Is DevOps the Holy Grail for information security?

DevOps is the computing philosophy that, through unified agile software development and business operations, you can improve your products and time to market. But does it actually improve information security?

“Instead of trying to slow the process down, contribute and grow to make for a more secure environment.”

Despite this, and the push by some to progress DevOps to DevSecOps, not everyone agrees that the DevOps and InfoSec partnership is a harmonious match.

There are those that say it can cause problems for the security team, most notably making it harder to understand the risks facing your organization.

With traditional IT, development and deployment times can be long, meaning that the security team has the time and resources to check the code and harden security at the end of the development cycle.

But with DevOps, getting visibility into those gaping holes before an application is launched is more difficult because there is little time to ensure that security is hardened. After all, how can you check security when DevOps advocates like Amazon AWS are releasing code on average every 11 seconds?

In addition, others say that DevOps can automate the wrong processes, and ultimately move the firm away from measuring the actual security and compliance risks. This can create a false sense of security.

Adoption challenges

Like any new technology concept, DevOps does have numerous challenges to mainstream adoption.

First and foremost is arguably the name itself. Some argue that the continuous development of IT has been around for years, while other cynics suggest – as this article does – that some data center providers are simply using DevOps as marketing spin.

Board executives often want a definite ROI established before going ahead with any project, while there is the non-trivial task of rolling out a DevOps awareness program to make the transition as smooth as possible.

And it appears as though these issues are holding some firms back; last month, a study sponsored by CA Technologies suggested that only 20 percent are adopting DevOps, with the majority of organizations failing to address ‘the key requisites for revenue growth’.

The study added that most companies fell down on having a business-led approach, as well as the appropriate skills and IT resources.

Consequently, there is clearly some way to go before DevOps is mainstream and its security benefits are realized by all organizations.

Ultimately though, it’s tough to disagree with Microsoft CEO Satya Nadella’s assertion that every business will become a software business in future, with DevOps – so long as security is integrated – playing a pivotal role.

This story, "Is DevOps the Holy Grail for information security?" was originally published by CSO.

Copyright © 2016 IDG Communications, Inc.
