Securing DevOps: Enough With the Cynicism

By Jessica Lavery
January 23, 2017

If an industry continuously talks about how a trend is going to be a hurdle, it becomes a hurdle. Conversely, if an industry views the trend as an opportunity and talks about it in such terms, thinking shifts toward the potential this trend brings for improvement. We are seeing this phenomenon with DevOps, but not in a good way. Security professionals are talking about the hurdles of securing applications in DevOps environments. But the truth is the DevOps culture creates an opportunity for us to improve application security. 

We in the security industry have a tendency to go negative. It’s not completely our fault; we’ve been conditioned to look for the worst-case scenario in an effort to keep our businesses and personal lives more secure. The ability to “find the problem” rather than look on the bright side can be a valuable skill in the battle against cybercrime.

We’ve also become cynical. After years of talking about the importance of issues like strong passwords, only to go on vacation and find the vacation home’s WiFi password is 1234567890, or about secure components only to find that 97% of Java applications have at least one vulnerable component, who can blame us? Being cynical can help security professionals stay more in tune with reality than with the ideal state.

But it’s time to knock it off.

Our tendency to go negative or be cynical means that when a trend like DevOps is introduced, we start hemming and hawing about the absence of security. “Why isn’t it Dev-SEC-Ops?” we cry. Or we fret that the concept of continuous integration and deployment creates a huge barrier for security by presenting continuous occasions for vulnerabilities to be introduced. And all of a sudden, a trend that has positive implications for development and operational teams, as well as businesses, becomes a threat.

Knock it off, security friends. Rather than look at DevOps as yet another way we are going to be insecure, let’s see this for the opportunity it really is – a chance to build security into a system that values cross-team collaboration, continuous improvement and quality. Continuous improvement and continuous deployment don’t create opportunities for vulnerabilities; they create opportunities for continuous security testing. The collaborative culture of DevOps creates an environment where operational teams, developers and QA all work together in continuous release cycles to produce high-quality, functional code. This makes secure code no longer the domain of one team, but instead the responsibility of all teams, including the development team.

Security professionals have an opportunity to embrace the DevOps culture and create an environment where secure code is part of overall code quality. DevOps provides well-defined systems and processes for developing applications, and these processes have logical and easy points at which security can be integrated. Injecting security into these processes early on makes DevOps an enabler of security, rather than another hurdle to overcome.

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro and Sophos, where she held roles in corporate communication and marketing.