Nearly 1,200 security professionals recently attended the DevOps Connect: DevSecOps Day at the 2018 RSA Conference at San Francisco’s Moscone Center.
Now in its fourth year, DevSecOps Day featured presentations and panel discussions on the role of security in the world of DevOps. DevOps thought leaders, security experts, and vendors shared success stories, insights, and challenges they faced in their journeys to implement secure DevOps practices.
The common theme throughout the day was that security is becoming everyone’s responsibility. The security teams are starting to get more involved in the development processes while developers are starting to integrate security directly in their code. This theme, or variations of it, were echoed throughout most discussions, demonstrating a shift we are seeing in the market.
Here are a few of my key takeaways from the DevSecOps Day sessions.
Start small and focus on fundamentals
One reason there is so much friction as organizations try to secure DevOps processes is that security tools and requirements often slow down the speed of development. The efforts of security teams to enforce compliance and protect organizations from threats often negatively impact the ability for developers to deliver on business goals and objectives.
For example, the speed of deployments can decrease dramatically as the application security team introduces more rigorous security tests. On the flip side, developer teams prioritizing functional requirements and operational efficiency over security while building applications leave organizations exposed to risk. Finding the right balance between security and development performance is, therefore, the challenge many organizations face as they move towards secure DevOps.
A good approach to find this balance is to start with small teams and focus on security fundamentals. Security implications should be considered from the onset, starting with the tool selection and configuration phase, and continuing throughout the application design and development phases. When security is built-in from the beginning, the development and operations teams can focus on delivering high-quality software and helping organizations achieve business objectives instead of remediating security issues.
This level of DevOps process maturity requires considerable collaboration between security and development teams, which is why starting with small teams consisting of people who understand security and DevOps processes is important. Once the right balance is achieved and security tools and processes align with the speed of DevOps, the concept of secure DevOps can be expanded to the broader organization.
Automation is your friend
Automation makes organizations more efficient and effective. One of the main objectives of DevOps automation is to ensure that feedback is rapidly available throughout the development cycle. The sooner the feedback is available to development, operations, and security teams the quicker a corrective action can be taken.
Most of the discussion on automation at the DevSecOps Day centered around security controls, testing, and code deployments. What stood out to me was a notion that automation can sometimes help with adoption of secure DevOps processes.
Incorporating security measures when developing code adds time and effort to release cycles. However, organizations can reduce the overall development cycle time by automating their security testing and deployment processes. Automation also helps surface security issues sooner, further reducing the rework and the effort needed to deploy code in production. Therefore, organizations can achieve both the reduced time to market and more secure DevOps processes by introducing security along with automation.
Implement Security as Code
Most of the organizations moving towards DevOps practices are familiar with the concept of Infrastructure as Code. The ability to codify infrastructure allows companies to apply development best practices to infrastructure management, including tracking versions and changes, performing testing prior to deployments, and enabling collaboration between developers and operations around infrastructure configuration and provisioning.
Security as Code takes a similar approach to managing security controls. Developers codify their infrastructure or deployment specifications, and the security team checks them for potential security issues or conflicts with security policies. This allows developers to rapidly deploy applications while ensuring that the underlying infrastructure meets the security requirements. The Security as Code method ensures that infrastructure security is validated before any code is written. As an added benefit, it also facilitates a tighter collaboration between the development and security teams which moves companies further towards mature, secure DevOps practices.
The DevSecOps day at RSA proved not only that security is a topic that DevOps community already takes seriously, but also that it will continue to take center stage as more companies transition to DevOps.
To help companies during this transition, Centrify announced a set of solutions that centralize and automate access controls to developer toolchains and underlying infrastructure, enhance application security, and enable logging and auditing of privileged activity. These solutions are based on Centrify Zero Trust Security through the power of Next-Gen Access, which combines Identity-as-a-Service (IDaaS), Enterprise Mobility Management (EMM) and Privileged Access Management (PAM) to protect DevOps environments.
To learn more about how Centrify is securing DevOps with Zero Trust Security, visit https://www.centrify.com/solutions/secure-devops/.