Today, developers are coding infrastructure, which brings speed and agility to enterprises. But DevSecOps is a nonstarter without C-suite support.
Many companies are turning to new IT models to bring agility and speed to doing business. But departmental silos and security issues can easily get in the way.
The DevOps provisioning model, also known as Infrastructure as Code, enables developers to dynamically provision infrastructure -- servers, networking and storage -- through code rather than manual scripting. DevOps can bring automation to previously onerous processes and enable IT to make dynamic adjustments to suit the environment. This kind of IT provisioning model has become more critical in the era of cloud computing. While today about 40% of application workloads run in the cloud, 451 Research expects that number to increase to 60% by 2018. IT teams need to break their operational silos to get there.
Source: "Coding DevSecOps," Jason Suttie, The Sketching Scrum Master. https://sketchingscrummaster.com
Today, development and security teams may be governed by different mindsets. Development teams may speed ahead to try to deliver the infrastructure quickly, since their goal is to deliver to the business at its pace. Security teams, on the other hand, want to ensure the security and integrity of code. In turn, security professionals are often perceived as a roadblock to getting things done in an agile, cloud-driven environment.
That caution is valid, say experts; as developers use code to spin up infrastructure, they may flout best practices. “When an organization speeds up development by skipping steps meant to identify flaws,” wrote Dave Shackleford in A DevSecOps Playbook, “it exposes itself in ways that would have been unthinkable under traditional development models.”
Moreover, breaches at the application layer are in vogue. According to Verizon's Data Breach Investigations Report (DBIR), more than 40% of 2,000-plus data breaches involved compromised Web apps; indeed, apps were the primary target.
That's why security professionals are turning to DevSecOps to address the new agility required in the cloud – without leaving security by the wayside. It requires, say those who have made the transition, a radical shift in strategy and tactics.
"My journey was about changing completely how I thought about security inside an organization — that's what the public cloud did to me," said Aaron McKewan, chief security architect of New Zealand-based Xero, an accounting software company that has migrated to Amazon Web Services (AWS)-based cloud infrastructure.
To build security into the infrastructure design process up front, McKewan and his team turned to DevSecOps, which joins security teams together with DevOps teams. "Cross-functional teams are . . . how you get things done in the cloud," he said.
McKewan noted that, at Xero, security became a high-level priority given his company's move to Infrastructure as Code. Having an Infrastructure as Code model required building in security up front and everywhere. "You need multiple layers of defense: hosts, infrastructure, your networks, your ecosystem all need to be defended," McKewan emphasized.
But even if bringing teams together is more efficient in the cloud, McKewan underscored the importance of getting the executive-level sponsorship for this way of working. DevSecOps will be a nonstarter if security teams push it on their own.
"At Xero, this approach was driven from the top," said McKewan. At first, "developers didn’t want to have anything to do with what we were doing. It was decided at a much higher level," McKewan said.
"The CIO is the one in IT who can 'do something about this,'" said Gartner's David Cearley in a SearchCIO article, because all IT teams -- operations, security, applications -- report to him. "The CIO has to direct his team to say, 'If you don't work together, get another job somewhere else.'"
The journey to break silos and join teams for more secure infrastructure is going to take time, though. Today, 38% of enterprises use DevOps, and 50% will use it by the end of 2016. Adoption doesn't mean conversion, however: Nearly 90% of companies that have adopted DevOps treat it as an afterthought, according to a recent report by Gartner Inc.
McKewan said there were several lessons to be learned from Xero’s transition to the cloud.
Managing Editor, Cisco.com