There's a fear with DevOps that it could mean bad, bad things for information security. The increase in automation, the decrease in cycle times, and cross-functional teams are a death knell for security, right?
Not exactly. While it's fair to say that the concept of standalone security teams doesn't really fit in with this relatively new paradigm, that doesn't necessarily mean that good security practices don't have a place in DevOps. In fact, in some ways, the security of your product stands to be improved by DevOps.
The most obvious benefit in DevOps security is that teams can build in protections earlier in the dev cycle, putting production code in a better spot to handle real-world attacks. Just like any other aspect of DevOps, security testing and simulated attacks can be automated and inserted as part of the development process; dynamic application security testing technologies in particular can help with this approach. Code analysis tools can also be used early on to detect weaknesses and address them prior to deployment.
External threats, however, aren't the only way that the security of your product can be compromised. A 2016 SpiceWorks survey found that IT pros ranked user error highest among risks to IT security. The good news, though, is that DevOps security tools and testing are exactly the fix that businesses need to prevent slip-ups that could expose them to risks. Configurations can be standardized into templates, for example, and increased automation of certain basic tasks can help make typographical errors a thing of the past.
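To make the two ideas above concrete, here is an added example (not code from the article or from any vendor it mentions) of a minimal pre-deploy security gate: one function fails the pipeline when scanner findings reach a severity threshold, and another validates a deployment configuration against a template so that a typo in a key name or a wrongly typed value is caught before it ships. The scanner findings, the template keys and the config values are all constructed sample data, not the output or schema of any real tool.

```python
"""Minimal pre-deploy security gate (added example with constructed data).

Check 1: block the build on scanner findings at or above a severity threshold.
Check 2: validate a config against a template so key typos and bad values
         never reach production.
"""
from dataclasses import dataclass

# Severity ordering used by the findings gate (constructed, not a tool's scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    rule: str       # hypothetical rule id, e.g. "sql-injection"
    severity: str   # one of SEVERITY_RANK's keys
    location: str   # file:line


def gate_findings(findings, fail_at="high"):
    """Return (passed, blocking): blocking lists findings at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f.severity.lower(), 0) >= threshold
    ]
    return len(blocking) == 0, blocking


# Config template: each allowed key maps to a validator for its value.
# Any key not listed here is rejected, which is what catches typos.
CONFIG_TEMPLATE = {
    "tls_min_version": lambda v: v in ("1.2", "1.3"),
    "debug": lambda v: isinstance(v, bool),
    "allowed_origins": lambda v: isinstance(v, list)
                                 and all(o.startswith("https://") for o in v),
    "session_timeout_minutes": lambda v: isinstance(v, int) and 1 <= v <= 120,
}
REQUIRED_KEYS = {"tls_min_version", "debug"}


def validate_config(config):
    """Return a sorted list of problems; an empty list means the config matches."""
    problems = []
    for key in sorted(REQUIRED_KEYS - set(config)):
        problems.append(f"missing required key: {key}")
    for key, value in sorted(config.items()):
        check = CONFIG_TEMPLATE.get(key)
        if check is None:
            problems.append(f"unknown key (typo?): {key}")
        elif not check(value):
            problems.append(f"invalid value for {key}: {value!r}")
    return problems


def run_gate(findings, config, fail_at="high"):
    """Combined gate: passes only if both checks pass."""
    findings_ok, blocking = gate_findings(findings, fail_at)
    problems = validate_config(config)
    return findings_ok and not problems, blocking, problems


if __name__ == "__main__":
    # Constructed sample input: one blocking finding and a config with a typo
    # in "tls_min_version" plus a string where a boolean was expected.
    sample_findings = [
        Finding("sql-injection", "high", "api/orders.py:42"),
        Finding("verbose-logging", "low", "api/app.py:10"),
    ]
    sample_config = {
        "tls_min_verison": "1.2",
        "debug": "false",
        "allowed_origins": ["https://app.example"],
    }
    passed, blocking, problems = run_gate(sample_findings, sample_config)
    print("gate passed:", passed)
    for f in blocking:
        print(f"  BLOCKING [{f.severity}] {f.rule} at {f.location}")
    for p in problems:
        print("  CONFIG:", p)
```

Wiring `run_gate` into a CI job and exiting non-zero when it fails is the "insert security testing into the development process" step the article describes; the template approach means a mistyped key is rejected at build time rather than silently ignored in production.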
That all said, just because DevOps could, in theory, be advantageous to security doesn't mean that's actually the case: an October 2016 HPE survey reported that 90% of the security professionals surveyed stated that integrating application security into the development process has become more difficult since their organizations deployed DevOps.
Sherrel Roche, a senior market analyst for service research at IDC Asia-Pacific, says that although enterprises are aware of looming security threats, they continue to take a reactive approach and only work with security teams after a security breach.
"DevOps is premised on rapid cycles, and integration of security into the process is bound to add to the complexity and lengthen the cycles," says Roche.
Maybe that’s why there doesn't appear to be much of an impetus to address DevOps security issues. In a June 2016 IDC global DevOps study, only 40% of the organizations surveyed said that security was part of their DevOps practice or project planning cycle.
So the question, then, isn't whether security can win in the age of DevOps, but whether enterprises are willing to let it. And according to Roche, businesses really have to want it, and had better.
"There is bound to be natural resistance to it," Roche said. "But in the interest of building more secure applications, it is a necessary step that needs to be taken through conscious effort."