DevOps is often a culture of rapid development and frequent rollouts—a culture and mentality that make it very easy to ignore security. All of the traditional challenges of trying to apply security after the fact are exacerbated exponentially in an environment where code is constantly being updated and implemented.
So, can security and DevOps coexist? The answer is “yes.” Actually, the answer is “it is imperative that they do.”
There was a very interesting session at the RSA Security Conference related to this issue presented by Andrew Storms and Eric Hoffmann, “Secure Cloud Development Resources With DevOps.”
Storms and Hoffmann stressed that trying to apply old-fashioned thinking to cloud services or DevOps is a recipe for disaster. They recognize that developers are smart and will find ways to circumvent security tools if they get in the way of efficient coding. They also reiterated that security has to be integral to development and can’t simply be bolted onto the finished product.
They suggested incorporating a shared responsibility model alongside the DevOps culture. There are challenges to coordinating this across a company, and it requires leadership and a sense of shared vision and common objectives. But if it is implemented properly, it gives a sense of ownership at the individual level—a sense of ownership that fosters a sense of pride and responsibility and leads to more secure development practices.
The two discussed a number of suggestions for developing and enforcing policies to help drive security throughout the development process. They also talked about using these ideas to rein in “shadow IT”—the rogue servers and software that employees set up without the knowledge and consent of IT.
Above and beyond the ideas that Storms and Hoffmann presented, companies that are embracing such a culture should also adopt threat-modeling techniques and employ formal secure development practices. Some guidance and resources in this area can be found in Microsoft’s Secure Development Lifecycle. Making security an integral part of the development process ensures that a DevOps culture can truly flourish.