The Path to Secure DevOps Initiatives: Bridging the Gap Between Security and DevOps

The growing demand for faster and more efficient software development brings DevOps to the fore, but not without disrupting the inner workings of production and security teams.

Being involved in DevOps initiatives allows infosec groups to integrate security into software development earlier and benefit the deployment process, as long as they are willing to collaborate and accommodate the cultural changes that it entails.

Employing security expertise in the continuous integration and deployment pipeline would mean proactively catching issues throughout the entire software development cycle, that is, from product inception and design to development and rollout.

In a Vanson Bourne survey commissioned by Trend Micro, a staggering majority (94%) of 1,310 information technology (IT) decision-maker respondents acknowledged that there are security risks in implementing DevOps initiatives, with the primary concerns being cyberattacks (45%), company data exposure (40%), and customer data exposure (40%).

The majority recognizes the crucial role of security in DevOps implementations. Seventy-two percent of respondents believe that minimal security involvement in the initiatives puts organizations at risk.

Despite these concerns, IT security teams still appear reluctant, given the adaptability needed to keep up with DevOps practices.

...

We found that many security teams are not fully embracing DevOps culture and initiatives.

Of the respondents, 40% believe that their security teams are not on board enough with the need for agile innovation, which is a key tenet in DevOps projects.

While 43% of the respondents that have been involved in DevOps initiatives shared that their IT security departments willingly accepted DevOps, only 46% said that they actively encouraged it.

...

With the seeming lack of support for DevOps initiatives, security teams are not often consulted.

Thirty-four percent of respondents expressed that IT security teams are not always consulted when planning DevOps initiatives in their organizations.

Even more, 54% of respondents from software development departments are less likely to say that IT security teams are always consulted.

Software development teams’ reservations about IT security’s involvement are likely due to the thinking that IT security does not actively encourage DevOps or willingly participate in such initiatives.

Nearly 40% of respondents even agreed that IT security slows down their organization’s progress in DevOps.

...

The hesitancy in involving security teams may also be due to the notion that they lack skills and tools for securing DevOps initiatives.

The lack of active participation from IT security teams could come from the respondents’ belief that most are only partly equipped (50%) and that their organization would need to hire new talent (57%).

Only 42% of respondents expressed that their organization’s IT security department is fully equipped to secure DevOps projects.

Less than half of the respondents (49%) believe that their security department has all the tools it needs to secure such initiatives.

...

Securing DevOps Initiatives by Keeping Security Teams in the Loop

The survey revealed that while the majority of IT decision-makers have concerns that their organizations could be exposed to different risks, security teams are not always involved when implementing DevOps.

A secure DevOps approach would mean bridging the gaps between how software developers and security engineers think and work. For 71% of the respondents, more involvement from security teams when planning initiatives is preferred. This would not only mean consulting with security engineers often but also equipping them with proper knowledge and tools to properly secure DevOps initiatives.

Development and security teams working together in organizations’ DevOps adoption efforts ensures proper software testing, integrated security, and operational visibility at all times. The benefits of DevOps can be pursued without sacrificing necessary security measures. After all, it is not just about efficiency but also security.

...

Trend Micro Solutions

Trend Micro helps DevOps teams to build securely, ship fast, and run anywhere. The Trend Micro™ Hybrid Cloud Security solution automates security within your organization’s DevOps processes and delivers multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via Deep Security and Deep Security Smart Check, including the scanning of container images during predeployment and at runtime. These solutions enable organizations to focus on security and compliance while still moving in the agile and adaptable world of DevOps. They also reduce the number of security tools needed with multiple security capabilities and a single dashboard to give you full visibility into leading environments like Amazon Web Services, Docker, Microsoft Azure, and VMware.
