Building Security Into DevOps Processes

August 20, 2020 Ruth G. Lennon

Building security into DevOps

The pressure on DevOps 

DevOps teams are under tremendous pressure to understand and implement security principles while meeting software delivery deadlines. 

There is an expectation that DevOps practices will enable the business mandate of managing speed and security. We know security is a top business concern because of the increasing number of regulations and standards. Internally, however, it is largely viewed as a low-level technical activity because of its association with software development processes and operations. 

While business stakeholders often support training programs, the execution of these programs are often rushed in an attempt to comply with regulations that require a minimum perceived level of security understanding.

For DevOps teams, this is in addition to the existing pressure to release products as fast as possible while maintaining existing quality standards. 

Bringing DevOps and security together for proactive security

We talk about "building security in" as a proactive way of managing security concerns. It is about “shifting left” and injecting security requirements early in the application development lifecycle and tracing them into a production environment. 

This is in contrast with the traditional approach of testing for security only after a software or product has been built. 

“Building security in” implies a common understanding of security across development and operations. Rushing headlong into a discussion on security controls without a base level awareness and understanding of security concepts simply adds to the confusion. 

This is often expressed as security slowing down DevOps teams, or security misunderstanding DevOps challenges. We need to bring our teams in a systematic and deliberate way, starting with their current knowledge.

Grow gradually through collaboration

When building out a security program, start with the fundamentals. 

Focus on where your teams are today. If they have limited knowledge about security, create an environment where they can talk as peers with other teams. You can create a security awareness program or use security techniques like misuse cases that are functionally based. Sustain the momentum by creating appropriate metrics that the DevOps teams can track against. Keep the metrics that are aligned with business priorities and current skills. Eventually, DevOps teams should start to recognize common security patterns in the application lifecycle.

Once your DevOps teams understand the fundamentals of security awareness and have a bit of experience applying that to their work, you can start introducing increasingly mature concepts.  Introduce DevOps teams to public material made by OWASP, NIST, and ISO once they understand security terminology.

Improve collaboration and involve your security teams in educating the DevOps teams. Create metrics that are related to business priorities like PCI or GDPR compliance. That will provide the business with valuable information around the security posture of its software and product portfolio. It will also demonstrate the business value of DevOps in the context of risk management.

As more DevOps teams get comfortable with security, it may be a good idea to capture security knowledge in a cross-functional repository. This will allow you to integrate knowledge from different teams and gain valuable security insights. Establish metrics that reinforce the responsibility of keeping the knowledge up-to-date as a reflection of security becoming everyone’s responsibility. 

Bringing a change in DevOps culture

In the end, building a security program intentionally helps ensure a solid foundation for the future. The goal of a security program is to eventually bring a change in the DevOps culture where teams proactively reach out to security experts and offer their opinions about strengthening the security posture.

You will then have a culture that will help scale the reach of security engineers and ensure developers and operations teams are aligned with business performance.

About the Author

Ruth G. Lennon

Ruth Lennon has 20 years of experience as a lecturer in the Department of Computing at the Letterkenny Institute of Technology, Ireland. Ruth's research interests focus on enterprise-scale systems with particular focus on DevOps and Cloud technologies. She has been a member of many technical panels and committees including NSAI/TC 2/SC 11 on distributed systems and ISO/IEC JTC 1/AG 3 "Open Source Software". Ruth is a member of the working group developing the P2675 DevOps standard. Ruth’s goal in DevOps is to ensure that security and performance are seen as core to development projects just as it is in configuration projects. Ruth has worked on security projects in the area of threat modeling and security reviews. In addition, Ruth is a member of the ACM, ACM-W, IEEE, IEEE-WIE, and the IEEE Computer Society. Ruth also chairs the ACM-W Europe.

More Content by Ruth G. Lennon
Previous Article
Accelerating Digital Transformation in Banking: Why a Strong Security Program Is Key
Accelerating Digital Transformation in Banking: Why a Strong Security Program Is Key

Building security into a bank’s digital transformation plan enables financial institutions to move at the s...

Next Flipbook
Securing Your Data in the Cloud: Threats and Mitigation
Securing Your Data in the Cloud: Threats and Mitigation

Cloud migrations offer flexibility and many benefits to organizations, but, it also raises concerns about d...

Find out how our solution builds security and compliance into software.

Get a Free Demo