This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

How Security Can (and Must) Work With DevOps

Think the speed of DevOps precludes a role for security? Think again.

Traditional security practices can be left in the dust by the speed of projects in a DevOps environment. Here's how infosec can win back a seat at the table.

DevOps is the name given to techniques that allow orders-of-magnitude speedup in development and deployment. When Flickr introduced these concepts at a Velocity Conference in Belgium in 2009, those in the audience were accustomed to deployment timescales of months. Flickr VPs announced that they were routinely doing 10 deploys per day -- a speedup of 1,000 times over what had been believed possible before. As DevOps techniques have spread worldwide and continue to evolve, companies such as Amazon can boast of more than 1,000 deployments per day.

This radical agility is enabled by breaking down the silos in IT (and the larger corporation), particularly between development and operations. It uses the cloud by default. The speed of deployment "delights the business and terrifies security," according to Josh Corman and Gene Kim, who spoke at the recent RSA Security conference to introduce what they are calling "Rugged DevOps." (Here is an interview with Corman and Kim as a 12.3-MB MP3 file.)

Traditional security is viewed as a tax on development, Kim said in an interview with CSO Online. If it involves system reviews that can take weeks or a month to complete, as it often does, infosec is so obviously out of step with the agility of DevOps that it will simply be "shoved out of the game," according to Kim.

This situation is clearly damaging to systems security, which under traditional infosec is already playing catch-up with the rest of the organization.

Enter Rugged DevOps
What's to be done? Gene Kim urges infosec to concentrate on hardening the environment into which the rapid deployments are made. Security needs to find a way to add value to development, QA, product management, and operations. It can do this by helping produce code and an environment that are reliably securable, stable, durable, and scalable. "We're just turning security into one of the qualities that Dev and Ops should be working on together," says Kim.

At the nuts-and-bolts level, the transformation the security silo must undergo consists of figuring out how to automate security tests so that all of the testing can be integrated into the development process. Automation will also help operations harden the environments into which the code will deploy.

Then security must identify the other players in the DevOps cycle and work to convince them of the value of using automated testing and checklists to bake quality and security into the process. Successfully doing so will earn them back a place at the DevOps table.
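What an automated security checklist looks like when it runs as a pipeline gate, as an added example that is not code from the article or from Kim and Corman: each hardening item is a small function that inspects the environment manifest the code will deploy into, and the deploy fails on any finding in seconds rather than waiting weeks for a review. The manifest format, the checklist items and both sample manifests are constructed for illustration.

```python
"""Automated security gate for a deploy pipeline (added example, not code from
the article). Hardening checklist items are functions over a constructed
environment manifest; any finding fails the gate."""

WEAK_PASSWORDS = {"", "admin", "password", "changeme"}  # constructed list

def check_tls(env):
    """Listener must enforce TLS."""
    return None if env.get("tls", {}).get("enforced") else "TLS is not enforced on the public listener"

def check_debug(env):
    """Debug mode must be off in any deployable environment."""
    return "debug mode is enabled" if env.get("debug") else None

def check_credentials(env):
    """No account may carry an empty or well-known default password."""
    bad = [u["name"] for u in env.get("users", []) if u.get("password", "") in WEAK_PASSWORDS]
    return f"default or empty password for: {', '.join(bad)}" if bad else None

def check_admin_exposure(env):
    """Remote-admin ports (SSH, RDP) must not be reachable from everywhere."""
    exposed = sorted(r["port"] for r in env.get("ingress", [])
                     if r["port"] in (22, 3389) and r.get("source") == "0.0.0.0/0")
    return f"admin ports open to the world: {exposed}" if exposed else None

CHECKLIST = [check_tls, check_debug, check_credentials, check_admin_exposure]

def run_gate(env):
    """(check name, detail) for every failed checklist item; empty list means pass."""
    results = [(c.__name__, c(env)) for c in CHECKLIST]
    return [(name, detail) for name, detail in results if detail]

def gate_passes(env):
    return not run_gate(env)

# Constructed sample manifests: one as a team might first write it, one hardened.
WEAK_ENV = {"debug": True, "tls": {"enforced": False},
            "users": [{"name": "admin", "password": "admin"}, {"name": "deploy", "password": "s3cr3t-rot"}],
            "ingress": [{"port": 443, "source": "0.0.0.0/0"}, {"port": 22, "source": "0.0.0.0/0"}]}
HARDENED_ENV = {"debug": False, "tls": {"enforced": True},
                "users": [{"name": "deploy", "password": "s3cr3t-rot"}],
                "ingress": [{"port": 443, "source": "0.0.0.0/0"}, {"port": 22, "source": "10.0.0.0/8"}]}

if __name__ == "__main__":
    for name, detail in run_gate(WEAK_ENV):
        print(f"FAIL {name}: {detail}")
    raise SystemExit(0 if gate_passes(WEAK_ENV) else 1)  # non-zero exit fails the pipeline step
```

Run against the weak manifest the script exits non-zero with four findings, so the same checklist that once lived in a review document becomes a test the pipeline enforces on every deploy.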

Gene Kim is writing a book, "The DevOps Cookbook," about all of this. He is interviewing the "tribal leaders" of the DevOps movement. What they are saying now: "It's not DevOps, it's Dev-Ops. It's everybody between Dev and Ops: it's QA and infosec" as well. In such an agile environment, quality and security benefit intrinsically.