It’s crucial to mesh security testing into early stages of DevOps projects

Teams must create safer software to meet consumer demand for faster, cheaper applications

 

What is “DevOps” and what does it have to do with making internet commerce more secure?

Simply put, DevOps is a methodology for speeding up the process of developing business software and IT systems. It involves promoting proactive communication and collaboration between traditionally polar parts of a company’s tech staff: software developers and the IT operations team.


The DevOps movement began to coalesce about seven or eight years ago. It is no small coincidence that, over that span of time, momentous advances have been made in how companies use cloud computing. What’s more, a giant door has opened to the Internet of Things.

This all adds up to added complexity—complexity that can boost productivity and accelerate innovation to be sure. But this complexity also has translated into countless new vectors for hackers to plunder already porous business networks.

Meanwhile, the vast majority of organizations remain at a loss as to how best to address fresh exposures spinning out of the seemingly never-ending onslaught of added systems complexity.

Changing the process


A cadre of software vendors and security experts believe weaving security testing into DevOps could be the answer. One of them is John Dickson, principal at the Denim Group, whom I met with at RSA 2017, the giant cybersecurity conference that took place last month in San Francisco.

Dickson is a leading proponent of taking a DevOps approach to designing and implementing the next generation of business networks.

“DevOps is a way to build and deploy play systems and software that make it much more standardized and faster. It allows for organizations to essentially architect the way that they build and deploy things and do it in an incredible scale,” Dickson says.

The problem, he says, is that it is standard practice for security testing of any new business application or IT system to be pushed to the very end of the software development cycle, just before actual deployment.

Paradigm shift

But now a few companies in the vanguard—mainly in the tech and entertainment industries—have begun to pull in security testing near the beginning of a DevOps project.

“What we’re seeing now, as part of DevOps, is security testing pushed much earlier—to the left of the development cycle,” Dickson says. At the end of each day, security testing gets added to quality assurance testing and dependency checks, he says.

It’s early, Dickson says. Financial services companies are evaluating the integration of security testing into DevOps. “They are a little more methodical just because of their compliance and regulatory scrutiny,” he says.

It’s clear that use of DevOps to develop cutting-edge business systems will grow. It is a sure path to responding to consumer demand for faster and cheaper applications. Dickson and other security experts contend it makes good business sense to bake in security, as well. Listen to his full argument in the accompanying podcast.
