CYBER SECURITY + DEVOPS = TRUE LOVE

2016 has seen increased digitalization fuelling the DevOps shift in earnest, but at the same time the challenges are becoming increasingly clear, particularly for those of us who are security experts. How do we make sure we don’t get left behind in the rapid pace of developments?

2016 feels a bit like the year we began to see a serious shift towards DevOps – strategies aimed at bringing software development and IT operations closer together. I think Gartner’s prediction was right on the money when they said 25 percent of all global IT companies would implement this shift in 2016. And when you think about it, it’s not all that strange. If there’s anything that sparks people’s interest, it’s concepts that involve making products faster, or shortening the time to market.

Now that IT companies are finally starting to use DevOps strategies and even beginning to adapt to the culture that DevOps represents, the challenges are coming to the fore. One such challenge is how those of us working with cyber security should adapt our approach. What tools do we need to have to hand in order to actually keep up with the rapid pace of developments?

As an IT security specialist, I was initially sceptical about the whole DevOps movement and felt that upping the tempo would basically mean we’d be left behind. After all, security tends to be something people barely have time for as it is – what would it turn into? But over time I’ve begun to view it as a major opportunity to change the way we work with security and make it more effective.

Are you the kind of person who’s been saying for years that “security has to be in place right from the start”, but never really managed to get it to turn out that way? Then the shift to DevOps might just be your chance to shine. One of the benefits of DevOps is that the functional input of all stakeholders is taken on board at an earlier stage (including information security of course), to then be managed in an automated way. This guarantees predictable and short release cycles.

Unfortunately, this is not a way of working that many of us are used to. But I believe an integral approach in the development process is absolutely essential. In order to facilitate cooperation, I usually encourage everyone involved – with responsibility for security, development, administration, quality and testing – to use the same kinds of tools and processes as much as possible.

The shift to DevOps doesn’t just mean a seamless way of integrating into the development process. If security specialists also embrace the same tools and automate in the same way as others, we will not only be able to incorporate simple tasks into software but also introduce more controls during the development process.

It could involve including our code analysis tools and controls in the development process and getting more secure code as a result: code that ultimately reaches the production environment. We can continually subject code and systems to automated attacks during the development phase, allowing problems to be identified much earlier on in the process instead of at that final testing stage prior to commissioning.

At the end of the day, DevOps and the increased automation that comes with it enable me to focus on the bigger and more complex issues – and that’s where security experts can be most useful.