How to Maintain Security when Rolling out DevOps - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

09:00 AM
Kiran Chitturi, CTO Architect, Sungard Availability Services
Kiran Chitturi, CTO Architect, Sungard Availability Services

How to Maintain Security when Rolling out DevOps

DevOps may be up and running for your enterprise. Taking the time to integrate security will keep it that way.

While DevOps is relatively new to mainstream enterprises, DevSecOps is even newer. And arguably it is just as important. While DevOps is designed to move fast, that can open up vulnerabilities in security that are easily preventable with the right controls.

Development and security teams need to understand each other's goals and requirements. Some might see security professionals as purveyors of “No,” the ones tapping the brakes as the DevOps team pushes forward. Security’s job is to best manage risk. To do so, the security team needs to be integrated into the DevOps process.

In many organizations, this is a whole new process that needs to be worked out, and different organizations require different structures. Working security professionals into the process can be done a couple different ways. One model makes the global security function a part of the program management ecosystem. The other integrates security as an essential member of the development organization. There are pros and cons to each, of course. 

Image: Shutterstock
Image: Shutterstock

Whether your organization is rolling out DevOps or you’re already off and sprinting, here’s how to weave security into the process.

1) Security as part of the program management ecosystem: Pros

In this model, the program management function has a major role, ensuring that security is at the table, and trying to confirm that the requirements are documented and met. Security then performs evaluations and identifies what critical issues must be addressed. The advantage is that the security office can uniformly address the condition of a broad number of products that the company delivers. 

2) Security as part of the program management ecosystem: Cons

The disadvantage is that the security issues are typically listed on a slide for review by executives and paid attention to by one focal person in the development organization. As a result, the slides that go to executives become a roadmap for “what we have to fix” more than a prescription for “what we need to ensure the product adheres to before it ships.”

3) Security as a member of the dev organization: Pros

If the security team is part of the development organization, they do need to maintain close contact with a global security office, but they have an opportunity to be much closer to the development of the product. That means they’re working closely with feature teams, and identifying stories that must be planned into the sprints. When there are assessments to be run, those can’t wait until the end. They need to be planned into the earliest sprint that makes sense, and the resultant set of issues then becomes technical backlog to prioritize into the next sprints. The objective is, of course, products that are secure for customers, that have known assessments that can hold up to customer audit, especially for (but not limited to) federal customers. 

4) Security as a member of the dev organization: Cons

The downside is that the local security team needs to strongly connect to the global security office. Each security team that’s part of a development organization needs to rise to act as a single brain across all products; organizations can’t have any variance with respect to standards, tools, assessments, and adherence to mandates.

5) Where to include security

To enable a "continuous security" mindset, security should be covered by automated security-related test cases in the continuous integration/continuous deployment process over the following phases:

  • Build phase: use code analysis
  • Image creation and hardening: automate this phase as part of the delivery pipeline
  • Infrastructure creation phase: test using tooling like rspec/serverspec
  • Integration phase: complete sanity checks for internal/external end-points, and ensure any new workloads don’t break any security policies
  •  Regular operations: use continuous monitoring and near-real-time automated enforcement

6) Securing dev and QE labs

Though they might be forgotten, the final dimension is development and quality engineering. Both have labs in which they ensure all functionality works, scales, performs, and so on. Those labs are outstanding targets for intrusion, and security has a strong role in the evaluation and remediation of the lab environment.

Just as bringing DevOps into the fold can introduce new vulnerabilities, new systems can introduce new blind spots. But improved communication and fewer workplace silos can help address issues faster. No matter which method works best for your organization, it’s essential to have security baked into the process. DevOps may be up and running for your enterprise. Taking the time to integrate security will keep it that way.  

Kiran Chitturi
Kiran Chitturi

Kiran Chitturi is a CTO Architect with Sungard Availability Services with over 16 years of industry experience. He specializes in cloud infrastructure and DevOps transformation. Prior to joining Sungard AS, he was instrumental in Capital One’s cloud transformation journey and in setting up AIG’s next-generation incident response automation architecture. He has a Bachelor of Science in Computer Science from SREC, Coimbatore, India, and a Masters in Computer Science from the University of Texas at Arlington.

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Northwestern Mutual CIO: Riding Out the Pandemic
Jessica Davis, Senior Editor, Enterprise Apps,  10/7/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll