Frank Catucci discusses how incorporating security is the next step in the evolution of DevOps
TechTarget
As the evolution of DevOps continues, security measures are being integrated into product development processes. Will DevSecOps live up to its promise for enterprises?
DevOps has been a staple at Actifio Inc. since its founding in 2009.
But much like the evolution of DevOps has continued throughout the past eight years, so has the tech company’s version of it. In fact, Actifio has moved into the next iteration: DevSecOps.
The company has shifted security testing to a much earlier stage in product development, said Actifio CSO John A. Meyers. It also increased automation and gave developers, solution architects and product managers access to testing tools, too. The result: DevSecOps has spread responsibility for security to roles beyond just security professionals.
“That really embodies this movement — to get people who aren’t traditionally in this security role excited about security and find potential security risks early in the cycle,” Meyers said.
A growing number of organizations have implemented DevOps capabilities in recent years. The 2017 State of DevOps Report from Puppet and DevOps Research and Assessment states that 27% of respondents work on a DevOps team, up from 16% in 2014.
Now there’s a movement to continue the evolution of DevOps — the software engineering practice that has development and operations teams working together with the goal of building better products — by incorporating security into the mix.
The goal now is to put security on equal footing with the development and operations pieces, enabling teams to not only deliver better products but to deliver better, more secure products — and still develop them quickly.
“As we’ve automated more of the IT ops pieces, and removed the repetitive tasks and made them automated, and as we’ve moved to continuous integration, now there’s a move to improve testing so organizations can vet code before it gets merged,” explained Keith McCloskey, CTO of Blackstone Federal, a D.C.-based federal IT consulting firm focused on engineering, design, agile and cybersecurity.
McCloskey said one of the ultimate goals is to remove barriers and friction between teams in the organization, while also integrating security into existing IT practices.
“We want both dev and ops to work with security, and that’s a good idea,” McCloskey said. “If the concept of securing electronic assets is something that should be integrated into everything that IT does, then the expectation is that DevSecOps will lead to a more secure environment.”
How that evolution of DevOps works in day-to-day business, however, can be complicated because organizations will have to think and work differently, according to DevSecOps experts.
“As with anything, the actual implementation will determine how effective it is,” said Ajay K. Gupta, program chair of computer networks and cybersecurity at University of Maryland University College.
First, DevSecOps requires a shift in mindset.
Many organizations have pushed security to the end of the development process, testing code at the end of the build cycle as a final check. Executives who want to change that and move to DevSecOps instead must sell their teams on why integrating security is better.
“It’s not something that happens organically; it requires people to buy into it,” Meyers said.
Questions about speed, not quality
Although proponents generally agree that DevSecOps can increase security profiles, they aren’t on the same page when it comes to security’s impact on an organization’s ability to use DevOps for speed and agility.
Some said the increased focus on security could increase the length of time it takes to deliver a product; others said shifting security to earlier in the process would generally have either a positive impact on speed or no effect at all.
“Tightening one bolt at the end [of the process] doesn’t take that long. But when you’re doing it throughout the process, it might take longer,” Gupta said.
On the other hand, Catucci said he sees how DevSecOps could save time and money. Identifying security issues while products are in development may seem like it slows pieces of the process down. Instead, it actually shortens the overall time to release because there’s less need for time-consuming, security-related backtracking or reworking at the end, he said.
Built-in security also allows organizations to more easily identify and fix vulnerabilities in the components they lift from a precompiled library, Catucci noted.
“The earlier you identify risks in the process, the more efficient it is,” he said.
Meyers agreed, saying his company has found that to be the case as it embraced the DevSecOps principles.
“It has made a huge difference in our ability to deliver secure code,” he said. “The number of issues found has dropped dramatically since we’ve put more effort into secure development. And, I think, in the end, it saves us time and money because I don’t have to fix something that’s already out the door.”
“It’s not plug-and-play. There are certainly some plug-ins and platforms available to help, but you’re still going to need the expertise to leverage those and to make it an actual functioning process.”
Director of application security and DevSecOps, ImagineX Consulting