DevOps bridges the gap between Development and Operations to accelerate software delivery and increase business agility and time-to-market. With its roots in the Agile movement, DevOps fosters collaboration between teams and streamlines processes, with the goal of breaking silos in order to 'go fast'.
It also provides a huge opportunity for better security. Many of the practices that come with DevOps, such as automation, emphasis on testing, fast feedback loops, improved visibility, collaboration, consistent release practices, and more, are fertile ground for integrating security and auditability as a built-in component of your DevOps processes.
DevOps automation spans the entire pipeline, from code development, testing, to infrastructure configuration and deployment. When done right, DevOps enables you to:
Secure from the start
Security can be integrated from the early stages of your DevOps processes, and not as an ‘afterthought’ at the very end of the software delivery pipeline. It becomes a quality requirement – similar to other tests ran as part of your software delivery process. In a similar way to how CI enables 'shifting left' (accelerating testing and feedback loops to discover bugs earlier in the process and improve software quality), DevOps processes can incorporate automated security testing and compliance
As more and more of your tests and processes are automated – you have less risk of introducing security flaws due to human error, your tests are more efficient and you can cover more ground, and your process is more consistent and predictable – so if something does break, it’s easier to pinpoint and fix.
By using tools that are shared across the different functions, or an end-to-end DevOps Automation platform that spans Development, Testing, Ops, and Security – organisations gain visibility and control over the entire SDLC, making the automated pipeline a 'closed loop' process for testing, reporting, and resolving security concerns.
Get everyone on the same page/pipeline
By integrating security tools and tests as part of the pipeline used by Dev and Ops to deploy their updates, InfoSec becomes a key component of the delivery pipeline, and an enabler of the entire process (rather than pointing fingers at the very end!)
Fix things quickly
Unfortunately, the occasional security breach or vulnerability might come up – requiring you to act quickly to resolve the issue (think Heartbleed, for example.) DevOps accelerates your lead time – so that you can develop, test and deploy your patch/update more quickly. In addition, the meticulous tracking provided by some DevOps platforms into the state of all your applications, environments, and pipeline stages greatly simplifies and accelerates your response when you need to release your update.
Enable developers, while ensuring governance
DevOps emphasises the streamlining of processes across the pipeline to have consistent development, testing, and release practices. Your DevOps tools and automation can be configured to enable developers to be self-sufficient and 'get things done', while automatically ensuring access controls and compliance. For example, as a resolution to the growing 'shadow IT' phenomena, we see a lot of organisations establishing an internal DevOps service for a dev/test cloud – with shared repositories, workflows, deployment processes etc.
This allows engineers on-demand access to infrastructure (including Production), while automatically enforcing access control, security measures, approval gates, and configuration parameters – to avoid configuration drift or inconsistent processes. In addition, it ensures all instances across all environment – no matter whether in Development, QA, or production – are identified, tracked, operating within preset guidelines, and can be monitored and managed by IT.
Secure both the code, and the environments
By creating manageable systems that are consistent, traceable, and repeatable, you ensure that your environment is reproducible, traceable, and that you know who accessed it and when.
Enable 1-click compliance reporting
Automated processes come with the extra benefits of being consistent, repeatable, with predictable outcomes for similar actions/tests, and they can be automatically logged and documented. Since DevOps spans your entire pipeline, it can provide traceability from code change to release. If you have a DevOps system system you can rely on, auditing becomes much easier. As you’re automating things – from your build, test cycles, integration cycles, deployment and release processes – your DevOps automation platform has access to a ton of information that is automatically logged in great detail.
That, in effect, becomes your audit trail, your security log, and your compliance report – all produced automatically, with no manual intervention or you having to spend hours backtracking your processes or actions in order to produce the report.
By implementing DevOps processes that incorporate security practices from the start, you create an effective and viable security layer for your applications and environments that will serve as a solid foundation to ensure security and compliance in the long run, in a more streamlined, efficient, and proactive way.
Anders Wallgren, Chief Technology Officer at Electric Cloud