DevOps has transformed how many organizations handle software development. At the same time, it challenges those organizations to find the best way to manage digital risk. It’s important to be strategic about how you approach DevOps security.
Here are three key tips regarding what to do and what to avoid when implementing security in the DevOps life cycle.
- Holistic approach. Consider the end-to-end value stream. Your product is not just the source code; it is the packages, images and configurations running in a production environment. Security needs to be addressed throughout that value stream, from architecture and source code to third-party components, the build pipeline and the operational environments.
- Shift left. Security issues are a ticking time bomb. The cost of fixing them multiplies several times over at each step of the value stream. Implementing processes aimed at identifying potential security issues as early as possible improves the flow by addressing issues at the point of origin.
- Optimize for speed. Security controls that significantly slow down value delivery will not survive for long. Automate whatever can be automated. As autonomy is increasingly recognized as one of the cornerstones of efficient engineering, the role of security professionals becomes more that of an enabler, with ultimate responsibility for product security residing with Engineering and Operations. As much as speed is a challenge that requires us to rethink how we do security, it is also a blessing: when a newly discovered security issue can be addressed and the fix deployed within a day (or hours!), the window of exposure shrinks significantly.
For a security program to be effective, it has to be closely aligned with organizational goals. Companies are using DevOps to increase velocity and deliver value to customers more quickly. Therefore, it is essential that security processes support those goals to secure the software delivery value stream for safe digital innovation.