DevSecOps: Should Your Business Wrap Security Into the DevOps Process?

By: Katie Daggett


DevSecOps, a term originally coined “DevOpsSec” by Gartner analyst Neil MacDonald in 2012, is a new approach to team productivity that combines the efforts of information security and DevOps teams to foster the most productive environment possible. At first, DevSecOps focused primarily on automating code security and testing, but it has since evolved to include more operations-centric controls.

Bringing Security Into the DevOps Process

When brought into DevOps, security practitioners have the ability to script and monitor security on a larger, more dynamic scale. Organizations can also reap the benefits when security teams incorporate the following into the DevOps process:

  • Logging;
  • Event monitoring;
  • Configuration;
  • Patch management;
  • User and privilege management;
  • Vulnerability assessment.

Further, when dynamic and static code testing is integrated into the development and promotion life cycle, it enables development and security teams to more quickly detect and fix major code flaws.

How DevSecOps Is Changing Businesses

In the past, many businesses were reluctant to bring security into the DevOps process because traditional security minimizes risk by slowing things down. Minimizing risk is valuable, but a slower process doesn’t work well for today’s fast-moving, technology-dependent businesses.

IT operations traditionally require thorough testing of every patch before deployment, yet large cloud environments such as Netflix's push hundreds, sometimes even thousands, of code changes per day. As more organizations move toward this model, security will need to find a way to adapt.

Gartner analyst David Cearley explained to TechTarget that adding security to a company’s DevOps program forces CIOs and their teams to think about security at the start of the software development process, rather than as an afterthought. The article also states that for organizations to establish a successful DevSecOps program, security will need to work alongside operations and development to embed security controls and processes throughout the DevOps process. Cearley notes that CIOs must insist on collaboration between security and DevOps teams by demanding a “unified approach for how we’re going to be able to develop, secure, operate and manage the services we’re delivering to our users.”

Does It Work?

While DevOps is in its early growth phase, security has the perfect opportunity to join the process and align its goals with operations and development to become a valuable member of the DevOps team. The key to successful implementation, however, is for security to be flexible and adapt to the faster rate of change that more organizations need as they jump into today’s cloud environment.


About The Author

Katie Daggett

Freelance Writer

Katie Daggett is owner and chief content strategist of KD Copy & Content. She is an agency-caliber copywriter with more than 15 years' experience in marketing communications and specializes in creating exceptional B2B and B2C marketing content. Katie has worked with clients big and small in a variety of industries, writing everything from direct mail...