code bugs are vital.
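As an added example (not from the article or its author), the following Python merge gate shows those two ideas in code: scanner findings are treated like any other failing test, and the only way past the gate is a security-approved exception that has not expired. The findings, the exception list, the rule identifiers and the severity threshold are all constructed sample data and assumptions, not output of any real scanner or policy of any real team.

```python
"""Merge gate that treats security scanner findings as build-breaking bugs.

Added illustration, not code from the article. All data below is constructed.
"""
import sys
from datetime import date

# Assumed severity ordering; real scanners use their own scales.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings in the shape a SAST/dependency scanner might emit.
# Rule ids and paths are invented for the example.
SAMPLE_FINDINGS = [
    {"rule": "SQLI-001", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "HARDCODED-SECRET", "severity": "critical", "file": "app/config.py", "line": 7},
    {"rule": "WEAK-HASH", "severity": "medium", "file": "app/auth.py", "line": 88},
    {"rule": "DEBUG-ENABLED", "severity": "low", "file": "app/settings.py", "line": 3},
]

# Constructed exception list: the "artefact approved by security" of the text.
# Every entry names an approver and an expiry date so the artefact stays current
# instead of becoming a permanent blind spot.
SAMPLE_EXCEPTIONS = [
    {"rule": "WEAK-HASH", "file": "app/auth.py", "approved_by": "appsec", "expires": "2030-01-01"},
    {"rule": "SQLI-001", "file": "app/db.py", "approved_by": "appsec", "expires": "2020-01-01"},
]


def validate_exceptions(exceptions):
    """Reject exception entries that lack an approver or an expiry date.

    Returns a list of human-readable problems; an empty list means the artefact is usable.
    """
    problems = []
    for exc in exceptions:
        for key in ("rule", "file", "approved_by", "expires"):
            if not exc.get(key):
                problems.append(f"exception for {exc.get('rule', '?')} is missing '{key}'")
    return problems


def active_exception(finding, exceptions, today):
    """Return the matching exception if one exists and has not expired, else None."""
    for exc in exceptions:
        if exc["rule"] == finding["rule"] and exc["file"] == finding["file"]:
            if date.fromisoformat(exc["expires"]) >= today:
                return exc
    return None


def evaluate_gate(findings, exceptions, fail_at="medium", today=None):
    """Decide whether the change may merge.

    Returns (passed, blocking, waived): findings at or above `fail_at` block the
    merge unless an active, security-approved exception covers them.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_at]
    blocking, waived = [], []
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] < threshold:
            continue  # below the agreed bar: report elsewhere, do not block
        if active_exception(finding, exceptions, today):
            waived.append(finding)
        else:
            blocking.append(finding)
    return len(blocking) == 0, blocking, waived


def main():
    problems = validate_exceptions(SAMPLE_EXCEPTIONS)
    if problems:
        print("Exception artefact is not usable:", *problems, sep="\n  ")
        return 2
    passed, blocking, waived = evaluate_gate(
        SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, today=date(2025, 1, 1)
    )
    for f in waived:
        print(f"WAIVED   {f['rule']} {f['file']}:{f['line']} (approved exception)")
    for f in blocking:
        print(f"BLOCKING {f['rule']} {f['file']}:{f['line']} severity={f['severity']}")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run in a CI job, the non-zero exit makes a security finding fail the build exactly as a failing unit test would, while an expired waiver (the SQLI-001 entry above) stops covering its finding automatically, so the exception list cannot quietly go stale.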

Security operations processes should adopt unconditional patching and hardening of the development, test and production systems. This matters especially for hardening, an area where practical guidance from security teams is particularly valuable. Unfortunately, I have seen quite a few examples of a so-called textbook approach from security consultants who, it later turned out, did not actually have any practical experience of system hardening.

This leads to my next point. Security managers and CISOs need to come down from their ivory towers, which are weakly supported by artificial and theoretical security postulates. They have to offer practical advice that solves the security problems developers and IT teams will inevitably face.

Continuous education and keeping up to date with security, technology and business challenges are very much required of those security professionals who want to remain relevant. I certainly want to be in such a valued profession – do you?

Vladimir Jirasek is chief executive at Jirasek Security Consulting.
