As the heir apparent to Agile, DevOps brings a lot of the methodology's traits to the table — including some of its flaws.
Or, more accurately, its supposed flaws: As CA Veracode has shown, the security concerns associated with Agile are avoidable, and it's the same way with DevOps. In the context of rapid deployment, i.e., the main tentpole of DevOps philosophy, that can mean a few things. Take a look at how a product under a rapid-deployment schedule can still be secure, and how DevOps helps enable that.
To understand how security and DevOps work together, you must first know how connected DevOps and rapid deployments actually are. Whether you're still on a traditional release cycle, or you deploy a gazillion times a day like all those hotshot Internet start-ups, you're aware that DevOps largely exists to make Agile-style rapid deployments speedier — a business-friendly goal that boosts all sorts of metrics execs love to see flourishing.
The alleged problem with this is the notion that speed kills. Traditional thinking says, when release schedules are restructured to promote speed, security is generally the first thing to suffer. When you're sending out multiple releases a day, after all, it becomes borderline impossible to verify everything that hits the gates. That's especially true when traditional thinking is paired with traditional security testing measures. But in many ways, DevOps actually enhances security to match its inherent speed.
In a lot of ways, DevOps creates speed by asking developers and designers to think about everything faster — security included. Where other ways of thinking fail to include security personnel on early design planning and discussion, DevOps wants all critical personnel (where relevant) there from the very beginning, allowing them to nip possible conceptual errors in the bud before they have a chance to manifest themselves in the designs, or worse, the product itself.
This early inclusion is a prime example of the teamwork and interplay DevOps encourages, and it brings benefits that spread throughout the product's lifecycle. This intimate approach to building a product ensures future iterations see the same level of security-minded share and — from a long-term perspective — teaches developers and security folks a little more about one another's jobs. Whether you want your engineers to be more security minded or your security people to make more practical requests, the focus on multifunctional players can be a huge boon.
Then there's the fact that, in many ways, the ability to deploy rapidly is a strong security feature in and of itself.
Think about it: Despite everyone's best efforts, breaches and security errors do happen; scary as it sounds, practical security is more about stopping the flaws of the past from reoccurring than it is theorizing ways to prevent the attacks of the future. When a novel attack does happen or a known exploit slips through the cracks, being able to send up a new, secure iteration of the same product with haste is the kind of thing devs and security personnel alike would love to have.
Another DevOps rule straight from the Agile handbook can be understood simply: If you can automate it, do automate it. Instead of manually repeating a process — and thus subjecting it to the specter of thoughtless error every time it's undertaken again — putting the computers to work on as many things as possible helps promote the rapid deployment part of the process and, if handled properly, the security part as well. What's more, it frees up your employees for more important tasks, such as collaborating with their multidisciplinary teams on the next product iteration.
It also allows those teams to test code earlier in production, reducing the so-called "window effect": Instead of wasting good code to repair an error that slipped by, early catches mean early fixes and thus improved efficiency, faster time to market, etc.
To be clear, there's still a place for security personnel in the DevOps world — the methodology just prefers to use them where they're needed most. That's the sort of move that enhances security from every angle, not to mention a big reason behind DevOps's explosive popularity of late.
DevOps is coming. Sooner or later, it's fair to assume your office will adopt some of the practices the movement preaches. Whether you're looking for better teamwork or faster time out the door when it happens, keep in mind that security doesn't have to suffer in the name of speed — no matter what conventional knowledge says.
Photo Source: StockSnap