To keep up with the demands of working in the cloud – and do so securely – we need to incorporate security practices into the application development and deployment pipelines. The term “DevSecOps” describes this process. Unfortunately, the transformation to DevSecOps can lead to friction between Security and DevOps teams. The good news is that it doesn’t have to be this way. Enterprises can adopt practices that reduce conflict and help make the journey to DevSecOps successful. Purpose-built security tools can also empower DevOps teams to make this transition.
Importantly, the information and conclusions presented here are based on conversations I have had with DevOps, Security and DevSecOps leaders from the finance, retail and media industries. Those experiences have given me insight into the concerns these teams tend to have, as well as information and ideas about how they can be addressed.
Innovative products and services catering to end-user needs and preferences require applications to be deployed with great agility, frequency and scale. Consequently, development teams leverage cloud and container platforms in conjunction with a DevOps practice to meet business objectives.
Security teams, tasked with protecting customer data and apps, have a hard task under normal circumstances. The adoption of highly elastic and scalable infrastructure – frequently deploying resources from hundreds to a thousand times a day – puts a tremendous burden on security teams that are ultimately unable to meet these requirements.
DevSecOps, when done right, has the ability to inject security in a cloud native manner to provide vulnerability management, help with compliance, and offer misconfiguration and runtime protections. However, security and DevOps teams have often been at odds with each other in their efforts to achieve their respective objectives.
Both DevOps and Security teams can obtain a better understanding of the reasons that contribute to prior failed attempts at DevSecOps. Implementing certain steps can also enable a successful transition.
The term “culture” is often used to describe people, process and tools that enable organizations to accomplish business objectives. However, it has been hard for many organizations to embrace and acknowledge the cultural barrier that exists between security and DevOps teams. It is important to understand these differences before discussing their consequences. Some major differences are:
DevOps Culture |
Security Culture |
Security inhibits innovation and agility. | Does not trust DevOps to get security right. |
Security is hard to adopt. | Needs to ensure compliance and protection. |
Security is not a DevOps function. | Do as I say in order to sanction your application. |
This mismatch precipitates undesirable outcomes for the enterprise as a whole:
There is no silver bullet or switch that can be flipped to adopt a DevSecOps practice. The transformation to DevSecOps is a process of continuous improvement, not an end in itself. Improved communication, collaboration and, most importantly, empowerment can help bridge the cultural divide.
Good communication helps to put in place a process that enables security teams to clearly articulate the desired outcomes, such as full visibility into vulnerabilities, compliance failures and misconfigurations prior to applications being deployed into production. Conversely, it will help DevOps teams to recognize that it's far “cheaper” (in terms of breach and reputation) and efficient to address these issues in the CI/CD pipeline as opposed to on a running production environment. Establishing consensus and enabling a continuous process of improvement dramatically reduces the attack surface.
Better collaboration among people allows both teams to partner to converge on a strategy to minimize the attack surface. For example, security teams desire that cloud misconfigurations and critical vulnerabilities be detected and addressed when a pull request (PR) is made. DevOps teams are willing to sign up for this requirement, as it is much easier to address these issues while a feature is being developed, aided by instant feedback (with data provided as a pre-check failure in the PR), as opposed to being bolted on after deployment (far more complex to accomplish).
Empowerment through tools ensures that security teams provide DevOps teams with the right tools to take ownership for the security posture of their applications. Providing security tools for DevOps dramatically increases the willingness and ability of DevOps teams to inject security into their pipelines. For example, security needs to provide tools to:
Taking these steps is a recipe for success in the transformation to DevSecOps, wherein:
To learn more about bridging the divide between security and DevOps teams, you can watch our Cloud Native Live virtual summit on-demand.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.