Building Security Into DevOpsBy Adrian Lane
We are excited about this research paper, because we are excited about what the DevOps approach has delivered to many organizations, both small and large, already. And even firms who have only recently started down the path toward a full DevOps process already enjoy the advantages of streamlined testing and build processing with continuous integration. Our focus for this research was on how to embed security and security testing into DevOps, leveraging automated workflows to implement security testing, and providing fast feedback to developers when something is amiss. We offer a basic overview of DevOps, followed by several perspectives on how security folks and developers can work together to engineer security into a DevOps pipeline.
From the paper:
Some folks who suggest moving to DevOps meet internal resistance, fresh off the failures to implement Agile processes. When development teams of the past decade tried to go ‘Agile’ they often ran smack into the other groups within their own firms who remained steadfastly un-Agile. This resulted in more of the same in inter-group friction and further compounded communication and organizational issues. This dysfunction can have a paralytic effect, dropping productivity to nil. Most people are so entrenched in traditional software development approaches that it’s hard to see development ever getting better. And when firms who have adopted DevOps talk about deploying code every day instead of every year, or being fully patched within hours, or detection and recovery from a bug within minutes, most developers scoff at these notion as pure utopian fantasy. That is, until they see DevOps in action – then their jaws drop.
We know plenty of you are already tired of hearing the term ‘DevOps’, and think this is just the newest overhyped flavor of Agile. Heck, even one of our associate analysts has scoffed at the claim that DevOps will have a pronounced effect on development and operations. But you don’t need to look far to see incredible success stories. When it comes down to it, DevOps is merely a way to reduce friction and leverage the full potential of your infrastructure. You can – and we know some organizations have and will – screw it up. But part of the beauty of this approach is that you quickly learn from mistakes – you can back them out and continue move forward. And it’s not magic fairy dust – it requires a radical change in organization, months of hard work to automate basic daily chores, and years to mature the pipeline. The benefits are not felt overnight – you only make small improvements on any given day, but they snowball over time. Especially paired with cloud computing, which provides granular API-level control over infrastructure, DevOps enables dramatic improvement.
Our thanks to Veracode for licensing this content so we can bring it to you free of charge!
Here is the paper: Building Security Into DevOps (PDF).