by Brian E. Thomas

The culture shift in your DevOps environment

Nov 05, 2019
DevopsIT LeadershipSecurity

Incorporating best security practices into DevOps is not only good for your company and your product – it's good for your teams.

With the continual vulnerabilities being exploited in applications today it’s important to shed some more light in this area. Many developers and senior tech leaders haven’t yet made the mental switch from “DevOps” to “DevSecOps,” despite some nudging within the tech community and the tech media. What does it take to make a global movement? Hopefully, it won’t take another Heartbleed vulnerability that we experienced a few years ago. This is just one of many we all have seen one too many times.

In the theme of security, we recently discussed incident response plans. Taking this a step further, the focus will be on the security around DevOps.

So, what is DevSecOps? Essentially, it is the idea of incorporating best security practices in the DevOps practice. It is a practice that security and engineering teams need to build into their DNA, collaboratively. This just doesn’t mean when teams feel like it. It means building security right from the start and through the entire process until delivery of the final product. This shift must broaden DevOps strengths to software security.

Building that security foundation

The Scrum framework and Agile methodology are great and should continue to look at efficiencies within the DevOps process. Much of these processes were developed with speed and quality in mind. Initially however, security had been an afterthought and as more vulnerabilities arose, management realized the deep flaw. It’s important we all acknowledge that we need to start building in a little time for security, starting on the front-end. Many developers and project managers are doing this now, but it’s important that the delivery expectations are set at the customer level as well.

So, we have the traditional DevOps and even SecOps, so when will DevSecOps be commonplace?  SecOps evolved from good collaboration between the security and operations teams. Additionally, SecOps ensures that organizations don’t cut corners around security to accomplish operating goals and uptime.

We all know that in our regular dev cycle, starting with requirements and design, security is an afterthought. The good news is SecOps is having influence on the early stages of the software development life cycle (SDLC). As mentioned, a bit earlier, adding security characteristics earlier in the development cycle may pose some challenges in delivery times. Thus, the development and operations teams must work closely to streamline these practices, which includes bringing security in at the beginning of the development cycle. It’s all in the planning.

Competing priorities

Please don’t misunderstand, DevOps has done a great job to quickly and efficiently design, test and deploy solid apps to operations. Leaders and their companies are realizing that security has been missing or short of what it should be. That’s why the approach with SDLC needs security at the table during the requirements gathering.

Herein lies the challenge. DevOps is accustomed to delivering the products at blazing speed while security is in the middle of everything trying to make it secure. You can’t blame either team for what they are attempting to accomplish – and it’s not for lack of trying. While each team can generally understand what each does and what they are trying to accomplish, they just don’t understand how to get their part done without creating issues for each other. Additionally, much of these encounters are cultural and there needs to be an unbiased champion or executive to help get through conflicts, especially when each team deems their part the priority. To complicate matters, DevOps’ workloads and priorities have only grown, while security’s work has become more tedious with threats becoming more complex.

Yes, integrating security into your DevOps process will add competing priorities, potential pitfalls and delays. DevOps will need to incorporate new processes throughout the development pipeline. This includes introducing automated tools to assist with the whole SecOps integration process. Many DevOps teams are already leveraging automated tools as the pushes and tests are becoming overwhelming now with the increased workload. What’s good to know, is there are many great developer tools available today due to some amazing innovation in the last few years. These tools are thorough and provide solutions throughout the DevOps process. This is especially important and efficient during the testing phases.

Place a value on security

It is crucial that security become part of the culture and everybody owns it. This is especially important if you want to successfully integrate security into your DevOps process and pipeline. Obviously, your developer and operations teams are not security experts by education or career, so their mode of thinking will not have a security focus. Managers need to ensure there are champions for security ownership throughout the teams, process and projects. Documenting, training and socializing SecOps best practice will need to become the IT organization’s mantra. Then you will start to see how this bridges the gap between security and development, but it will also spawn creativity to design and incorporate better security and efficiencies by both teams throughout the process.

As mentioned, several times earlier, the best way to get secure and stay that way is to incorporate security at the beginning and throughout the entire process. Be flexible and smart with how your managing your security activities so that the teams aren’t caught up in vulnerability catch-up or a deployment showstopper during release.

While DevOps should be incorporating the latest automation tools, it’s important that the same is adopted for many of the security tasks as well. Automated tools when leveraged well can easily reduce valuable human time, including in some of the early-mid stages of the process. Using the tools must be part of monitoring your products in production as well, so that you can respond to issues before your customers alert you to them.

No silver bullet

Deploying DevSecOps in your environment is no easy task and there is no silver bullet. Every company, team and environment are different which adds to the complexity. You will need to evaluate your entire team and processes thoroughly. From there, it will take your entire team to build a comprehensive strategy that incorporates better security into all your processes.

Lastly, as the future calls for more and more operational aspects move to the cloud, there will have to be much forethought as your environment shift happens. Technology is moving faster than we can keep up much of the time. So, keep your teams trained and involved in these discussions so they are not only supportive, but ready for the challenges as well.