Virtualization Technology News and Information
5 Things Security Can Do To Make The DevOps Team Love You

By Liran Tancman, CEO and Co-founder, Rezilion

It's no secret that DevOps and security teams are not a marriage made in heaven. This is because both have separate and distinct roles that sometimes are not aligned; that security processes are necessary is a given, but DevOps teams can view them as labor-intensive and cumbersome.

This runs counter to the agility DevOps teams rely on to bring products to market. The pressure on DevOps to get new releases out quickly is well known, and security is in many cases seen as a negative force putting the brakes on innovation.

The divide is wide, and two main problems must be addressed. First, if security is not part of the DevOps discussion, security protocols never become part of the DevOps workflow. Second, if security becomes a roadblock during rapid release cycles, the result can be rushed or missed security reviews.

No one will dispute that security must be part of the equation. In some organizations, the mantra is secure by default. But that doesn't always create harmony. Here are five tips for security professionals to keep the peace and engender some love.

Automate security

It starts with automation. When security is automated as part of the CI/CD process, it becomes easier for DevOps to get on board because policies are embedded into the pipeline.

Policy changes are also automated, reducing the chance of errors, and vulnerabilities are identified earlier. Because DevOps teams are already familiar with using automated tools, they are likely to more readily accept something that will integrate with their existing processes.

Momentum is growing for DevSecOps, a principle that integrates development, security and operations at every stage of a product's life cycle. This way, security and reliability issues are tackled more quickly and more efficiently.

This results in the best of both worlds: automated tools help achieve continuous deployments on time and within the allotted budget, while reducing human error and providing visibility into potential vulnerabilities.

Keep speed in mind

As mentioned earlier, the primary objective of DevOps is to deliver products to market. They want to get new releases out quickly, and security is often seen as a roadblock to those efforts because security findings require bug fixes. This severely hinders release velocity.

That's why it's critical for security to work with tools that can minimize that patching backlog. Which vulnerabilities are truly exploitable, and which (to the joy of your Dev team) are not loaded into memory, pose no risk and require no patch?

Work with them to keep to the quick release schedules they desire by investing in the tools that keep patching to a minimum. This "work together" mindset on bug fixes brings me to my next point.
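The two preceding sections describe a pipeline that embeds security policy automatically and a triage that blocks only on findings that matter at runtime. The following is an added example, not code from the article or from any Rezilion product: a small CI gate in Python that reads a scanner report (assumed here to be JSON lines with `id`, `package` and `severity` fields, a constructed format) together with the set of packages a runtime observation reported as loaded (also constructed), and fails the build only on findings that are both at or above the policy's severity threshold and present in a loaded package. Findings that are severe but never loaded are deferred rather than dropped, an unknown severity fails closed, and if no runtime observation is available at all the loaded filter is disabled so every severe finding blocks.

```python
import json
import sys
from dataclasses import dataclass

# Severity ordering used by the policy. Anything the scanner emits that is not
# listed here is treated as unknown and fails closed (see triage()).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    block_at: str = "high"       # findings at or above this severity block the build
    require_loaded: bool = True  # only block on packages observed loaded at runtime


def parse_scan_report(text: str) -> list[dict]:
    """Parse scanner output given as JSON lines (assumed format): one finding per line.
    Blank lines are skipped; a malformed or incomplete line raises, so the gate
    never passes silently on a truncated report."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        obj = json.loads(line)
        for key in ("id", "package", "severity"):
            if key not in obj:
                raise ValueError(f"line {lineno}: finding missing '{key}'")
        findings.append(obj)
    return findings


def triage(findings: list[dict], loaded: set[str], policy: Policy):
    """Split findings into (must_fix, deferred, informational).

    deferred = severe enough to matter, but the vulnerable package was never
    loaded in the observed runtime, so it is tracked instead of blocking.
    With no runtime observation at all, the filter is disabled and every severe
    finding blocks: fail closed rather than assume the code is unreachable."""
    threshold = SEVERITY_RANK[policy.block_at]
    use_loaded = policy.require_loaded and bool(loaded)
    must_fix, deferred, informational = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(str(f["severity"]).lower())
        if rank is None:
            must_fix.append(f)          # unknown severity: do not guess, block
        elif rank < threshold:
            informational.append(f)
        elif use_loaded and f["package"] not in loaded:
            deferred.append(f)
        else:
            must_fix.append(f)
    return must_fix, deferred, informational


def gate(findings: list[dict], loaded: set[str], policy: Policy) -> int:
    """Exit code for the CI step: 0 lets the release through, 1 fails the build."""
    must_fix, deferred, informational = triage(findings, loaded, policy)
    for f in must_fix:
        print(f"BLOCK  {f['id']:<10} {f['package']:<12} {f['severity']}")
    for f in deferred:
        print(f"DEFER  {f['id']:<10} {f['package']:<12} {f['severity']} (not loaded at runtime)")
    print(f"{len(must_fix)} blocking, {len(deferred)} deferred, "
          f"{len(informational)} below threshold")
    return 1 if must_fix else 0


# Constructed sample data (not real identifiers): a scanner report and the set
# of packages a runtime agent saw the application import during a test run.
SAMPLE_REPORT = "\n".join([
    '{"id": "VULN-0001", "package": "imagelib",   "severity": "critical"}',
    '{"id": "VULN-0002", "package": "legacy-xml", "severity": "high"}',
    '{"id": "VULN-0003", "package": "webfw",      "severity": "medium"}',
    '{"id": "VULN-0004", "package": "cli-colors", "severity": "low"}',
])
SAMPLE_LOADED = {"imagelib", "webfw", "requests"}

if __name__ == "__main__":
    sys.exit(gate(parse_scan_report(SAMPLE_REPORT), SAMPLE_LOADED, Policy()))
```

Run as a pipeline step, the non-zero exit code is what fails the build. The deferred list is the part worth watching: "not loaded" is only as good as the coverage of the run that produced the observation, so deferred findings should be kept on the backlog and re-evaluated whenever the runtime profile or the test suite changes, and a missing observation should disable the filter rather than quietly pass everything.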

Encourage collaboration and cross-functional teams

Collaboration is often lacking between development and security teams and there are issues around skills, regulations and culture. When it comes to the dynamics between operations and security teams, the challenge is how to effectively use analytics to gain value from the huge amounts of SecOps data to produce actionable information.

Businesses should not assume the two teams will discuss security requirements. While operating in silos has long been how work is conducted, development and security teams must be encouraged to collaborate.

The way to break down these silos is to create integrated agile teams charged with solving all the requirements of the products in their scope, whether those are functional, security, reliability or compliance issues. These teams should be staffed with well-rounded engineers who can work across disciplines and pick up new skills quickly.

Talk the talk

Security can do its part by explaining, in "developer speak," why code needs to be tested and how potential vulnerabilities can be fixed. This requires figuring out what those concepts mean in coding terms.

For example, rather than refer to vulnerabilities, security can instead talk about software defects, since that's something developers can relate to.

People also need to be trained in each other's expertise. From a process perspective, security can define guardrails within which developers should work. This requires making sure that both DevOps and security teams are actually talking, not just going through the proper checks and channels.

It's also important to discuss which tools are critical for a company in the DevSecOps process to have since it's not productive to adopt multiple ones all at once. However, the security team should make the call on which tools they absolutely need, while DevOps can help with the implementation. If security arms DevOps with tools to minimize vulnerability backlogs and product development bottlenecks, they are sure to score some brownie points.

Recognize DevSecOps is a human issue

Some argue that DevSecOps is a human issue that plays as much of a role in the transition to this principle as automation. Developers have not always been part of the conversation, and even if they view security as important, they may not consider good security practices in the scripts they build.

Human behavior needs to change, and this can be achieved by aligning expectations and fostering a willingness to learn from one another. One approach is to designate a point person with this responsibility. Goals must be combined, and ultimately both sides should be held accountable for security.




Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offering future-proof security.

Published Friday, June 03, 2022 7:33 AM by David Marshall