Security in DevOps: Aligning Operations and Security for Better Results

Things Only Get Better When They’re Brought Together

For years, software developers and IT operations teams kept their work separate. It seemed to make sense: one team built solutions, and the other team managed the implementation and support. What need did they have to collaborate? Wouldn’t they just be stepping on one another’s toes and causing problems? For many companies, that was the perception, and it often led to the two teams being kept physically apart on different floors, in different rooms, and in the case of larger companies, in completely different buildings. Almost everything about these two teams was kept separate: the KPIs they were evaluated against, customer satisfaction ratings, production timelines — everything.

This was because of the perception that software development and IT operations had separate goals and really didn’t need to be working together. Software development created and built the product, and IT operations rolled it out and supported it post-deployment. This makes sense in theory, but in reality, it typically led to some pretty messy software deployments. Teams weren’t in alignment with expectations. Operations wasn’t aware of the workload they would be inheriting. And development wasn’t required to even consider that.

That all changed a little more than a decade ago, when both teams realized that this separation was holding them back from creating, deploying, and supporting software that actually worked, made a difference, and produced positive results. Thus, DevOps was born.

DevOps is more than a process for building and supporting software, however. It’s a way of thinking about how different teams can come together to synergistically produce a better end result. It’s even been called a cultural movement — a shift from different ways of thinking to a more collaborative, relationship-based approach in which each team considers the other and aligns around individual as well as shared objectives.

Sounds great, right? Don’t get us wrong — DevOps is a great solution to a problem that troubled the software community ever since it first became “a community.” But there’s a challenge that has been growing both in size and significance over the past several years: security in DevOps — a.k.a., DevSecOps.

Why Security in DevOps?

It’s no secret that cybersecurity is an absolute for companies both large and small. The sheer number of incidents and their financial and operational impacts are astonishing. To date in 2019, cybersecurity incidents have accounted for more than $2 trillion in losses according to Juniper Research. That figure is expected to triple by 2021.

This is shocking, but what’s more shocking is the fact that only 10–12% of cybersecurity incidents that occur are reported according to the Internet Crime Complaint Center (IC3) within the FBI. All it takes for a cybercriminal to get started is just $1 to obtain a basic hacking toolkit on the dark web. While more advanced tooling may be needed to inflict significant damage to an organization, it’s becoming more and more accessible.

What does this have to do with security in DevOps? With so many threats circling organizations, it’s necessary to ingrain cybersecurity within DevOps to ensure any technology developed by an organization is aligned with its overall security strategy. It’s also necessary to bring security into the process earlier, as historically security was another major bottleneck to software release. This change in process, thinking, and workflow is now known as DevSecOps.

By integrating security into an agile software development workstream, code is developed with security testing occurring in iterations rather than upon completion of the code. As you can imagine with the latter process, any security issues that appear once code is complete would have to be directed back to engineers and developers to rework. This would create significant time delays in production and also create additional workloads depending on how far back the changes went in the development process. Engineers and developers would have moved on to new projects, which would also now be delayed due to them having to switch gears.

With a DevSecOps — i.e., security in DevOps — approach, the software is built on a secure foundation from the start, with teams communicating and updating along the way. This ensures better alignment with security best practices without causing bottlenecks or other delays in production. And any significant security issues are addressed upfront rather than once a breach or attack has occurred post-release.

Importance of Security in DevOps for CISOs

Whether your organization already has a chief information security officer (CISO) on staff or is looking to add one to the leadership team, implementing a security in DevOps approach is almost assuredly high on their list. There are two key reasons for this.

First is that through a security in DevOps approach, security infrastructure is improved and leads to a better return on investment. The logic here is sound: a better process earlier on leads to a better result later. Any additional resources invested in tooling to better automate key tasks in software development, communication, and project management as well as the additional time spent communicating and planning for improved security in development are well worth it. Considering that the average cost of a cybersecurity breach is $8 million for a U.S. company (the most expensive breaches occur here), the extra costs in personnel, tooling, and time go a long way in protecting an organization.

The second reason is that DevSecOps improves overall operational efficiency for both security and IT teams. Both teams have significant workloads to manage on a daily basis. Repeated adjustments to software, re-testing for security, and dealing with security threats that could’ve been solved earlier take time away from other high-priority tasks that these teams need to be focusing on. Through DevSecOps, IT and security can make more effective and productive use of their time while still delivering on-time and with the security and quality expected of them.

Worried About Security in DevOps? Work With the Experts

In addition to our CISO services, Inversion6 partners with companies to help them strategically align their development and IT teams for better collaboration, production, and of course, security. Improving the workstream between these two groups is only part of the benefit, as strategically, a DevSecOps approach leads to better overall output for the organization as a whole while ensuring all teams are able to move forward with confidence.

Even if your organization doesn’t have software engineers, developers, or programmers on staff, and outsources most development, the benefits of a DevSecOps mindset and approach is still something that can be imparted into other technology deliverables and production schedules. The thinking in DevSecOps applies whatever the technology asset may be — from department-based tooling to enterprise-wide solution rollouts.

Get in touch with our team today to learn more about DevOps, DevSecOps, and how our CISOs can support your organization’s strategic initiatives through a security-focused approach.