DevOps (a blend of “development” and “operations”) is an approach to software development that has been getting a lot of traction lately. A detailed description of its meaning is not a goal of this article, but in a nutshell, it boils down to greatly emphasized coordination and collaboration between teams responsible for different aspects of the development process (namely, development per se, product management and operations).
If you think about it, this approach is natural in a tech environment that gets more unstable and changeable every day. Yet DevOps, like any other innovation emphasizing openness and integration, is often criticized for its perceived lack of security. As we are about to see, the idea that the introduction of DevOps means the death of information security is either a gross exaggeration or an outright myth. Let’s see why.
DevOps Doesn’t Rely Fully on Automation
Although automation tools like Puppet and Chef play an important role in DevOps, it doesn’t mean that companies using this approach fully forgo the use of dedicated security specialists. On the contrary, such experts are an integral part of the process because automation tools, although excellent for making application deployment and configuration much easier, are not capable of providing the same level of analysis as a full-fledged security expert.
DevOps Allows for Earlier Introduction of Security
Using DevOps automation tools and approaches, the security team will be able to introduce security earlier in the development process, eliminate the need for later corrections and revisions and, in general, improve the security qualities of the code that gets into production. When security specialists work in close cooperation with all the other teams, they can offer suggestions concerning their part of the job while the code is in its early stages and it is still easy to make security an integral part of the whole rather than a later addition, as is usually done.
DevOps Provides Cross-Functional Integration
Using DevOps allows the team to introduce code analysis tools early in the development process so that the necessary changes are made on the go and not after deployment, thus decreasing the overall production time and improving the code’s security at early stages.
Automation Allows for Early Exposure of Potential Vulnerabilities
The security team can subject early versions of the code to automated attacks to find potential weaknesses. If these attacks are successful, the vulnerabilities can be removed at the pre-production stage, when it is much easier to introduce changes to the code.
DevOps Gives an Opportunity for Continuous Testing
Normally security does not work as a part of an app; it is rather bolted on after the rest of the work is done, which often creates the need for workarounds: suboptimal choices that are introduced because it is too costly and time-consuming to change the rest of the code at this stage. When security teams work in conjunction with the rest of the developers from the get-go, they can continuously and automatically test the production environment for weaknesses, decreasing the chances of those weaknesses getting into production code.
As you may see, far from being a security risk, DevOps, when fully embraced, dramatically increases the likelihood of the final product withstanding attacks. It doesn’t simply streamline and speed up development, but improves the security and stability of the final product and makes it less likely to need alterations and revisions later on. In fact, it is exactly what security specialists have needed for a long time. By refusing to implement it, one refuses to embrace progress, and in the software development industry this kind of behavior borders on suicidal.