
Why Is It Such a Challenge to Integrate Security into DevOps?

By Anastasios Arampatzis.

DevOps is transforming how organizations develop software, and it lets them do so faster. DevOps applies agile methodologies to integrate and streamline the software development and operations process. The result is a faster time to market and a more efficient development process. However, DevOps processes are challenging the way security integrates with fast development cycles.

Why Is DevOps Security So Different?

In the traditional, sequential “waterfall” software development model, security testing took place only during the last stages of the process. This could mean several rounds of changes to close security gaps before the product complied with the security recommendations imposed by regulations, policies, and standards. Fixing errors and closing security gaps at the end of the software development lifecycle made the development process longer and more expensive.

Implementing a DevOps model requires collaboration between teams throughout the software development lifecycle. Change is an integral part of the development process, and the result is that secure products are produced faster. A continuous integration/continuous deployment (CI/CD) pipeline makes automation a critical part of DevOps, with builds, tests, and deployments running at set intervals.

Challenges for Integrating Security into DevOps

While DevOps promises to make applications more secure by integrating security into the software development lifecycle from the early stages, this is not the case. Introducing DevOps security presents several challenges.

DevOps Velocity

Security teams must adjust to the speed of DevOps. Long software development cycles have been reduced to just a few weeks. Coding is done by multiple dispersed teams, so not only is code being developed more rapidly, but the infrastructure is also changing rapidly through automation and agile tools. That severely reduces the time security teams have to do their due diligence.

Security should not be a barrier to agile software development and needs automation and orchestration tools that match the velocity at which developers are producing code. Without a fully automated toolchain, security can delay the DevOps process by hours or days, breaking the principles and workflows of DevOps.

To achieve this level of automation, security tools need to integrate into the CI/CD pipeline and operate at warp speed. If the security tools are DevOps friendly, most security tasks will be performed automatically in the same pipeline as the one used for developing apps. Only security issues that require human intervention will be flagged for developer action.

Instead of security hindering code production and app development, it needs to be an enabler of safe products. Even if developers do make some mistakes, these would not be disastrous. However, tools alone will not transform DevOps into DevSecOps. It also takes a culture of respect and collaboration between developers and security teams to make that work.

The Shifting Role of Security

Security teams and developers oftentimes have conflicting goals, which creates tension. Developers want to push their software into the market as soon as possible. Security teams demand thorough testing and the fixing of security flaws before anything is released. In DevOps environments, this kind of tension is not acceptable. To reduce this noise, security teams need to shift their roles.

Security needs to become a consultant to the developers. That shift will benefit security teams because, instead of being siloed, they will begin working closely with software developers and will develop an understanding of the constraints the developers are dealing with.

This shifting role will benefit the automation and velocity of the CI/CD pipeline and will result in fewer products being rejected as flawed. Productivity and time to market will improve. The creation of secure products will also increase the trust customers place in the organization, which will translate into increased revenue.

The shifting role of security, in tandem with the proper security automation tools, will minimize human intervention in DevOps processes. With security integrated into all testing phases, any problems discovered will be sent automatically back to the developer without any further intervention by the security teams.
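The automatic routing described above and in the earlier passage on DevOps-friendly tools, as an added example that is not part of the original article: a small pipeline gate that sorts scanner findings into automatic actions so that only findings with no known remediation reach a security engineer. The finding fields, severity ranks, and the blocking policy are assumptions for illustration, not any particular scanner's format or policy.

```python
from dataclasses import dataclass

# Pipeline outcomes for a single finding (assumed policy, not a real scanner's).
BLOCK = "block"        # fail the build; the owning developer fixes it, no security staff involved
TICKET = "ticket"      # build passes; a backlog ticket goes to the owning developer
ESCALATE = "escalate"  # the one case that needs a security engineer's judgement
IGNORE = "ignore"      # an accepted-risk exception already exists
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    rule: str
    severity: str                # one of SEVERITY_RANK's keys
    path: str
    owner: str                   # developer responsible for the file (e.g. from CODEOWNERS)
    fix_available: bool = False  # scanner offers a known remediation
    suppressed: bool = False     # approved exception on record

def route(finding, block_at="high"):
    """Decide, without a human, what the pipeline does with one finding."""
    if finding.suppressed:
        return IGNORE
    if SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[block_at]:
        # Severe with a known fix goes straight back to the developer; severe
        # with no known fix is where security consults the developer.
        return BLOCK if finding.fix_available else ESCALATE
    return TICKET

def gate(findings, block_at="high"):
    """Process a scan batch; return (build_passes, work per developer, escalations)."""
    passes, work, escalations = True, {}, []
    for f in findings:
        action = route(f, block_at)
        if action == IGNORE:
            continue
        if action == ESCALATE:
            escalations.append(f)
        else:
            work.setdefault(f.owner, []).append((action, f.rule, f.path))
        if action in (BLOCK, ESCALATE):
            passes = False
    return passes, work, escalations

# Constructed sample scan results, not output from any real tool.
SAMPLE_FINDINGS = [
    Finding("weak-cipher", "high", "app/crypto.py", "alice", fix_available=True),
    Finding("hardcoded-key", "critical", "app/config.py", "bob"),
    Finding("verbose-error", "low", "app/views.py", "alice"),
    Finding("outdated-dep", "medium", "requirements.txt", "bob", suppressed=True),
]
```

Running `gate(SAMPLE_FINDINGS)` fails the build, hands alice two items she can act on alone, and leaves only the hard-coded key, which has no automatic fix, for a security engineer to discuss with bob.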

Security involvement will only be necessary to consult the developer on the implications of failing to fix a security bug. For example, to explain that the lack of strong encryption, with keys reserved for production use, will result in the app being compromised within seconds of being released.

The Skills Gap

Security professionals also need new skills to better secure apps in a DevOps environment. Software developers are using a variety of technologies and platforms to help them accelerate and innovate, such as IaaS cloud platforms, containers, microservices, and APIs.

Those new skills include the ability to configure these technologies to avoid security gaps that can be exploited by malicious actors. Security teams need to have these skills for automating traditional security controls and integrating them into the development process. As we have touched upon before, integration is no longer a question. The question is how security professionals are going to integrate security into DevOps.

Although traditional security practices might still work for legacy apps and systems, the migration of businesses to cloud and DevOps practices dictates the need for security professionals to acquire new skillsets. This new foundational knowledge will help them secure assets that lie beyond the traditional corporate perimeter. New skills will also benefit professionals, making them more marketable and credible. With the skills gap reported as a major barrier to effectively implementing security controls in a perimeter-less business environment, professionals who demonstrate a solid understanding of the cloud and DevOps will become valuable assets to any organization.

Conclusion

DevOps is causing a major cultural change in security. Businesses need to embrace this change if they want to stay competitive and thrive in a shifting business environment. Security needs to be a constant consideration and not an afterthought in DevOps. Failure to “bake” security into software lifecycle processes will result in insecure applications. Adversaries are always looking for the easiest way to break into corporate networks, and an app with security gaps will make their life easier.

Security and DevOps need to overcome the differences separating them and work toward the common goal of producing reliable, friendly, and secure code.

Source: https://www.dataversity.net/why-is-it-such-a-challenge-to-integrate-security-into-devops/
