The advantages of moving security into the DevOps lifecycle early are well-studied. For example, Puppet’s 2019 State of DevOps Report details numerous ways that both security and DevOps improve when security is integrated into DevOps earlier (AKA: Shift Left).
However, the flip side of this dynamic garners far less attention: integrating DevOps principles into security. This is easier than you may think, although it has some challenges.
The first step is to get security and DevOps on the same page (or in the same universe). Merely placing security and DevOps people in the same meetings is not going to cut it. That is primarily because these two groups speak different languages. To help bridge the gap, security must adopt the methodology, structures, and tooling of DevOps into its own process so there can be a common language and common practices between the two. Here are five steps to help accomplish that:
1. Using Development Management Tools
Tools like Jira, Trello, Asana, or ClickUp may be intended for development, but they can be easily repurposed for security tasks. The mere use of these tools will force the use of common terminology, like the word “sprint.”
2. Working in Sprints
One of the most powerful aspects of Agile is the concept of breaking down work into time-bound sprints. Working in sprints creates more frequent accountability milestones. More importantly, when DevOps and security align their sprints, they will share a commonality of timelines.
3. Codify Configurations
Apps are built by translating their requirements into code and then refining them iteratively. In turn, codifying security is a powerful step to uniting it with DevOps. It’s true that transforming security from abstract concepts to code is not an easy task, but once it is done, you can iteratively perfect it. It does, however, require the security team to hone their coding skills.
4. Perform Retrospectives
Another Agile concept that is easily fitted for security is the retrospective. Once work is complete, the team goes back and assesses their assumptions and performance. Security teams can use this to assess the effectiveness of controls, trade strategies, and identify lessons learned.
5. Automate, Automate, Automate
A key element of DevOps is automation. While initially applied to the software development life cycle, the goal is to improve overall efficiency and quality. Another way to think of this is that anything you do more than once must be automated. When we automate deployment, testing, configuration or any aspect of software delivery, we significantly improve time to delivery and reduce the opportunity for human error. This same principle applies to security. Most security deployment, configuration, enforcement, auditing, and response is repetitive. It is foolish to think any person could react with the speed and precision of today’s attackers. Security cannot merely consider automation; it must embrace it in every possible way.
But let’s be honest: security professionals have a reputation for resisting DevOps tools because they were not designed for security specifically. While it’s true that many of these techniques are intended to accelerate quality development, with a modest amount of translation they can be integrated to support security projects. The most common pushback is that security has dynamic procedures that do not conform well to Agile methodologies. The reality is it takes very little effort to adapt any security project into a DevOps framework. It is merely a matter of communication. If we all speak the same language or at least learn enough to be able to communicate well, we have a significantly increased chance of continuous success.
For example, once a technology is selected and we have agreed on our architecture for a new security tool for code scanning, the first sprint can focus exclusively on getting the software properly configured. The second sprint moves on to configuring policies. A third sprint focuses on Continuous Integration and Continuous Delivery (CI/CD). A fourth sprint revisits the configuration for the purpose of automation, utilizing the CI/CD integrations from Sprint 3. Ultimately, the scanning tool will be installed faster and with better alignment simply because we used a similar development cadence. In addition, the stage will be set to minimize any manual support required in the future. Security, in this example, integrates DevOps best practices.
The nuance of translating security to DevOps is a small price to pay for the benefits to be gained. When the application team and the security team are following the same method, they will have a mutual understanding and common discourse that will permeate both teams’ goals and operations. This accelerates decision making, reduces miscommunication, and encourages cross-team collaboration. The result is that security and DevOps form a mutually beneficial symbiotic relationship.
Because DevOps teams already work with Agile methods, the onus is on security leaders to initiate this shift. Most security professionals do not start their careers in software development. Therefore, it is likely the team will need some coaching and encouragement to stay on track. Invite DevOps teams into your house. Play in the same sandbox. In organizations that have embraced DevOps culture, you will observe an evolution wherein the DevOps and Software Development teams have effectively become one regardless of organizational structure. Security teams can achieve much the same without losing any of the essence of who they are.
Another advantage of the Agile methodology and DevOps is mutual accountability. Given the atomic nature of a sprint, at its end team members are accountable for their work to each other as well as to their superiors. This increases cooperation and transfer of knowledge, and it keeps work moving forward at a predictable pace. Moreover, this accountability comes more frequently, allowing management to identify a problem sooner. This also has the natural effect of suppressing wasteful tangential projects. Security is a complex problem, and it is easy for less experienced practitioners to become lost in the details, losing sight of the larger mission.
In high-pressure work environments where deadlines accelerate and security threats abound, we need now more than ever to understand each other. If we lack a common language, if we don’t comprehend each other’s intent, if two groups are incapable of following how the other group sees things, walls go up and trust deteriorates. A common language and structure will break those walls down, build trust, and promote collaboration. When security and DevOps unite, both teams are energized to excel.