DevSecOps: How DevOps and Automation Bolster Security, Compliance
DevOps bridges the gap between Development and Operations to accelerate software delivery and increase business agility and time-to-market. With its roots in the Agile movement, DevOps fosters collaboration between teams and streamlines processes, with the goal of breaking silos in order to "go fast."
Information Security (InfoSec) and compliance are critical to businesses across the globe, especially given past examples of data breaches and looming cybersecurity threats. InfoSec has long been thought of as the group that "slows things down" - the wet towel to your DevOps efforts - often requiring a more conservative approach as a means of mitigating risk. Traditionally, DevOps was viewed as a risk to InfoSec, with the increased velocity of software releases seen as a threat to governance and security/regulatory controls (these, by the way, often require the separation of duties, rather than the breaking of silos.)
Despite some initial pushbacks, enterprises that have taken the "DevOps plunge" have shown - consistently - that DevOps practices actually mitigate potential security problems, discover issues faster and address threats more quickly. This has led to InfoSec increasingly embracing automation and DevOps practices more and more, as the "security blanket" that enables - and enforces - security, compliance and auditability requirements. This makes DevOps a resource for InfoSec, rather than a threat.
As a philosophy, DevOps focuses on creating a culture and an environment where Dev, QA, Ops, the Business and other stakeholders in the organizations work in collaboration towards a shared goal. We now see DevOps evolving to DevSecOps - with InfoSec aligning with your DevOps initiative, and security requirements made a key tenant of your DevOps practices - and your DevOps benefits.
The Security Opportunity of DevOps DevOps provides a huge opportunity for better security. Many of the practices that come with DevOps - such as automation, emphasis on testing, fast feedback loops, improved visibility, collaboration, consistent release practices, and more - are fertile ground for integrating security and auditability as a built-in component of your DevOps processes.
DevOps automation spans the entire pipeline- from code development, testing, to infrastructure configuration and deployment. When done right, DevOps enables you to:
Secure from the start: Security can be integrated from the early stages of your DevOps processes, and not as an ‘afterthought' at the very end of the software delivery pipeline. It becomes a quality requirement - similar to other tests ran as part of your software delivery process. In a similar way to how CI enables "shifting left", accelerating testing and feedback loops to discover bugs earlier in the process and improve software quality, DevOps processes can incorporate automated security testing and compliance
Secure, automatically: As more and more of your tests and processes are automated - you have less risk of introducing security flaws due to human error, your tests are more efficient and you can cover more ground, and your process is more consistent and predictable- so if something does break, it's easier to pin-point and fix.
Secure throughout: By using tools that are shared across the different functions, or an end-to-end DevOps Automation platform that spans Development, Testing, Opsand Security - organizations gain visibility and control over the entire SDLC, making the automated pipeline a "closed loop" process for testing, reporting and resolving security concerns.
Get everyone on the same page/pipeline: By integrating security tools and tests as part of the pipeline used by Dev and Ops to deploy their updates, InfoSec becomes a key component of the delivery pipeline, and an enabler of the entire process (rather than pointing fingers at the very end!)
Fix things quickly: Unfortunately, the occasional security breach or vulnerability might come up - requiring you to act quickly to resolve the issue (think Heartbleed, for example.) DevOps accelerates your lead time - so that you can develop, test and deploy your patch/update more quickly. In addition, the meticulous tracking provided by some DevOps platforms into the state of all your applications, environments and pipeline stages greatly simplifies and accelerates your response when you need to release your update. When you can easily know exactly which version of the application, and all its components/stack, is deployed on which environment, you can quickly pin-point the component of the application that requires the update, identify the instances that require attention and quickly roll out your updates in a faster, consistent, and repeatable deployment process by triggering the appropriate workflow.
Enable developers, while ensuring governance: DevOps emphasizes the streamlining of processes across the pipeline to have consistent development, testing and release practices. Your DevOps tools and automation can be configured to enable developers to be self-sufficient and "get things done", while automatically ensuring access controls and compliance. For example, as a resolution to the growing "shadow IT" phenomena, we see a lot of organizations establishing an internal DevOps service for a dev/test cloud - with shared repositories, workflows, deployment processes etc. This allows engineers on-demand access to infrastructure (including Production), while automatically enforcing access control, security measures, approval gates and configuration parameters - to avoid configuration drift or inconsistent processes. In addition, it ensures all instances across all environment - no matter whether in Development, QA or production - are identified, tracked, operating within pre-set guidelines, and can be monitored and managed by IT.
Secure both the code, and the environments: By creating manageable systems that are consistent, traceable and repeatable you ensure that your environment is reproducible, traceable and that you know who accessed it and when.
Enable 1-click compliance reporting: Automated processes come with the extra benefits of being consistent, repeatable, with predictable outcomes for similar actions/tests, and they can be automatically logged and documented. Since DevOps spans your entire pipeline, it can provides traceability into traceability from code change to release. If you have a DevOps system system you can rely on, auditing becomes much easier. As you're automating things - from your build, test cycles, integration cycles, deployment and release processes - your DevOps automation platform has access to a ton of information that is automatically logged in great detail. That, in effect, becomes your audit-trail, your security log, and your compliance report - all produced automatically, with no manual intervention or you having to spend hours backtracking your processes or actions in order to produce the report.
DevSecOps is enables organizations to achieving speed without risking stability and governance. Security and compliance controls should be baked-in as an integral part of your DevOps processes that manage the code being developed all the way through to Production. By implementing DevOps processes that incorporate security practices from the start you create an effective and viable security layer for your applications and environments that will serve as a solid foundation to ensure security and compliance in the long run, in a more streamlined, efficient and proactive way.
About Anders Wallgren Anders Wallgren is Chief Technology Officer of Electric Cloud. Anders brings with him over 25 years of in-depth experience designing and building commercial software. Prior to joining Electric Cloud, Anders held executive positions at Aceva, Archistra, and Impresse. Anders also held management positions at Macromedia (MACR), Common Ground Software and Verity (VRTY), where he played critical technical leadership roles in delivering award winning technologies such as Macromedia’s Director 7 and various Shockwave products.