DevOps and SecOps: Resolving the Rift Between Development and Security
Helping DevOps and SecOps teams work together in harmony for better security
Developing a new application or service can be an exciting, energizing task for a business. We get caught up in the whirlwind of innovation and push hard to get it out to the general public as fast as possible. Traditionally, developers created and launched software without much thought to the security of the technology: for one thing, it didn’t seem to matter as much, and for another, security measures can be time-consuming.
But as data encryption becomes ever more important in the eyes of the consumer, the gaps left by underdeveloped security can have serious negative effects. To combat the complacency some companies display regarding security, it must be integrated at every level of development.
Development and Operations
DevOps is the collaboration between developers and network operators which seeks to ensure a product is launch-ready. In bygone times, developers had little interaction with any other departments, but as the industry has diversified they have had to integrate to a much greater degree.
Also, as networks have had to work harder and now require more resources, it has become necessary for network operators to enlist the developers to identify potential flaws. Under this model, software needs less testing and runs more smoothly.
The DevOps team is often duty-bound to get to launch as quickly and smoothly as possible, with a view to ensuring usability and quality. However, this emphasis on speed of delivery often continues to leave security as an afterthought.
Security and Operations
Before software businesses hired teams dedicated to security, the responsibility often fell to network operators as well. This can be a significant conflict for the network operator, whose job, after all, is to keep the network going. Fighting potential security threats in addition to this is an inefficient model.
So as security began to take center stage in network operations, businesses began to create specific teams whose duty was to guard the network against breaches. Working alongside operators to make use of the combined knowledge, these teams became known as SecOps.
Ensuring security requires a detailed and thorough approach to network operation. Often this means that the networks suffer from a certain amount of latency, as security protocols take up processing power.
How to Heal the Rift
For many of those who work in DevOps, there is a view that those who work in SecOps are working at cross-purposes with them. But users value security, and if developers don’t pay attention to security at every step of the way, the best software in the world is likely to earn a bad reputation. It is worth finding points of confluence with SecOps so that security is layered into development.
This can be done by picking individuals from each team, conduits who can learn the language of the other and share important knowledge. By closing the easier security gaps early in development and building from there, SecOps and DevOps can work together as the project progresses.
To combat security shortfalls, a software company can make use of open source tools. Cross-training can ensure that both SecOps and DevOps understand the use of these tools, such as automated security checkers and continuous integration tools.
With a policy of constant communication between both departments, a company can transform a “development first” culture. The goal is to ensure that security is seen as a fundamental aspect of the product, and building an integrated DevOps and SecOps team will dispel the notion of security as an afterthought.