It's no secret that DevOps was designed to address the drawbacks of traditional "waterfall" and "scrum-but" development practices over the years. And while new ways to build software are about as common as unique startup business models these days, it's clear the methodology is at least successful at addressing some long-standing issues. If your goal is to improve interdepartmental communication or enable high-velocity delivery of new software capabilities, there's no shortage of evidence in favor of making the switch to DevOps.
What's less clear is how DevOps and security can work together and, in time, help you build a stronger business. Can the tools, tricks and philosophies introduced by the methodology help businesses harden their digital security practices? If so, how?
Applied to the challenges presented in CA Veracode's "SANS Survey on Application Security Programs and Practices," the answer is resoundingly positive. DevOps's flexibility, combined with its focus on automation, make it easy to confront — or, when applicable, sidestep — many major security concerns, even when the business in question faces idiosyncratic size or scalability issues.
In 2014, according to the SANS Survey, approximately 17 percent of respondents said they didn't have security programs in place. Worse, they said they had no immediate plans to start them.
To be clear, DevOps can do nothing for organizations that have no interest in securing themselves. For others, such as smaller organizations just establishing strong online footprints and businesses that take ad hoc approaches or plan to build programs soon, its early-and-often approach to AppSec is perfect because it places security at the forefront from the very beginning.
When you don't fully understand the concepts behind security, the ad hoc approach sounds fine: a problem arises, you deal with it, and then you move on. DevOps takes that idea to task, however, attacking the conceptual errors that cause security flaws by mandating the inclusion of security from the early moments of the software development lifecycle (SDLC). It also encourages the use of small, multidisciplinary teams, further ensuring security issues are dealt with at their earliest and least expensive stages.
At the conceptual level, in other words, security and DevOps are in lockstep from the very beginning. Considering the fact that security flaws can stem from any stage of the SDLC, that makes it perfect for organizations looking to rebuild their security programs and policies, as well as those looking to build them from the ground up.
Web apps are crucial parts of most businesses' operations, but they also pose big security risks; in fact, 38 percent of respondents called them the biggest digital security risk their respective organizations face.
Here, DevOps and security go hand in hand. Because much of the DevOps philosophy builds itself around the idea of fast iterations, it naturally lends itself to the way businesses build all sorts of web apps, both internal and external. Beyond that, its affinity for automated security solutions helps organizations keep their perimeters safe regardless of the size and number of uncharted areas.
The "fast iteration" part of the equation here is best applied to companies with web apps that need a fair amount of tweaking — those in heavy use, for example. Instead of waiting on multiple small fixes or the introduction of a large fix or feature to roll an update out, rapid iterations mean nipping problems in the bud as soon as you notice them.
Finding the problems is easier, too, thanks to those automated security measures mentioned earlier. The larger your digital perimeter becomes, the harder it is to maintain, which is especially true for bigger companies that tend to utilize the web in more ways and have more departments out of contact with one another. Automated tests can scan for problems within those perimeters, tracking down potential points of entry in both new apps and forgotten legacy sites and apps. Automated solutions from platforms such as CA Veracode's enable similar scanning measures for other apps, including those built by or containing code from third-party vendors, further highlighting how DevOps and security can work together.
Don't write off the marriage of DevOps and security practices. There's a lot of good advice within the methodology, and it'll only get better as companies find improved ways to blend its best practices with their own security measures. While it doesn't address DevOps directly, check out CA Veracode's report. Whether or not you plan to make the switch to DevOps, learning how other companies handle security is a great first step to improving your own measures.
Photo Source: Wikimedia Commons