I've never been a big fan of reality TV, but I do find idea behind the UK show “I'm a celebrity…get me out of here” kind of amusing.
For those unfamiliar, the show places up to 12 B-list celebrities into a jungle setting where they compete to be crowned king or queen. Bereft of creature comforts or the trappings of fame, they survive by enduring a series of viewer voted trials – usually involving eating exotic food (think insects and spiders). Ok, it's not sophisticated, but it does raise money for charity.
In many ways the role of IT security professionals is analogous to being a contestant on this reality TV show. Think about it – they're increasingly being asked to perform a series of unpleasant tasks while operating in extreme and unfamiliar territory. Like, for example, maintaining compliance and mitigating risk in a DevOps style operation, where software is being built and deployed at dizzying rates.
At first glance, it appears that the goals of DevOps and security are at odds. Whereas DevOps calls for increasing the pace at with software is delivered, security and compliance seeks careful and deliberate oversight to ensure the business isn't opening itself up to vulnerabilities. And, with a mountain of rules and regulations to support, it's not surprising that security could easily end up being regarded as the bottleneck in any release process – killing DevOps benefits faster than you can say “continuous deployment.”
So against this “jungle' backdrop, how can security pros adapt and automate their own processes to support DevOps without the business being eaten alive from non-compliance, hacks and exposures?
I see four essential practices for security professionals:
Engage Dev and Ops as fellow Survivalists in DevOps, the aim is for shared responsibility and accountability. Therefore, security pros should seek to establish relationships with Dev and Ops teams and engage them as active stakeholders in security. This doesn't mean continually enforcing rigid and inflexible security policies, but actually working collaboratively to assign security responsibilities to the team's best positioned to act on them. For example during every application security incident, developers responsible for the actual code ‘implicated' should really be the first group called to help address the problem. After all, they're intimately familiar with the software workings, plus the lessons they learn will help harden future application security.
Show off how security enables DevOps and vice versa
As organizations increasingly embrace DevOps, there'll be many new tools and processes introduced. But as with everything new, these elements could introduce new threats and risk. Rather than see this as a problem, highly collaborative teams work proactively to identify where additional advice and controls are needed and can be applied without causing friction. For example, during development of a new mobile or IoT application, security can provide critical guidance on new threat surfaces, API governance and vulnerability testing. Remember too, however, that new toolsets in areas such as configuration management and release automation provide an opportunity for teams to bake security into the continuous delivery pipeline. This could be as simple as automatically invoking static code analysis during every application build, or providing development teams with comprehensive and fully automated security testing services that can be used repeatedly.
Shift Security processes left into the Dev undergrowth.
As with the traditional development to operations code handballing, the tendency has been to engage security very late in the development process – nothing could be worse. Too often, security teams are seen as the bottleneck police; holding up deployment with snap code audits and “slap on the wrist” compliance checks. But it needn't be this way. Now, DevOps enables security to be baked right into the development mix, right alongside parallel testing. So, as code is produced, automated tests can be invoked to continuously check compliance controls, like separation-of-duties and privileged user access - meaning security becomes established and seen as a key element driving positive and not a despised roadblock.
Recognize that Jungle survival demands special skills
As applications become more complex and the threat landscape more severe, highly skilled security specialists will become highly prized and a critical element of the well-oiled DevOps machine. Don't make the mistake of assuming that developers themselves with a smattering of web application security experience can take on the job (or will even want to), or conversely that existing security pros (more used to maintaining security in legacy applications that infrequently change) can suddenly think like an agile developer. Most likely these skills will need to be developed over time by leveraging the DevOps style collaboration. This means for example, developers inviting security to participate in user story development, stand up meetings and retrospectives. While for security it means gaining credibility with more involved understanding of modern coding practices, providing faster feedback and gaining an active voice in all security related discussions. So, when the proverbial crap hits the fan and a major security incident occurs, security teams will be listened too and their advice followed.
Unlike B-list celebrities craving attention on a pretty dumb TV show, security professionals operate in the real world jungle of risk, compliance, threats and vulnerability. And, as the pace of software development increases, security pros will increasingly need to evolve and adapt their practices according to DevOps principles.