DevSecOps: Should Your Business Wrap Security Into the DevOps Process?
DevSecOps, a term originally coined “DevOpsSec” by Gartner analyst Neil MacDonald in 2012, is a new approach to team productivity that combines the efforts of information security and DevOps teams to foster the most productive environment possible. At first, DevSecOps focused primarily on automating code security and testing, but it has since evolved to include more operations-centric controls.
Bringing Security Into the DevOps Process
When brought into DevOps, security practitioners can script and monitor security controls at a larger, more dynamic scale. Organizations also benefit when security teams incorporate the following into the DevOps process:
- Event monitoring;
- Patch management;
- User and privilege management;
- Vulnerability assessment.
Further, when dynamic and static code testing is integrated into the development and promotion life cycle, it enables development and security teams to more quickly detect and fix major code flaws.
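As an added example, not code from the original article, here is a minimal promotion gate that reads a SAST or DAST tool's SARIF output and blocks promotion when major findings are present, while honouring a triaged suppression list so accepted findings do not slow delivery. The tool name, file paths and findings in the sample document are constructed.

```python
"""Promotion gate over SAST/DAST findings in SARIF format (added example)."""
import json

# Constructed sample SARIF 2.1.0 document, as a SAST tool might emit for one commit.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},  # placeholder tool name
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "Possible hard-coded credential"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "tests/fixtures.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "weak-random", "level": "warning",
             "message": {"text": "random.random() used to build a session token"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/tokens.py"},
                                                 "region": {"startLine": 15}}}]},
        ],
    }],
})

def collect_findings(sarif_text):
    """Flatten SARIF results into (level, ruleId, path, line) tuples."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            # SARIF's default level is "warning" when a result omits it
            findings.append((res.get("level", "warning"), res.get("ruleId", "?"), path, line))
    return findings

def promotion_gate(sarif_text, block_levels=("error",), suppressed=()):
    """Return (allowed, blocking): blocking lists findings that stop promotion.
    suppressed holds (ruleId, path) pairs accepted after triage, e.g. a test fixture."""
    blocking = [f for f in collect_findings(sarif_text)
                if f[0] in block_levels and (f[1], f[2]) not in suppressed]
    return (not blocking, blocking)

if __name__ == "__main__":
    ok, blocking = promotion_gate(SAMPLE_SARIF, suppressed={("hardcoded-secret", "tests/fixtures.py")})
    for level, rule, path, line in blocking:
        print(f"BLOCK {level} {rule} at {path}:{line}")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

Run as a pipeline step between the test and promotion stages, the non-zero exit stops the promotion while the printed lines tell the developer exactly which rule and file to fix.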
How DevSecOps Is Changing Businesses
In the past, many businesses were reluctant to bring security into the DevOps process because traditional security minimizes risk by slowing things down. Minimizing risk is valuable, but a slower process doesn’t work well for today’s fast-moving, technology-dependent businesses.
IT operations traditionally require thorough testing of every patch before deployment, whereas large cloud environments such as Netflix push hundreds — sometimes even thousands — of code changes per day. As more organizations move toward this model, security will need to find a way to adapt.
Gartner analyst David Cearley explained to TechTarget that adding security to a company’s DevOps program forces CIOs and their teams to think about security at the start of the software development process, rather than as an afterthought. The article also states that for organizations to establish a successful DevSecOps program, security will need to work alongside operations and development to embed security controls and processes throughout the DevOps process. Cearley notes that CIOs must insist on collaboration between security and DevOps teams by demanding a “unified approach for how we’re going to be able to develop, secure, operate and manage the services we’re delivering to our users.”
Does It Work?
While DevOps is in its early growth phase, security has the perfect opportunity to join the process and align its goals with operations and development to become a valuable member of the DevOps team. The key to successful implementation, however, is for security to be flexible and adapt to the faster rate of change that more organizations need as they jump into today’s cloud environment.