In Search of Secure DevOps

If you are of a certain age, you may recall seeing ads for Reese’s Peanut Butter Cups that depicted a scenario where chocolate and peanut butter are accidentally combined, changing the landscape of candy manufacturing…forever!  As a big fan of Reese’s Cups myself, I wholeheartedly agree that combining chocolate and peanut butter in the right measure is life-changing.

The same can be said for combining the automation and production-first mentality of Operations with the agility and innovation of the Development world.  When developers and operations come together to work toward one goal, DevOps happens. It promises increased collaboration, which helps enterprises automate, become more agile, and eliminate waste to create a more reliable infrastructure.

Many enterprises claim that automated development practices have accelerated software development to a speed well ahead of what traditional methods deliver. Netflix is one of them, having pioneered the development technique for many industries.

Security Concerns

In 2016, Puppet’s State of DevOps Report revealed that high-performing IT organizations that use the DevOps approach are able to deploy 200 times more frequently than lower performers. Some cynics in security circles contend that the sheer speed of development weakens security. When development moves too swiftly, security teams may simply not be able to keep up with testing, detecting problems, and quality control.

Some critics also claim that there is still a lack of maturity with emerging DevOps tools. This includes issues such as tricky integration with enterprise directory services, lack of access control, and weak configuration checks.

This line of criticism rests on a fallacy known as “The False Cause,” defined as “presuming that a real or perceived relationship between things means that one is the cause of the other.” Just because some people do DevOps badly doesn’t mean that DevOps is bad. The trick to innovating is to measure twice and cut once. To do so, it is imperative that your architects and lead engineers work together from the outset to build a process that works for each department. This is more achievable than you think when you look at DevOps as a journey and not a destination.

Experts in Defense of DevOps

Gartner analyst David Cearley says that developers and operations teams working together is good as long as security is an integral part of the development process from the start. He adds that firewalls and other border defense tools are not enough these days, when cyber criminals are flexing more muscles than their security counterparts.

Forrester analyst Kurt Bittner believes that DevOps is a very structured and controlled environment where testers and auditors get visibility into what is being built. They can perform various testing activities such as code scanning, security-related testing, proposing peer review, or recommending additional security features.

David Mortman, chief security architect for Dell, defends DevOps if it’s done right. He says that this development model improves software security. Developers use tools to automate testing, limiting human intervention and even unauthorized manual tweaking in the process.

The CIO at the Center of DevOps Security

Enhancing security involves the coordinated execution of activities among people, processes, and technology. Traditionally, security people have their own lingo – risk, vulnerability, breach, exposure, compromise – that often exudes negativity. Developers fear that development could be stalled if every security-related issue is brought up during the development process. The security group is consulted last, given a minor role, or forgotten altogether. Clearly, there still exists a cultural divide among developers, the operations group, and the security team.

CIOs should be prepared for a difficult culture shift in their IT organizations. Confronting each team’s preconceived notions and biases and implementing a unified approach to development, operations, and security are huge challenges that CIOs need to address. However, don’t forget that top-down management will only get you so far with your IT teams. Take it from us — the side effect of good automation is good behavior.

If you want to learn more about DevOps, visit us at Coda Global today.
