When I speak with information security organizations faced with the prospect of moving to DevOps, one of the most common fears I hear is that this transition will degrade the security of infrastructure and applications. If you’re one of these folks, I understand this fear, but you can rest assured: when you do things correctly, security will actually improve.
One big reason security benefits in this model is due to improved alignment and tighter feedback loops. You see, DevOps is about creating a unified, engaged team and doesn’t make it easy to fall into the “silo thinking” that traditionally leads to security as an afterthought.
DevOps embraces automation and consistency, which benefits security by allowing you to add automated checks during coding to look for obvious security issues and flag things for human review (such as the linking of new libraries or the introduction of new third-party components that could add risk). This means you will be able to identify “areas of concern” earlier in the development process where they will be much cheaper and more timely to address. Twitter is a well-known advocate of this kind of automation, in which security checks are executed each time code is checked in and obvious security issues are presented to the developer immediately, giving them a chance to correct the problem right away and reducing the likelihood they will repeat the errors. That is a much more effective process than the delayed feedback typically associated with manual code reviews.
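To make the check-in check described above concrete, here is an added example (not code from the original post or from Twitter) of a small gate that compares the old and new versions of a Python requirements.txt-style manifest and flags newly introduced third-party components for human review; the manifest contents are constructed sample data.

```python
"""Flag newly introduced third-party dependencies for human review.

Added example: compares two versions of a requirements.txt-style manifest,
as a pre-commit hook or CI step would, and reports packages that were added,
removed or re-pinned so a reviewer can look at them before merge.
"""
import re

# name, optional [extras], version specifier, optional trailing comment
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*(#.*)?$")


def parse_manifest(text):
    """Return {normalized_name: specifier} for every requirement line."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # comments and pip options such as -r/-e are not packages
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalization
        deps[name] = m.group(3) or ""
    return deps


def diff_dependencies(old_text, new_text):
    """Classify manifest changes as added, removed or changed (re-pinned)."""
    old, new = parse_manifest(old_text), parse_manifest(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def needs_review(old_text, new_text):
    """True when a new third-party component entered the build: the case
    the post says should be flagged to a human rather than merged silently."""
    return bool(diff_dependencies(old_text, new_text)["added"])


# Constructed sample manifests, before and after a developer's change.
OLD_MANIFEST = "# before\nrequests==2.31.0\nPyYAML>=6.0   # config parsing\n"
NEW_MANIFEST = "# after\nrequests==2.32.0\npyyaml>=6.0\nnewly-added-lib   # unpinned\n"

if __name__ == "__main__":
    for kind, names in diff_dependencies(OLD_MANIFEST, NEW_MANIFEST).items():
        print(f"{kind}: {', '.join(names) or '-'}")
    if needs_review(OLD_MANIFEST, NEW_MANIFEST):
        print("New third-party component(s) detected: hold for human review")
```

The same pattern applies to any other manifest format (package.json, go.mod, a Gemfile); only `parse_manifest` changes.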
Security isn’t just better in the “Dev” portion of DevOps – you can also add automated configuration validation and scope checking into the environment build process to minimize the chance that a fat-fingered error or an out-of-policy change will introduce problems into production.
This sort of automated approach also improves as you learn from retrospectives and post-incident reviews. As you encounter preventable issues, you can often improve your automated checks to increase the odds of catching these issues before they impact production.
Remember that security is an important stakeholder in the DevOps process, and the onus is on you to become a part of the conversation and find ways to add value to the goal of the organization. Also, don’t forget to tap into the community of DevOps practitioners – others have walked this path before you and can help you in your journey.
Finally, if there are specific security challenges related to DevOps that are vexing you (myths you would like to see busted) I’d love to hear from you. Leave a comment below and become part of the conversation.