DevOps and Security: Fighting Factions or Fabulous Friends?

DevOps professionals consider themselves as agile, ahead of the game and able to deliver new programs quickly and efficiently. Traditional security processes, however, prioritize being thorough over agility and are often addressed in the last stages of implementation. These approaches could become foes. However it doesn’t have to be this way, and with more and more security breaches uncovered every week, it’s vitally important that security and DevOps work together to integrate and streamline delivery, balancing speed and security without compromise.

The general view is that DevOps is a rapid approach to development and implementation, quickly enabling companies to introduce new code and programs to an entire company. While security is seen as careful in its approach, ensuring every angle of protection has been considered. Both of these approaches are valid and vital to the smooth running of an organization. However the two groups working in these areas aren’t traditionally integrated which can lead to misunderstanding and even confrontation. While the finger of blame has, in the past, been pointed at the DevOps team for perpetuating bad security practice it’s inappropriate and counterproductive to continue presuming an us vs. them mentality. In fact, many in a DevOps team are more security focused than a traditional developer team. Given the right steer on security parameters and priorities, they can work together extremely well. In properly aligning, teams can identify shared pains and objectives and develop a mutually beneficial working practice.

Both DevOps and Security are technically minded people with a deep level of expertise. Building on this to develop mutual understanding is key. Both teams have complementary skills sets and can work effectively together. The goal should be to change processes to ensure security and DevOps teams are all involved from the start of a project. This will enable companies to continue to promote talented people.

In discovering what components of security processes can be automated, it allows companies to ensure these tasks are performed early, often and consistently. Automation is important as it frees up time and ensures regularity, but it will only get you so far. To automate security checks, teams have to already understand or have established where the areas of vulnerability are and what is trying to be exploited.

Automation could be beneficial in, for example, code scans to look for patterns in code leading to vulnerabilities; threat modelling, which is normally manual, but there are components which can be automated. It’s essential to include human intervention: a security expert is needed to examine, predict and look at requirements. Code review practice needs to be conducted by security personnel who can look for changes and vulnerabilities. Then teams can automate early and often where possible. Where it’s not possible – manually ensure this happens so both teams are involved and the security team isn’t starting testing only after the DevOps team say it’s ready to deploy.

It’s got to be best practice for both the DevOps and security teams and encompass the best methods and processes within both. Examine two interconnecting elements: collaboration and communication. Ensure collaboration by including security from the very beginning. In many cases security teams come in at the end but they should be on boarded from the time developers begin the process of developing code. This means there are no nasty surprises on either side. Communication is such an obvious point – but one that needs to be made. Developers should share updates with the security team when a sensitive part of the code is altered or updated to pinpoint the location of potential vulnerabilities. Likewise security teams need to flag their priorities and the changing threat landscape to ensure that the DevOps team is made aware of much needed awareness.

This is not necessarily how to measure the success of each team, but rather ensuring both are working together effectively. There’s no need to reinvent the wheel, rather use existing metrics where possible, such as defect rate, mean time to failure and vulnerability metrics within code scans. Integrate security into the process and make sure the same thresholds are applied to security.

Like everything in DevOps, there’s no single silver bullet which will determine success. Proper implementation requires modification of people, process and tools to effectively to create a streamlined and collaborative working environment. A security first approach isn’t easy for employees, but it’s do-able. Vitally important is to keep talented people, and consider both sides of the fence.

Enforcing process wont get results. Best practice involves collaborating and communicating with both teams so that everyone is singing from the same hymn sheet. Finally, the tools have to be in place to make the process work for everyone. Automate where possible to reduce team workload and measure effective working in terms of existing metrics.

Brian Dawson
DevOps Evangelist
CloudBees