The adoption of DevOps practices, tools and principles is seen by many software development organizations as an essential step in keeping up with the demand to develop and ship innovative applications with greater frequency and agility.
However, integrating security into a DevOps culture is proving to be challenging. The scale of the challenge involved is backed up by a DevOps security report which found that just 46 percent of organizations have incorporated security teams’ practices and tools throughout the entire process.
With cybercriminals continuously looking for ways to exploit security flaws in applications, data breaches are becoming more common. The time has come for more organizations to prioritize integrating security into DevOps in order to defend properly against threats.
This article describes six noteworthy DevOps security challenges going forward and some best practices to overcome them. Check out this DevOps security resource for more on shifting security to the left in a DevOps landscape.
Security Teams Getting Up To Speed
Security teams have to make compromises if they want to integrate into DevOps, and one of the main challenges is getting up to speed with fast development cycles. DevOps teams produce code more rapidly than under older waterfall approaches, and the tools and infrastructure they use evolve rapidly through automation.
Security professionals need to recognize the need to get up to speed with DevOps and introduce a level of automation into their own practices that lets them keep pace with development rather than slow it down. DevOps-friendly security tools are those that allow security procedures and checks to be conducted in an automated, rapid manner.
Developers tend to prioritize the functionality of the applications they build over watertight code security. Expert security knowledge is lacking, and resistance to learning about security might be high, whether due to esoteric training materials specifically written for application security personnel or inconsistent advice they find online.
Security teams can attempt to overcome this resistance by using tools that integrate into the development environment. Such tools can highlight risky code snippets, giving developers the chance to learn some best practices for software security on the job, without consulting technical manuals.
Security Professionals Upskilling
For security personnel to improve application security in DevOps without slowing down development cycles, they need to upskill. Security teams need to become familiar with writing basic code and scripts and with making API calls.
This type of upskilling provides the means with which security can be integrated into the development process through automated checks and processes.
DevOps has at its foundation collaborative teamwork between developers and operations. To incorporate security into DevOps, this collaborative approach needs to continue, with an emphasis on teamwork so that each type of professional learns to work with the others and to respect the knowledge all parties bring to the table.
Business stakeholders are responsible for ensuring this challenge is met by making sure a culture of teamwork thrives.
Changing Security Roles
With the need to automate many of the security checks applications go through before going live, security professionals need to adapt to the role of consultant as much as they need to upskill. Once the desired level of automation is achieved, software security professionals can shift towards explaining the severity of particular vulnerabilities and answering the questions developers have about different security issues.
Achieving compliance with regulations such as HIPAA, GDPR or PCI DSS is vital for a huge number of software development companies, and the consequences of non-compliance are often severe, both in monetary terms and for business reputation.
The issue is that DevOps is traditionally more concerned with maximizing efficiency and fast turnaround times, while security is more concerned with minimizing risk and achieving compliance.
Again, this is where security personnel can implement automation, with compliance controls and audits built into the development pipeline. The data gathered from these automated checks, including access control configurations and logs, gives the security team proof that their controls are working as intended.
Implementing security in DevOps presents a number of significant challenges. Meeting these challenges is the only way forward if organizations want to properly combat the growing problems with application vulnerabilities and data breaches while releasing software with the agility and consistency demanded in DevOps culture.