It’s crucial to mesh security testing into early stages of DevOps projects
Teams must create safer software to meet consumer demand for faster, cheaper applications
By Byron Acohido, ThirdCertainty
What is “DevOps” and what does it have to do with making internet commerce more secure?
Simply put, DevOps is a methodology for speeding up the process of developing business software and IT systems. It involves promoting proactive communication and collaboration between traditionally polar parts of a company’s tech staff: software developers and the IT operations team.
The DevOps movement began to coalesce about seven or eight years ago. It is no small coincidence that, over that span of time, momentous advances have been made in how companies use cloud computing. What’s more, a giant door has opened to the Internet of Things.
This all adds up to added complexity—complexity that can boost productivity and accelerate innovation to be sure. But this complexity also has translated into countless new vectors for hackers to plunder already porous business networks.
Meanwhile, the vast majority of organizations remain at a loss as to how best to address fresh exposures spinning out of the seemingly never-ending onslaught of added systems complexity.
Changing the process
A cadre of software vendors and security experts believe weaving security testing into DevOps could be the answer. One of them is John Dickson, principal at the Denim Group, whom I met with at RSA 2017, the giant cybersecurity conference that took place last month in San Francisco.
Dickson is a leading proponent of taking a DevOps approach to designing and implementing the next generation of business networks.
“DevOps is a way to build and deploy play systems and software that make it much more standardized and faster. It allows for organizations to essentially architect the way that they build and deploy things and do it in an incredible scale,” Dickson says.
The problem, he says, is that it is standard practice for security testing of any new business application or IT system to be pushed to the very end of the software development cycle, just before actual deployment.
But now a few companies in the vanguard—mainly in the tech and entertainment industries—have begun to pull in security testing near the beginning of a DevOps project.
“What we’re seeing now, as part of DevOps, is security testing pushed much earlier—to the left of the development cycle,” Dickson says. At the end of each day, security testing gets added to quality assurance testing and dependency checks, he says.
It’s early, Dickson says. Financial services companies are evaluating the integration of security testing into DevOps. “They are a little more methodical just because of their compliance and regulatory scrutiny,” he says.
It’s clear that use of DevOps to develop cutting-edge business systems will grow. It is a sure path to responding to consumer demand for faster and cheaper applications. Dickson and other security experts contend it makes good business sense to bake in security, as well. Listen to his full argument in the accompanying podcast.