The organizational friction between the business's need to innovate rapidly, Development's desire to execute quickly, and IT Operations' mandate to maintain reliability now has an accepted path to resolution in the practice known as DevOps. The collaboration of software developers and operations practitioners to automate software delivery and infrastructure changes enables the rapid innovation required by today's cutting-edge businesses. The historic separation of these departments, which resulted in friction and delay, is steadily being replaced culturally and programmatically by the DevOps approach. Unfortunately, one crucial department was initially left off the new team: Security.
The steady rise of malicious activity mandates a defense-in-depth approach to security, and secure code is the base on which everything else sits. Security, therefore, must be brought into the same agile collaboration with Development and Operations, lest it bring the process to a screeching halt. A new, three-way "marriage" has come about in the world of IT: DevSecOps. DevOps and Security teams actively collaborate as peers, rather than working in the traditional requestor/approver relationship.
Organizations must redefine how operations, engineering and security can be brought together to achieve unparalleled success. DevSecOps can propel forward-thinking organizations by doing something simple – fostering collaboration of seemingly contradictory teams to align their disparate goals into a singular effort.
There's a good article by Jason McKay, SVP & CTO at Logicworks, in the Spring edition of Alert Logic's Zero Day magazine that talks about the challenge that security teams face when trying to keep up with "the speed of cloud".
For many companies, the process of fully integrating security teams into faster development cycles can be a tough transition. The solution being offered up for this problem is DevSecOps. How do companies prepare for making this transition? The first step is to expose security teams to DevOps technologies and methodologies. Not surprisingly, many of the technologies that facilitate DevOps, including automation, are the same tools that will enable security teams to maintain governance without compromising speed. These tool sets - reference architectures or templates, configuration management, and deployment automation, among others - will actually give security professionals more power to control infrastructure security in the cloud than they had in a traditional environment.
For organizations that are rapidly adopting public cloud and can't afford to spend months automating templates and writing configuration management scripts, outsourcing this work is a smart solution. Outsourcing doesn't replace internal education and team building, but it provides an extra layer of "insurance" to make sure configurations and security protocols are being maintained while the environment is in flux.
According to the website DEVSECOPS.org, this is the manifesto security teams should work/live by as part of the DevSecOps movement:
Through Security as Code, we have and will learn that there is simply a better way for security practitioners to operate and contribute value with less friction. We know we must adapt our ways quickly and foster innovation to ensure data security and privacy issues are not left behind because we were too slow to change.
By developing security as code, we will strive to create awesome products and services, provide insights directly to developers, and generally favor iteration over trying to always come up with the best answer before a deployment. We will operate like developers to make security and compliance available to be consumed as services. We will unlock and unblock new paths to help others see their ideas become a reality.
We won't simply rely on scanners and reports to make code better. We will attack products and services like an outsider to help you defend what you've created. We will learn the loopholes, look for weaknesses, and we will work with you to provide remediation actions instead of long lists of problems for you to solve on your own.
We will not wait for our organizations to fall victim to mistakes and attackers. We will not settle for finding what is already known; instead, we will look for anomalies yet to be detected. We will strive to be a better partner by valuing what you value:
Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists
Whether the DevSecOps transition takes place during cloud migration planning or after friction between security and DevOps teams has already developed, it is a crucial step towards properly securing your cloud resources.