DevOps has become so popular as a development approach that adoption rates grew by 70% from 2017 to 2018. The methodology offers a number of advantages to a wide range of businesses and organizations across sectors, including faster development cycles and more iterations. However, the agile nature of DevOps comes with its own challenges.
Security is often seen as one of the main challenges to overcome within DevOps. Development teams that adopt DevOps sometimes find themselves at odds with security teams. Typical questions arise about whether DevOps can produce secure and reliable code and apps: can security really be part of such a rapid development cycle, or does it get overlooked?
The Case for Integration
One of DevOps’ primary goals is to help businesses shorten development cycles while improving quality throughout the process. Continuous integration and continuous delivery (CI/CD) are not designed for the usual waterfall-like approach to security testing. The aim is to make small, quality code integrations rather than integrating everything in one fell swoop and risking mass deployment issues that require huge amounts of firefighting.
In fact, doing it the old way—adding security testing as a step at the end of every cycle—is no longer efficient and does not work well with CI/CD. Security testing then becomes a bottleneck in a DevOps development environment. So how can we maintain the security of our apps without falling back on our old ways?
The answer is integration. The security team needs to be involved in the CI/CD workflow from the beginning. It may be difficult to test for security in the first iteration, but subsequent cycles should become much easier to manage. More importantly, security testing and policy reviews can run alongside app development and automated testing throughout the pipeline, as DevOps encourages.
Adding Cloud Security Parameters to Testing
Automated and streamlined testing is a big part of the DevOps methodology, on the premise that testing in production is harder and often more complex than testing in pre-production. The DevOps Handbook devotes a large number of pages to establishing best practices in pre-production that improve quality as part of the process and reduce the constraints imposed by approval steps. Iterations don’t have to be completely finished before they are tested for errors and faults. This is one of the reasons teams implementing DevOps reach higher performance levels, with 46x more frequent software deployments than competitors and 440x faster lead time for changes.
Cloud security testing, on the other hand, takes longer: a comprehensive application security testing (AST) routine can take weeks to complete. Rather than running AST in one go at the end of the development cycle, it is better to automate it.
Divide security testing into smaller chunks and deliver more secure code from the beginning. Adding security standards and parameters to the automated testing workflow also allows the security team to keep the app secure without waiting for breaches to happen.
With the standards in place, the main purpose of security testing is checking for security policy violations. The tests can also be configured to look for, and discover, vulnerabilities early in the development process, producing a more secure development model.
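As an added illustration of a policy check that runs inside the automated test stage (this is example code written for this page, not Ibexlabs’ code or any tool the article names), the script below acts as a small CI gate over a dependency manifest: it enforces a few security standards (every dependency pinned to an exact version, a minimum version for a package the security team cares about, and a deny list) and fails the job on any violation. The policy, the package names and the versions are all constructed for the example and do not refer to real packages or advisories.

```python
"""Added example, not from the original article or from Ibexlabs: a small
security policy gate that a CI job could run against a dependency manifest on
every push, so that policy violations are caught in the pipeline rather than
in an end-of-cycle audit. The policy rules, package names and versions below
are constructed for illustration and do not refer to real advisories."""
import re
from dataclasses import dataclass

# Constructed policy (hypothetical packages, not a real advisory feed).
POLICY = {
    "require_pinned": True,                   # every dependency must use ==
    "min_versions": {"examplelib": "2.1.0"},  # floor set by the security team
    "denied": {"legacy-crypto-toolkit"},      # packages banned outright
}

# Constructed sample manifest in pip requirements syntax.
SAMPLE_MANIFEST = """\
httpwrap==3.2.0
examplelib>=1.0          # floating lower bound, below the policy minimum
legacy-crypto-toolkit==0.9.1
configparse-plus         # no version at all
"""

# name, optional operator, optional version; two-character operators listed first
REQ_LINE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?$")


@dataclass(frozen=True)
class Violation:
    package: str
    rule: str
    detail: str


def parse_version(text):
    """Turn '2.1.0' or '1.0' into a comparable 3-tuple; non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def check_manifest(manifest, policy):
    """Return every policy violation found in the manifest, in file order."""
    violations = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            # Fail closed: a line the gate cannot interpret is itself a finding.
            violations.append(Violation(line, "unparseable", "could not interpret requirement"))
            continue
        name, op, version = match.group(1).lower(), match.group(2), match.group(3)

        if name in policy["denied"]:
            violations.append(Violation(name, "denied", "package is on the deny list"))
            continue
        if policy["require_pinned"] and op != "==":
            violations.append(Violation(name, "unpinned", f"spec '{line}' does not pin an exact version"))
        floor = policy["min_versions"].get(name)
        if floor and version and parse_version(version) < parse_version(floor):
            violations.append(Violation(name, "min_version", f"{version} is below required {floor}"))
    return violations


def gate(manifest, policy):
    """CI entry point: True when the manifest passes, False (after reporting) otherwise."""
    violations = check_manifest(manifest, policy)
    for v in violations:
        print(f"POLICY VIOLATION [{v.rule}] {v.package}: {v.detail}")
    return not violations


if __name__ == "__main__":
    import sys
    sys.exit(0 if gate(SAMPLE_MANIFEST, POLICY) else 1)
```

Run as a pipeline step, a non-zero exit blocks the merge, so the violation is fixed in the same iteration that introduced it instead of surfacing weeks later in a full AST pass. The gate fails closed on lines it cannot parse, and in a real pipeline the `POLICY` dictionary would be generated from the security team’s own standards or advisory data rather than hard-coded.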
Testing on the Fly
The CI/CD workflow allows new code and iterations to be deployed rapidly. The development team focuses on a small set of features or improvements in every development cycle, allowing them to be more agile when faced with challenges. DevOps is simple by nature, which is why it works so well as a development method.
Having the cybersecurity team as part of the CI/CD workflow is a fantastic start in combining dev, ops, and security into one rapid deployment unit. The entire organization can focus on smaller iterations designed to deliver more value to users, which is good for business too. However, that doesn’t mean security testing can only happen within the CI/CD workflow.
With every new iteration added to the production server, security testing can happen on the fly and more continuously. Rather than only checking the code before every release, the security team can continuously test the running app or service once it is in production. Combined with AST, continuous security review is better at preventing bigger issues.
When a package is found to be insecure after deployment, for instance, the security team can act quickly and suggest the necessary changes directly to the development team. Since both teams are part of the DevOps environment, those changes can be committed just as quickly. In the worst case, an insecure package can be rolled back temporarily as well.
The Era of DevSecOps
The approach discussed in this article is being developed and implemented in more and more organizations. Development and security teams share one goal, delivering value to users, so there is no reason the two cannot work closely together to achieve it.
DevSecOps could be the next big thing in tech and in our development landscape. Compliance and security policies will soon be firmly embedded in development best practices. A more consistent security and development process can be crafted, allowing each iteration to be more mature and secure before it is deployed.
Another major benefit of the methodology is that all work in the DevOps pipeline is visual, ticketed and hence highly traceable, which means DevSecOps isn’t a far-fetched idea at all. Adding security as a key component of the development process will only make this approach more powerful and effective than ever.
To read more about DevOps best practices, check out our article: DevOps Methodology and Best Practices to Optimize Your IT Value Stream.
Ibexlabs is an experienced DevOps and Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and makes recommendations based on your individual business or personal requirements. Contact us today to set up a free consultation and discuss a custom-built solution tailored just for you.