Why security in DevOps is essential to software development



Why your DevOps process should have security baked in

To minimize risks to your cloud applications, make sure your security strategy accounts for each phase of a DevOps project.

DevOps refers to the automation of an application development process. It applies agile techniques to app deployment and operations, eliminating the need for cumbersome manual processes. And since DevOps is often used to support private and public cloud platforms, security must be systemic to the DevOps process, and to the cloud applications it creates.

Securing DevOps and cloud applications is different from traditional IT security models. In the traditional model, organizations use security tools to create a perimeter around enterprise applications and data. But to ensure effective security for new cloud applications, organizations need to build security into every step of the development process, and into every part of the application. This is a fundamental change for organizations deploying DevOps -- and many don't figure it out until it's too late.

Making security systemic to cloud application development will initially cost organizations more, in terms of time and money. However, once an application security model has been established, it is easy to operate and maintain. For example, an organization could create a cloud service that provides credit check data, using an identity and access management system for verification. While creating that service with built-in security will take longer than creating a service without it, organizations recover that cost later, considering the lower risk of breach and the ability of their security system to adjust easily to new requirements.

To adopt this approach, make security a key part of each step in your DevOps process, including these five phases:

  • Continuous development
  • Continuous testing
  • Continuous integration
  • Continuous deployment
  • Continuous operations

Each of these five phases uses a set of automated tools that can move the application through the entire process to operations. The goal is to give developers the ability to make apps ready for operations on the cloud with the click of a button.

As mentioned above, security should play a key role in each of these five DevOps steps. For example, continuous development provides developers with the tools and libraries they need to design and build secure applications. Continuous testing introduces security testing into the automated application testing process, ensuring the applications provide a certain level of security. Security should also be a part of application integration and deployment.

Operations is key. Developers might build an application securely, but if they don't operate it in a proactive way, the security won't provide the needed protection -- at least not for long. For example, to provide developers with data points around trending risks, such as Internet-based attacks, organizations should establish a feedback loop, and integrate it within the DevOps process. This allows developers to react to the trends proactively, and even build additional protections into the DevOps model.
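As an added illustration of the continuous testing and continuous operations points above (example code written for this page, not from the article or any vendor tool), here is a small policy gate a pipeline can run before a build is promoted. It fails the stage when unsuppressed findings reach a severity threshold, ignores suppressions that have expired, and implements the feedback loop described above as a set of "trending" categories that the operations team feeds back to escalate matching findings. The finding format, rule ids, file paths, dates and policy values are all constructed for the example and are not the schema or output of any real scanner.

```python
"""Pipeline security gate with expiring suppressions and an operations feedback loop.

Added example for this page; all scanner findings, rule ids and policy values
below are constructed sample data, not output from a real tool.
"""
from dataclasses import dataclass, field
from datetime import date

# Ordered severity scale used by the gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_TO_NAME = {rank: name for name, rank in SEVERITY_RANK.items()}


@dataclass
class Finding:
    rule_id: str    # scanner rule id (hypothetical ids in the sample data)
    severity: str   # one of SEVERITY_RANK
    location: str   # file or dependency the finding points at
    category: str   # coarse class used by the feedback loop (e.g. "injection")


@dataclass
class Suppression:
    rule_id: str
    location: str
    expires: date   # an expired suppression must not hide a finding


@dataclass
class GatePolicy:
    phase: str                  # "test" or "deploy"
    block_at: str = "high"      # lowest severity that fails the gate
    # Categories the operations feedback loop has flagged as trending risks.
    # Findings in these categories are escalated one level before the threshold applies.
    trending: set = field(default_factory=set)


def effective_severity(finding: Finding, policy: GatePolicy) -> str:
    """Severity after the feedback-loop escalation, capped at critical."""
    rank = SEVERITY_RANK[finding.severity]
    if finding.category in policy.trending:
        rank = min(rank + 1, SEVERITY_RANK["critical"])
    return RANK_TO_NAME[rank]


def is_suppressed(finding: Finding, suppressions, today: date) -> bool:
    """A suppression applies only to the exact rule and location and only until it expires."""
    return any(
        s.rule_id == finding.rule_id and s.location == finding.location and s.expires >= today
        for s in suppressions
    )


def evaluate_gate(findings, policy: GatePolicy, suppressions=(), today=None):
    """Return (passed, blocking) where blocking lists (finding, effective_severity) pairs."""
    today = today or date.today()
    threshold = SEVERITY_RANK[policy.block_at]
    blocking = []
    for finding in findings:
        if is_suppressed(finding, suppressions, today):
            continue
        severity = effective_severity(finding, policy)
        if SEVERITY_RANK[severity] >= threshold:
            blocking.append((finding, severity))
    return (not blocking, blocking)


def run_example():
    """Run the gate for two phases over constructed findings (sample data only)."""
    findings = [
        Finding("SQLI-001", "high", "src/orders.py", "injection"),
        Finding("DEP-2020", "medium", "requirements.txt:leftpad", "vulnerable-dependency"),
        Finding("SECRET-001", "critical", "config/settings.py", "hardcoded-secret"),
        Finding("LOG-001", "low", "src/audit.py", "logging"),
    ]
    # The secret finding was suppressed, but the suppression lapsed on 2024-01-01.
    suppressions = [Suppression("SECRET-001", "config/settings.py", date(2024, 1, 1))]

    # Continuous testing: block at high; operations reported dependency CVEs as trending,
    # so the medium dependency finding is escalated to high and the expired suppression
    # no longer hides the hardcoded secret.
    test_policy = GatePolicy("test", block_at="high", trending={"vulnerable-dependency"})
    test_ok, test_blocking = evaluate_gate(findings, test_policy, suppressions, today=date(2024, 6, 1))

    # Continuous deployment: stricter threshold, evaluated while the suppression was still valid.
    deploy_policy = GatePolicy("deploy", block_at="medium")
    deploy_ok, deploy_blocking = evaluate_gate(findings, deploy_policy, suppressions, today=date(2023, 6, 1))

    return {
        "test": (test_ok, sorted(f.rule_id for f, _ in test_blocking)),
        "deploy": (deploy_ok, sorted(f.rule_id for f, _ in deploy_blocking)),
    }


if __name__ == "__main__":
    for phase, (passed, blocking) in run_example().items():
        print(f"{phase}: {'PASS' if passed else 'FAIL'} blocking={blocking}")
```

The two design choices worth copying are the expiry date on every suppression (a permanent exception quietly turns into a blind spot) and the escalation set, which is how findings from operations change what the earlier phases block without anyone rewriting scanner rules.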

If organizations properly roll out DevOps and manage their cloud platforms, their applications will be much more secure than traditional applications that run within the enterprise. This is hard for many to believe, but if you look at the successful hacks in our recent past, almost all of them involved traditional on-premises systems -- not the cloud or DevOps.

Get the most out of the DevOps process by setting up an automated system that allows you to remain proactively vigilant -- now and well into the future.
