DevOps & Security: Top 4 Myths Debunked

Featured article by Amit Ashbel, director of product marketing and cyber security evangelist at application testing company Checkmarx

In DevOps, when you’re deploying hundreds, possibly thousands, of features and bug fixes a week, security cannot afford to be an afterthought. The beautiful thing about DevOps is that it is a process that continues to get more streamlined, faster and efficient – and deployments will be that much better if they are also fully secure before release time comes.

DevOps has far surpassed just being a trend, and major tech disrupters like Facebook, Etsy, Netflix, LinkedIn and Twitter, have all jumped on the DevOps adoption train. Even with large companies leading the way, there are still plenty of naysayers who reject the idea of a secure DevOps process. We’re here to debunk some of the most common myths.

1. DevOps and Security Can’t Work Together

Many people think there is little to no room in DevOps for security – myth! There are, in fact, a number of benefits. For instance, adding security within the earliest stages of development will provide the greatest opportunity for a product to withstand attacks.

Traditionally, security teams have been seen as the outsiders, coming in to police the hard-working developers and point out mistakes. That’s been the culture up to now, and with that attitude there really is no place for security within DevOps. However, security has shifted to be viewed as everyone’s responsibility on DevOps teams, which means developers, operations and security now more evenly share the burden of security. In order to make security and DevOps teams harmonious, organizations must create a transparent and unified workflow that allow for a strong working relationship between the two departments. Engaging developers and security team members and educating them on processes that will allow for a streamlined approach to help make code safer. This shift in responsibility also allows the security team to shift from a reactive to proactive approach, helping improve security to better fit the DevOps process.

2. Older Security Tools Should Be Tossed Aside

While traditional security methods don’t always allow for the speed and automation required by DevOps, that doesn’t mean they should automatically be tossed aside. During penetration testing, for instance, it can take weeks to finalize the tester’s assessment and without consolidated results, can take upwards of a month to track down the fixes that need to be made. Pen-testing can still be incredibly valuable for ensuring military-grade security and can help build transparency and confidence with customers in your product.

Additionally, secure code reviews, are still a valuable strategy in the initial stages of development, as it requires a deep dive into the code paths to check for logical errors and flaws in the design and architecture that most automated tools can’t find.

It is not that older tools can’t work within the DevOps cycle, but it’s critical to implement security tools strategically, and at the appropriate time during the development lifecycle to ensure a smoother, and overall more successful process.

3. Security ALWAYS Slows Down Deployments

If you’re not implementing security tools in the right way, then this myth could very well be true. However, security testing within development should be designed to increase the speed and quality of each new deployment. Using an integrated approach with code analysis tools, continuous monitoring, and testing of the production environment using automation ensures quicker detection of possible bugs.

When security and automation are properly integrated into the DevOps lifecycle, the benefits speak for themselves. Automating responses to attacks against code in pre-production provides the first line of defense before even reaching production. This ultimately offers developers the luxury of lightening-speed releases and better productivity and has an overall positive impact on the businesses bottom line.

4. Adopting A DevOps Culture Is Too Hard

Anytime a new process is introduced and integrated within an organization it is to be expected that there may be some growing pains and bumps in the road. Adopting a DevOps culture that is amenable to security testing is not hard, but it does take time, education and a mutual understanding from both sides. Security should be integrated into your SDLC in a way that makes it a default part of the process. The better integrated security is into your DevOps process, the easier it will be to find and fix those bugs holding you back from deployment.

With the rising adoption of DevOps comes a great opportunity for the security industry to get better, faster, stronger and more efficient.  Building a secure foundation from the ground up is what will help make and keep you successful – and what will take security within DevOps from myth to reality.

Author Bio: Amit has been with the security community for over a decade where he has taken on multiple tasks and responsibilities, including technical positions and senior product lead positions. Amit has experience with a wide range of security solutions including network, endpoint, fraud detection, and application security. This, in addition to his familiarity with emerging threats, allows him to address multiple aspects of an organization’s security portfolio while constantly studying how organizations can adapt to the ever changing landscape. Amit speaks at high profile events and conferences such as Blackhat, Defcon, OWASP, and others.