The advantages of moving security into the DevOps lifecycle early are well-studied. For example, Puppet’s 2019 State of DevOps Report details numerous ways that both security and DevOps improve when security is integrated into DevOps earlier (aka: Shift Left).
However, the flip side of this dynamic garners far less attention: integrating DevOps principles into security. This is easier than you may think, although it has some challenges.
The first step is to get security and DevOps on the same page (or in the same universe). Merely placing security and DevOps people in the same meetings is not going to cut it. That is primarily because these two groups speak different languages. To help bridge the gap, security must adopt the methodology, structures and tooling of DevOps into their own process so there can be a common language and practices between the two. Some steps to accomplish that include:
However, let’s be honest, security professionals have a reputation for resisting DevOps tools because they were not designed for security specifically. While it is true that many of these techniques are intended to accelerate quality development, with a modest amount of translation they can be integrated to support security projects. The most common pushback is that security has dynamic procedures that do not conform well to Agile methodologies.
The reality is it takes very little effort to adapt any security project into a DevOps framework. It is merely a matter of communication. If we all speak the same language or at least learn enough to be able to communicate well, we have a significantly increased chance of continuous success.
For example, once a technology is selected and we have agreed on our architecture for a new security tool for code scanning, the first sprint can focus exclusively on getting the software properly configured. The second sprint moves on to configuring policies. A third sprint focuses on Continuous Integration and Continuous Delivery (CICD). A fourth sprint revisits the configuration for the purpose of automation utilizing the CICD integrations from Sprint 3. Ultimately, the scanning tool will be installed faster and with better alignment simply because we used a similar development cadence. In addition, the stage will be set to minimize any manual support required in the future. Security, in this example, integrates DevOps best practices.
The nuances of translating security to DevOps are a small price to pay for the benefits to be gained. When the application team and the security team are following the same method, they will have a mutual understanding and common discourse that will infiltrate across both teams’ goals and operations. This accelerates decision making, reduces miscommunication and encourages cross-team collaboration. The result is that security and DevOps form a mutually beneficial symbiotic relationship.
Because DevOps teams already work with Agile methods, the onus is on security leaders to initiate this shift. Most security professionals do not start their careers in software development. Therefore, it is likely the team will need some coaching and encouragement to stay on track. Invite DevOps teams into your house. Play in the same sandbox. In organizations that have embraced DevOps culture you will observe an evolution wherein the DevOps and Software Development teams have effectively become one regardless of organizational structure. Security teams can achieve much the same without losing any of the essence of who they are.
Another advantage of the Agile methodology and DevOps is mutual accountability. Given its atomic nature, at the end of a sprint, team members are accountable for their work to each other as well as to their superiors. This increases cooperation and transfer of knowledge, and it keeps work moving forward at a predictable pace. Moreover, this accountability comes more frequently, allowing management to identify a problem sooner. This also has the natural effect of suppressing wasteful tangential projects. Security is a complex problem, and it is easy for less experienced practitioners to become lost in the details, losing sight of the larger mission.
In high-pressure work environments where deadlines accelerate and security threats abound, we need now more than ever to understand each other. If we lack a common language, if we don’t comprehend each other’s intent, if two groups are incapable of following how the other group sees things, walls go up and trust deteriorates. A common language and structure will break those walls down, build trust and promote collaboration. When security and DevOps unite, both teams are energized to excel.
Previously published at https://www.anitian.com/closer-than-you-think-bridging-the-devops-security-gap/