In today’s fast-paced business environment, the division of DevOps and SecOps must be bridged to create DevSecOps
Now that the “X-as-a-service” model has taken hold, enterprise infrastructure, integration and solution delivery have accelerated rapidly. Waterfall methodology has given way to the Agile framework of rapid, continuous development and delivery. This necessitates the use of automation to speed QA and change management.
In the midst of all this change and activity, a deeper goal is to make security and compliance part of the dev process from the ground up. For this to succeed, teams must take on a DevOps mindset regarding these aspects—one that places a priority on fast delivery and automated workflows.
The tricky part is that DevOps and SecOps/compliance thus far have had different priorities.
DevOps focuses on things such as policy management, monitoring, code inspection and risk mitigation. SecOps needs to anticipate risk and ensure controls are retroactively mitigating compliance and security risk. The inherent conflict comes from the traditional view that security review should come after software development as a final check; in practice, that review instead becomes a fractious process of reconciling necessary controls into the release cycle.
Because there is a natural tension between DevOps and SecOps, as they have different charters and cultures, bringing about the idea of shared responsibility can be difficult. DevOps can be seen as more of a “do” culture (Atlassian calls this a “do-ocracy”), while SecOps can be seen as a control culture; the two are inherently in conflict. To fulfill the promise of teaming for shared responsibility, DevOps and SecOps should align on three key objectives: collaboration, communication and integration.
The Benefits of Collaboration in DevOps
Emphasizing collaboration between an organization’s operations, development, testing and support teams is what DevOps is all about. The focus is on reducing time to market and improving agility through rapid development and rollouts. However, before the process of development can begin, you need to start with a plan. The planning stage of development is where security and compliance can start to be incorporated.
Organizations need to build a system of record that can implement and orchestrate the SecOps portion of the development plan. Policies and controls can be widely disseminated across product and engineering teams to document the intention of controls, define their implementation and enable teams to collaborate with comments and feedback in one hub.
Closing the DevOps Communication Gap
There exists a communication gap between the security function and the rest of the dev organization, and it is critical that security practitioners bridge that gap. Compliance and security can be viewed pejoratively by other teams because people don’t understand them or see their relevance to users’ lives. But this, too, can be changed.
For instance, it’s better to talk about a security risk in terms of project delays and unplanned, unscheduled work rather than talking about a breach or a vulnerability. When speaking to operations teams, it’s better to talk about availability and user privacy requirements as correlated with mean response time or system uptime rather than a data breach. To succeed in a world that’s moving at the speed of DevOps, security groups need to be able to articulate control requirements in both the language and tools that DevOps lives in, such as Jira and GitHub.
Integrating Sec Into Dev
For security practitioners, the most radical process departure here is often the high degree of automation and workflow tooling in DevOps. The critical success factor for integrating security and development operations is to make control implementation easy and clear for developers to follow. For example, if the team is working toward a SOC 2 security certification, then a clear control framework broken down into tasks and issues will ensure a smooth integration of security into the dev cycle. A SOC 2 attestation will also require evidentiary verification that controls are implemented throughout the software development life cycle (SDLC), including release cadence. The final critical piece to achieving readiness for a security certification is to have integrated risk assessment, controls gap analysis and audit-ready evidence for your observation period in one central place.
DevSecOps: Greater Unity, Stronger Security
In a world where everything is offered “as a service,” the pressure is on to iterate quickly and non-stop. To make this possible, the DevOps methodology relies on the speed that comes through automation. But security is sometimes overlooked in favor of speed. That means security needs to automate, as well, to keep pace with continuous delivery. The division of DevOps and SecOps must be bridged to create DevSecOps.
Understanding the benefits of this collaboration will go a long way toward easing the transition, as will learning how to communicate those benefits in a language that appeals to all stakeholders. What will enable the collaboration is the orchestration and demystification of security and compliance for the entire dev team. When DevSecOps makes it straightforward and simple for developers to integrate security, there won’t be a reason not to, and your product and organization will be more secure.