Bridging the gap: Can DevOps help embed security into app development?

DevOps is designed to bring developers and operations more closely together. Ahead of Cyber Security Live later this month, Nic Fearn asks: can it encompass security as well?

In recent years, DevOps has fundamentally transformed the way IT departments develop and maintain software.

Unlike more traditional approaches, such as Waterfall, DevOps is intended to bridge the gap between development and operations teams to help organisations develop, test and release applications more reliably and quickly.

Don't miss 'Continuous Compliance in the Coded Enterprise', one of several practical sessions at Computing's forthcoming Cyber Security Live 2019 event on Thursday 21st November in London. Attendance is FREE to qualifying IT leaders and IT pros, so reserve your place now, before they all go.

However, while DevOps aims to bring development and operations teams closer together, it's also having a big impact on cyber security departments. By integrating security practices into the DevOps process, organisations ought to be able to identify and mitigate vulnerabilities much sooner.

As a result, security is introduced earlier in the development of applications and everyone assumes responsibility for this. To integrate security into DevOps effectively, organisations must be prepared to adopt new practices and principles into their everyday working routine.


A cultural shift

For many organisations, DevOps is a completely new way of working. IT departments are traditionally used to functioning in silos, while DevOps aims to bring teams closer together. Gemma Allen, cloud security solutions architect at Barracuda Networks, says this can be a double-edged sword for cyber security professionals.

"On the positive side, security can now be tightly integrated from the very beginning of a project/solution by removing gaps that enter during handovers between teams, improving efficiency and reducing costs," she says. "The biggest negative could be considered the challenge of the cultural shift required within organisations to be able to take advantage of the flexibility of DevOps and foster the collaboration that makes DevOps so beneficial."

When it comes to integrating security into DevOps, Allen says it becomes easier for organisations to spot and mitigate vulnerabilities. But there are other benefits too. She tells Computing: "Traditionally, developers build the solution, operations implement it and then security review and advise the other teams on what needs to change.

"This process not only leaves security gaps that don't get addressed until towards the end of a project, but can create conflict (and costs) as solutions get redesigned for security near the end of the cycle. By having security resources involved from the beginning, not only can security be tested while the solution develops (increased efficiency) but costs can be reduced as security is not enforcing late redevelopment or manual processes."

Integrating security into DevOps

Where do organisations start, though? The first step, according to Allen, should be getting security and development teams communicating with each other about projects as early as possible. "By making each team a resource for the other's projects, they are able to build a relationship where each team can appreciate the other's responsibilities and assist each other; the whole process then becomes much more efficient," says Allen.

Adam Louca, chief technologist for security at IT infrastructure firm Softcat, agrees that close alignment between security and development teams is crucial. He takes the view that security needs to live where developers live. He explains: "This could be within a messaging platform, such as Slack, or a CI/CD pipeline, such as Azure DevOps.

"Organisations need to find technologies that integrate into their own platforms and processes to provide relevant information, highlight risks and recommend mitigation or remediation actions. While traditional cyber security teams need to be involved, they should be supporting the development function's requirements, not stipulating them."


However, not all organisations necessarily have in-house development, operations and security teams. Depending on their size, many outsource these functions. That means they need to be extra vigilant of security risks. Erik Vynckier, interim chief executive at Foresters Friendly Society, says: "We do very limited internal development (only exceptionally) and tend to use vendor software.

"We have some legacy software in use that was coded on-premise and may need to be updated from time to time but would shy away from that practice wherever we can and don't use it for new applications. The development now occurs with external software developers, i.e. no longer in-house. The security of the vendor software is always an issue considered before purchasing."

New practices and principles

The integration of security into DevOps also exposes organisations to a range of new practices and principles. Brian Chappell, director of product management at BeyondTrust, says the most important thing is putting security at the front and centre of any activity.

"Start with security, including involving the security teams early, rather than ending with it. This has to be tempered in that DevSecOps starts with a journey from low security to higher security and probably never reaches a static end, but continues to evolve while maintaining the best, appropriate security," he says.

"By baking this in early and also continuously, security is never a point-in-time activity; DevSecOps ensures that organisations are setting themselves up for cybersecurity success today, tomorrow and for the future. No more security as an afterthought, or worse still, as an after-breach concern."

Ian Heritage, cloud security architect at Trend Micro, believes that security in DevOps can be captured in three main principles: people, process and technology. "Firstly, people is the involvement and adoption of a new mindset where developers and operations take more responsibility for Security, rather than it being siloed by industry leaders who may not prioritise this," he explains.


"Secondly, process is crucial to identify where and when to apply security without inhibiting agility. And finally, technology is imperative for identifying which solutions can be used to add security gates to the application lifecycle."

He says that by adopting these principles, businesses can fundamentally shift the security conversation to deliver the intended secure by design objective. He continues: "Otherwise, if businesses were to deliver apps only as they are intended for customers, any iterative or fast changes would undoubtedly lead to problems."

Compliance-As-Code is another practice that organisations can expect when adopting DevSecOps. "By defining compliance requirements in a human-readable format, individuals can take these requirements and develop them into code that is automatically deployable," says Heritage.

"It also means that these automatic processes can be tested, monitored and reported across the full application lifecycle - both pre-runtime and runtime. This coded format allows development teams to report on compliance and exposure at any given time easily."
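As an added illustration of the compliance-as-code idea Heritage describes (this is example code written for this article, not Trend Micro's or any vendor's tooling), the block below keeps the requirements in a human-readable list, evaluates a deployment manifest against them as a pipeline gate, and produces a report that can be emitted pre-runtime on every change. The rule IDs, the manifest and the registry name are all constructed for the example.

```python
"""Compliance-as-code: readable requirements evaluated against a deployment manifest."""
import json
import sys

# Constructed sample requirements. Each rule names the setting it checks (dotted path
# into the manifest) and the value it expects; a missing setting fails, never passes.
REQUIREMENTS = [
    {"id": "CC-01", "description": "Containers must not run as root",
     "path": "securityContext.runAsNonRoot", "expect": True},
    {"id": "CC-02", "description": "Root filesystem must be read-only",
     "path": "securityContext.readOnlyRootFilesystem", "expect": True},
    {"id": "CC-03", "description": "Images must be pinned to a digest",
     "path": "image", "matches": "@sha256:"},
    {"id": "CC-04", "description": "No privileged containers",
     "path": "securityContext.privileged", "expect": False},
]

# Constructed sample manifest, as it might appear in a pull request before deployment.
MANIFEST = {
    "image": "registry.example/internal/api:1.4.2",
    "securityContext": {"runAsNonRoot": True, "privileged": False},
}

def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; None if any segment is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def evaluate(manifest, requirements):
    """Return (id, status, description) for each rule; absent settings count as FAIL."""
    results = []
    for req in requirements:
        value = lookup(manifest, req["path"])
        if "matches" in req:
            ok = isinstance(value, str) and req["matches"] in value
        else:
            ok = value == req["expect"]
        results.append((req["id"], "PASS" if ok else "FAIL", req["description"]))
    return results

def report(results):
    """Summarise results in the shape a pipeline or dashboard would consume."""
    failed = [r[0] for r in results if r[1] == "FAIL"]
    return {"compliant": not failed, "failed": failed, "total": len(results)}

if __name__ == "__main__":
    summary = report(evaluate(MANIFEST, REQUIREMENTS))
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["compliant"] else 1)  # non-zero exit blocks the pipeline stage
```

Run against the sample manifest, the gate fails on CC-02 (setting absent) and CC-03 (tag rather than digest), which is the early, automated feedback the quote describes; the same `evaluate` can be re-run against the live configuration at runtime.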

Looking ahead

As cyber security threats grow in scale and complexity, there's no doubt that DevSecOps practices and principles will continue to evolve. Heritage expects that DevSecOps will increasingly be used as a major focus for the delivery of new apps in a faster and more secure way.

"Companies who embed Security into their pipeline in an automated way will soon see the true value in delivering innovative applications to their customers. This is also where others will come unstuck, having to spend time and effort refactoring apps at great expense when security issues are identified after deployment.

"Traditional Infosec teams need to look at closing the gap by integrating with these teams more closely and work on putting the Security into DevOps rather than another team who are just a gate in the delivery pipeline."

Meera Rao, senior principal consultant at Synopsys, believes that this teamwork will only become more closely integrated. She concludes: "If security teams don't match their velocity with the DevOps teams who are setting the pace, they will find ways to reroute around security.

"Make sure you know how to integrate security within DevOps so that you can support the rapid pace of deployment and reduce risk. This requires the right choice of people, process, tools, and building the culture to make sure DevSecOps has maximum impact."

It couldn't be clearer that cyber crime is one of the biggest challenges facing businesses in today's interconnected world. With attacks growing in volume and complexity, enterprises must take security seriously, and that can only really be done when all technology teams work together and prioritise security.
