Nothing is set in stone when an organization follows a DevOps methodology — a DevOps security model pushes developers and ops to constantly retune, slow down and speed up.
Excerpt from: With continuous security, SecDevOps deconstructs CI/CD
“All of the DevOps teams I work with have some integration between cybersecurity and development,” said J. Wolfgang Goerlich, cybersecurity strategist at Creative Breakthroughs Inc., a Detroit-based IT security consultancy. Some organizations have embedded security architects in the DevOps teams. Others have security champions within DevOps who work directly with the cybersecurity team. “In both cases, the partnership is a means to introduce security concepts while maintaining DevOps velocity,” he said.
Goerlich said roughly one in four DevOps teams integrate and automate some level of security controls. “This integration is generally performing scans and checks against the static code, the application, and the underlying environment composition,” he said.
But this level of automation often requires tuning and adjustments to ensure it keeps pace with DevOps. For example, he said, traditional code-level scans take several days. “That’s not effective when DevOps is changing the code on a daily or even hourly basis,” Goerlich said.
Effective SecDevOps teams secure without slowing, and they add continuous security without exceeding the team’s capacity to change, he said. “It’s paradoxically fast and slow, with security controls being added slowly while tuned to execute very quickly.”
Success comes from balancing protection for the DevOps product while protecting the DevOps productivity.