The adoption of DevOps not only makes a company more agile but also automates processes, shortens testing times and reduces cycle times, for long-term and ongoing benefits. To achieve these benefits, proper planning must take place up front to ensure that development, operations and QA are no longer separate functional areas that simply pass information between one another and instead become teams that actively collaborate. One area that often gets neglected and excluded until late in the development process is security.
While high-level DevOps benefits are obvious – improved software quality, better customer relations and quicker speed to market – security benefits are often less obvious, especially if security is not integrated into all phases of development from the start. While decreasing the time to get a product to market benefits the business, it also means that security staff don’t have as much time as before to test for security gaps.
Traditionally, the relationship between IT and security has often been strained, given that each group has its own objectives and goals. While existing Agile development processes are flexible, their lack of structure has negative implications with regard to security, given its nebulous and harder-to-predict nature. With DevOps adoption, security must not only be included early in development but also be integrated with overall business goals throughout, ensuring it is properly addressed at all stages with more structure and predictability.
Further, DevOps changes the way security is viewed, from a process that is considered at the end of a build to one that is woven throughout development from beginning to end. This requires a shift in the thinking of development teams who are used to the more fluid approach of Agile.
With this in mind, how can a business ensure proper introduction of DevOps and the associated successes while also ensuring security remains an integrated centerpiece?
An organization must first gain support from senior company management for DevOps adoption to succeed. The optimal way to achieve this is to frame DevOps as something that solves a business problem and is thus in the best interest of the business as a whole. DevOps adoption must be pervasive throughout the organization so that staff at all levels and all departments see the company-wide mandate that senior management has approved and actively supports.
This includes the introduction and integration of security in the planning stages and throughout development with constant input from senior security staff. It also includes an understanding by senior management that security is a necessary and critical aspect of DevOps adoption. This requires a strong DevOps team leader to properly communicate and justify security-related expenses to the team and especially senior management so that the related costs are understood and supported.
DevOps adoption must also include the empowerment of staff. When implementing new technology, a common mistake is a lack of input in the planning phase from the people whose buy-in is crucial – namely all staff, and in particular security staff. Gaining the buy-in of staff in all functional areas must include approaching them early in the process to ask for their input.
There must also be assurance that DevOps adoption ultimately addresses and resolves the areas of the business that require the most work and improvement. Again, security concerns must be integrated during all phases of DevOps adoption. With security being discussed and accounted for at every stage, there is no chance the project reaches its completion only for security staff to raise red flags that the remaining DevOps groups didn’t notice earlier in the process.
By weaving security throughout DevOps adoption, the company improves its existing security processes while security becomes aligned with overall business goals, ensuring its inclusion in decision-making in all functional groups moving forward.