When speed met security they got on very well…why it’s time for the notoriously incompatible DevOps and SecOps to find common ground

by Bill Madell, Senior Systems Engineer at Venafi


The DevOps model has caused headaches aplenty for high-tech security professionals in the past but, as uptake of the Agile-inspired methodology accelerates, cooperating to achieve a common end has become an imperative.

The fact that we’re in the era of DevOps would be unlikely to come as a surprise to any Australian organisation which has information technology projects in train.

Respected high-tech research house Forrester declared it would be so back in 2017, when it dubbed that year ‘the Year of DevOps’ and predicted 2018 would become ‘the Year of Enterprise DevOps’.

Globally, half of all organisations say they now have teams that are fully immersed in DevOps practices – the culture and processes which enable developers to produce and refine high quality software exponentially faster than they were able to do using traditional methods – and local enterprises are embracing the model.

Gartner has tipped public cloud spending will hit $6.5 billion in Australia this year, as enterprises continue to migrate core systems from resource-intensive in-house data centres to third-party, as-a-service infrastructure. Mass adoption of DevOps is a logical sequel, given the methodology is so compatible with the ‘suck it and see’ approach to software the cloud model makes possible.

The great speed vs safety showdown

There’s lots to like about the DevOps model, most notably quick results and ever-quicker roll-outs, in an era when being slow to innovate can put businesses of all stripes at serious disadvantage to the competition.

Unless you’re a security professional, who’s charged with preventing and mitigating cyber incidents and accidents, in an era of rising risks and increasingly serious consequences.

In today’s digitally driven economy, major data breaches have become an unremarkable occurrence. This year alone, in Australia, we’ve seen organisations including Revenue NSW, the Australian Catholic University, Princess Polly, Canva and Australia Post reveal their systems have been compromised. The threat has never been greater and the stakes have never been higher.

In addition to economic losses and damage to reputation, punitive privacy regimes at home and abroad can see organisations slapped with sizeable penalties, should they fail to prevent and remediate serious data breaches appropriately.

Following changes to the Privacy Act in February 2018, the Office of the Australian Information Commissioner, Australia’s privacy watchdog, now has the power to impose fines of up to $1.8 million on organisations which fail to deal with serious data breaches appropriately.

Against this backdrop, it’s understandable DevOps is viewed with a degree of caution or suspicion by security teams. The speed of launch which is one of its chief virtues from a commercial perspective is its greatest flaw, when the model is viewed through a risk reduction lens.

Protecting the enterprise from hackers and cyber-criminals calls for rigorous testing of new services and applications and that’s a Sisyphean task for security professionals if they’re dealing with a team of developers whose job it is to iterate on the fly.

Breaching the divide – automatically

Speed and safety will remain incompatible bedfellows, unless the divide can be breached in a way that satisfies both parties. It can’t be by reversion to old ways of working, not now developers and the enterprises which employ them have had a taste of the flexibility and cost savings the DevOps model affords.

Finding a way to retain the agility while eliminating the vulnerabilities can only be achieved by speeding up security so it’s operating apace with the DevOps process, not trailing in its wake.

Automation of the testing and deployment processes can enable this to happen. Fast, reliable and easy to verify, it can free security staff up to review and eliminate vulnerabilities at a pace that won’t see developers having to cool their heels while it occurs.

Automating the process of obtaining SSL certificates, for example, can eliminate a perennial vulnerability, without impacting the speed of the DevOps process. That’s a win-win for the coders and security pros – and for their employer, which can henceforth enjoy the best of both worlds.
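One concrete shape that certificate automation takes in a pipeline is a renewal gate: a step that parses the certificate a service is about to ship with, works out how much validity is left, and refuses to proceed (or triggers issuance) when the remaining window is too short. The Go program below is an added illustration, not code from the article or from Venafi; it generates a throwaway self-signed certificate as constructed sample input (the host name `example.internal` and the 30-day renewal window are assumptions) and applies the gate to it at several points in time, including after expiry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalDecision is what an automated pipeline step records about a certificate.
type RenewalDecision struct {
	Subject    string
	NotAfter   time.Time
	DaysLeft   int  // whole days of validity remaining; negative once expired
	NeedsRenew bool // true when inside the renewal window or already expired
}

// ParsePEMCertificate decodes the first CERTIFICATE block in pemData.
func ParsePEMCertificate(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckRenewal decides at time now whether cert should be renewed, given a
// renewal window in days. An expired certificate is always flagged.
func CheckRenewal(cert *x509.Certificate, now time.Time, windowDays int) RenewalDecision {
	remaining := cert.NotAfter.Sub(now)
	return RenewalDecision{
		Subject:    cert.Subject.CommonName,
		NotAfter:   cert.NotAfter,
		DaysLeft:   int(remaining.Hours() / 24),
		NeedsRenew: remaining < time.Duration(windowDays)*24*time.Hour,
	}
}

// NewSelfSignedPEM builds a constructed, throwaway self-signed certificate valid
// from notBefore for validDays. It stands in for a certificate fetched from a
// server or a secrets store; no real CA is involved.
func NewSelfSignedPEM(commonName string, notBefore time.Time, validDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // assumed issue date
	pemData, err := NewSelfSignedPEM("example.internal", issued, 90)
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCertificate(pemData)
	if err != nil {
		panic(err)
	}
	// Run the gate on the day of issue, 70 days in, and 5 days past expiry.
	for _, now := range []time.Time{issued, issued.AddDate(0, 0, 70), issued.AddDate(0, 0, 95)} {
		d := CheckRenewal(cert, now, 30)
		fmt.Printf("%s: %d days left, renew=%v\n", d.Subject, d.DaysLeft, d.NeedsRenew)
	}
}
```

In a real pipeline the `NeedsRenew` result is what a job would act on automatically, requesting a fresh certificate from the organisation's issuer rather than waiting for someone to notice an expiry notice. The window is deliberately larger than the issuance turnaround so that the renewal happens well before the old certificate lapses.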

Time to act

As DevOps continues to become the dominant modus operandi for Australian developers, the need to achieve security at speed will become increasingly apparent. Enterprises neglect this issue at their peril. Without stringent measures in place, rapid deployment of new systems could result in a proliferation of vulnerabilities, ripe for exploitation by hackers and cyber-criminals.

Conversely, providing the DevOps and security teams with tools and methodologies that enable them to work safely together at speed can allow enterprises to enjoy the benefits of rapid innovation, without opening the door to unacceptable risk in the process.
