7 ways DevOps can benefit CISOs and their security programs

If there’s ever been a wake-up call for the security industry to change its outdated ways, DevOps is it.

Credit: Thinkstock
DevOps can be beneficial

Organizational culture and its processes and technology are evolving at a pace we have never experienced before. As a result, we can’t just sit back and wait for the “DevOps fad” to fade away because it isn’t going to. It’s not a fad – it’s an evolved way of software development. Furthermore, security cannot be the elephant in the room that everyone avoids because it gets too complicated. Security must evolve, as well, segueing into SecDevOps.

Many organizations are regularly pushing out tens if not hundreds of releases and updates on a daily basis. With help and guidance from the security team, organizations can push secure releases on the first try and save lots of money and time along the way.

Checkmarx explains why DevOps can end up being a major benefit to security.

DevOps builds a culture of collaboration and breaks silos

One of the main goals of DevOps is to create a culture that values collaboration, finding ways to make work better for all the teams involved. Developers struggle with writing secure code, and many security tools have been thrown aside because the development team wasn’t properly instructed on how to use them, or because the tools just couldn’t adapt to rapidly changing software development life cycle methodologies. With DevOps, the silos come down, allowing security to be better integrated and more automated, and therefore easier for the rest of the development team to understand and improve.

DevOps helps align security with the rest of the business

Along with the improved relationship with developers and other team members, another benefit of DevOps for the security team is a new alignment with the rest of the business. According to a recent Puppet Labs survey, high-performing organizations spend 22 percent less time on unplanned work and rework. Because integrated security testing catches issues much earlier in the systems development life cycle (SDLC), security budgets are driven down and refocused on earlier security processes.

Most important, the risk of a breach and the time for breach discovery are lowered. It becomes easier to put in place policies and procedures to respond to potential breaches and make decisions based on risk. Altogether, the potential business downtime is lowered.

DevOps promotes safe innovation and agile development

More organizations are moving towards Agile Software Development (ASD), and it’s already become a pervasive tactic for the majority of organizations across the globe. However, consistency and speed only go so far in developing software without taking security into consideration. Agile software development requires proper security implementation for optimal results. When the security team is more integrated into the development culture, it’s easier to secure new developments from their inception. With DevOps, teams can seamlessly bring security review into developers’ sprints, quickly adding secure new features or innovations. Enabling innovation with security considerations both assists the business and helps establish your team as a valuable cornerstone of software development.

DevOps makes automation a priority

DevOps is driven by a desire to create a streamlined approach to software development where processes can be automated. By working with fellow operations managers and development team leaders, security teams can develop automated processes that include checking security functions and policies, identifying insecure components and regulatory issues and building secure virtual machines to work in. This offers a whole new level of involvement that security hasn’t been afforded before. Bringing a static code analysis solution into an automated development process will help ensure that only code that passes certain security, regulatory and compliance standards will be used.

DevOps makes security everyone’s responsibility

One of the most challenging yet rewarding results of the shift to DevOps is everyone in the SDLC now touches security. It can be scary for security teams to hand over security duties to other teams, but doing so can lift burdens on the security team and free up bandwidth to tend to other pressing security matters. For example, by integrating security testing at the very start of development, security no longer has to ensure releases aren’t stalled by late-stage SDLC testing.

When Dev and Ops teams take a bigger responsibility over secure code, members of the development team most interested in security have the opportunity to expand their security expertise. With the right training programs, capture the flag exercises and more, the overall security knowledge of the team can be improved.

DevOps enhances monitoring & measurement

Short development sprints allow for constant improvement. Prior to integrating security into DevOps, monitoring was often done separately from security. When security is integrated into the development process it can also become integrated into existing software monitoring and measurement. As a result, new security metrics will align more with Dev, Ops and management.

For example, DevOps teams may aim to catch 75 percent of bugs early in the development process. With SecDevOps, teams can monitor and measure for security vulnerabilities early in the process, ensuring that all bugs that could delay a deployment are not only caught, but also quantified.
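The automation slide talks about letting only code that passes defined security standards through the pipeline, and this slide about quantifying security findings early. The following is an added illustration, not code from Checkmarx or from the original article: a small CI gate that reads a SAST report (a constructed, minimal SARIF-style document with made-up rule IDs and file paths), counts findings by severity for the team's metrics, and fails the build when a policy threshold is exceeded. The policy values are assumptions to be tuned per organization.

```python
import json
from collections import Counter

# Constructed sample: a minimal SARIF-style report such as a SAST tool might
# emit in CI. Rule IDs and file paths are made up for this example.
SAMPLE_SAST_REPORT = json.dumps({
    "runs": [{
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"}}}]},
            {"ruleId": "missing-docstring", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}}}]},
        ]
    }]
})

# Gate policy (assumed values): a severity level may appear at most this many
# times before the build is failed. Levels not listed are reported only.
DEFAULT_POLICY = {"error": 0, "warning": 5}

def summarize_findings(report_json):
    """Return (counts_by_level, findings) parsed from a SARIF-style report."""
    report = json.loads(report_json)
    findings = []
    for run in report.get("runs", []):
        for result in run.get("results", []):
            loc = result.get("locations", [{}])[0]
            uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "?")
            findings.append((result.get("level", "warning"), result.get("ruleId", "?"), uri))
    counts = Counter(level for level, _, _ in findings)  # metrics for the dashboard
    return counts, findings

def evaluate_gate(report_json, policy=DEFAULT_POLICY):
    """Decide whether the build passes. Returns (passed, counts, violations)."""
    counts, findings = summarize_findings(report_json)
    violations = [(lvl, rule, uri) for lvl, rule, uri in findings
                  if lvl in policy and counts[lvl] > policy[lvl]]
    return (not violations), dict(counts), violations

if __name__ == "__main__":
    passed, counts, violations = evaluate_gate(SAMPLE_SAST_REPORT)
    print("security metrics:", counts)
    for lvl, rule, uri in violations:
        print(f"BLOCKING {lvl}: {rule} in {uri}")
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the CI stage
```

Run it as the last step of the build stage; the printed counts are the early-stage security metrics the slide describes, and the exit code is what stops an insecure release from proceeding.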

DevOps eliminates bottlenecks

Without DevOps, users must follow a trail of information and jump through hoops to find the right contact to assist with issues. Since DevOps teams open the lines of communication between groups, users have a clear path to multiple contacts and can work to solve issues as they arise. Along with open communication, education is a core component of a DevOps program. In fact, the same Puppet Labs survey mentioned earlier found that high-performing [DevOps] organizations spend 50 percent less time remediating security issues than low performers, and that they ensure Information Security provides pre-approved, easy-to-consume libraries, packages, toolchains and processes for developers and IT operations to use in their work.