The ability to have an agile yet secure application delivery process is the dream of every CIO in the world. But with so many moving parts and siloed departments built into today’s IT departments it is difficult to turn this vision into reality. The idea behind DevOps is to have representatives from the different functional teams in the application development lifecycle communicate and collaborate in order to accomplish a common goal such as the fast delivery of a web application.
Traditionally security was not part of the DevOps process. But I’m now starting to see companies begin to integrate security into the DevOps process – often now renamed DevSecOps.
Obviously, bringing security into DevOps provides the opportunity to work through security issues and concerns related to the software development lifecycle, and to build the security best practices that the product requires in from the get-go, rather than having to stop mid-process – or worse, at the end of the process – when a security issue arises.
It also allows you to revisit projects that were previously rejected at the end of the cycle because of security issues, such as a project where the web team wanted to make a change that would have made the site less secure (and so the project was rejected). By incorporating security into the process early, you can find solutions to these problems that allow you to move ahead with the project.
Automation plays a key role in DevOps initiatives and helps speed up the code release process, push out patches, spin up new instances, allocate resources and so on. However, security is often wary of automation, especially when it comes to deploying applications to the cloud. By integrating security automation into the DevOps process, you can monitor and track the entire application development and rollout process from the security perspective and ensure that automation is empowering and optimizing the process rather than injecting new vulnerabilities.
Incident response is another area that can be streamlined by integrating security into DevOps. When there is an incident, the DevOps process allows you to use already established processes to push out changes, or to monitor certain aspects of a breach that might have been difficult to deal with previously. With representatives of multiple technology functions already present, the DevOps team has a unique opportunity and perspective to help with remediation efforts.
In the event of a disaster, the ability to work with other teams to recover your infrastructure or applications through a quick and streamlined process is a very appealing idea. Since the Disaster Recovery and Security teams often need to work closely together to fail over to a DR site in the event of an attack, having an existing process-oriented team that includes security is again extremely beneficial to the organization.
However, as a security practitioner, in my opinion the greatest and most useful contribution of security to the DevOps process is in vulnerability management. How many times have you found a vulnerability, especially web application vulnerabilities, only to be told that it will be pushed out during the next release, 6 weeks from now, and that's if they do it right? During this time you're sitting there holding your breath hoping that someone doesn't exploit this threat. Being able to quickly turn around fixes and patch vulnerabilities in hours instead of months is a HUGE win for Infosec.