Is DevOps good or bad for security?

Does DevOps give you better security through agility or make development and deployment too fast to secure?

Building compliance and security checklists into the DevOps process stops the security review becoming a bottleneck at the end of the CD pipeline, as well as raising overall quality.

Security teams need “a total mind-shift” to make this work, DeMartine warns. “It’s like the fear of operations that ‘you’re going to make all those changes and you are going to break my environment that’s stuck together with chewing gum and duct tape.’ They have to overcome that fear like operations did. It’s going to be uncomfortable for them, but they’ll get benefits at the end.”

Examples from developers and operations teams of what DevOps has already improved will help that mind-shift, but Bittner cautions, “When we ask a lot of developer teams who have effective continuous integration practices how they engage with their security counterparts, they say they're not ready to have that conversation yet.”

This is ultimately part of the culture change that has to happen as part of DevOps. “The way we're all working today isn't working; it’s not the most effective way.We've set up arbitrary boundaries in orgs between operations, development and security that shouldn't really exist,” says Bittner. “It’s about getting everyone to accept that other teams aren’t the enemy; they’re ultimately trying to do the same thing – they all want the customer to be successful and have good customer experiences.”

CIOs should be prepared for how difficult a change this can be, warns Microsoft’s Miller. “The CIO is going to take heat. This change is a tough one; if you're in the old world and you have custom systems and manual testing, there are going to be problems and you’ve got to be ready. It does demand a certain amount of courage to do CD properly; you might have to rethink your leadership. You certainly have to rethink your process, you have to rethink your expectation from delivery. It's not a trivial path but the payoff is ridiculous. If you’re not doing it, you're risking your business, is the way I look at it now.”

Or as Russinovich somewhat more bluntly puts it, “Devops is coming; it has to have security. Just deal with it.”

Show Comments