The blurring of lines between software development and software deployment is one of the monumental shifts reshaping how we manage the task of cybersecurity. DevOps, the methodology that has emerged for managing this new take on the software development lifecycle, is so new that we’re even having trouble figuring out its taxonomy. What do we call what we’re doing, when we’re doing it right?
DevOps vs. DevSecOps
DevOps is the name that has arisen for the methodology for managing continuous software delivery. Over the past few years, I’ve seen DevSecOps introduced as a term for a version of DevOps in which cybersecurity is an intrinsic component of the development pipeline.
As with so many industry terms, treating DevSecOps as a distinct discipline may get things wrong from the outset. We set ourselves up for problems if we distinguish DevOps done with secure practices and procedures from DevOps proper.
Rather, cybersecurity needs to be factored into all practices and procedures. In software development, as anywhere, it’s the foundation. The adage “we need to shift security left” – meaning implement it as early in any process as possible – fills the slides of conference speakers the world over, and it’s true. DevOps isn’t just a set of technologies. It’s a profound shift in attitudes and ways of working.
In a DevOps shop, where a programmer can commit code into a repository, immediately and remotely initiating the build and deployment of infrastructure and applications, where is there even room for a cybersecurity pro in the process? How do we, as cybersecurity professionals, even begin to secure a DevOps environment?
The security practitioner is used to documenting their requirements, threat models and architecture blueprints within reams of prosaic documentation to meet deadlines in weeks and months, not minutes and seconds.
Let’s cut through the buzz and get to some common-sense best practices that help the enterprise world recognize cybersecurity pros as vital to the DevOps workflow and the software lifecycle, and that establish a software development landscape fast enough for anyone and safe enough for everyone.
Getting Cybersecurity in the Room
A big challenge in getting any enterprise to appreciate cybersecurity’s role in a DevOps shop is a people problem, not a technical one. Most simply, the cybersecurity team has to show up to meetings and make the importance of its function known to the rest of the enterprise. That is, however, only the beginning.
Cybersecurity then needs to show that, by preventing problems, it enables efficiency rather than slowing it down. From there, its significance and non-negotiable importance will be appreciated.
The shift to daily, succinct meetings is particularly challenging for some in the security world. Not because we are incapable of managing our calendars, but because of the demand for succinctness and rapid root cause analysis.
Security problems are often difficult to articulate to those outside of the cybersecurity space. That was even true when meetings were hours long and documentation was verbose. In this new, hyper-compressed landscape, getting the point across can be even tougher.
If we show up to meetings and say “let’s slow down these operations and look at this,” or “every deployment needs to get checked off by us first,” we run the risk of a DevOps team – focused on getting software out, bugs fixed and upgrades implemented as quickly as possible – seeing us as the roadblock: the department that shuts everything down and stands in the way of digital transformation in favor of abiding by archaic processes. These days, that is the department everyone circumvents. Dogmatic cybersecurity ends up being less cybersecurity in the long run.
A Shift from the Traditional Cybersecurity Approach
For software development and deployment using the DevOps model, speed is key. Teams code and deploy programs directly to infrastructure … in fact, they also code infrastructure! Concerns come back from clients, and there’s no week-long wait to implement a fix or roll out a patch. As a cybersecurity team, being able to operate at this speed is critical to being accepted and appreciated as part of the workflow.
That means shifting away from the traditional model of providing 30 pages of recommendations on how a project could be secured (in a cybersecurity vernacular that a developer may or may not understand).
Instead, cybersecurity pros working with DevOps teams need to make what they do part of the story. A client benefits from continuous service delivery in particular ways. Cybersecurity needs to make it clear how they benefit from doing it securely.
Flexibility and interactivity are key – cybersecurity pros need to act as part of the process, working on the same level as the coding and deployment wings of a DevOps team to communicate requirements, manage code reviews and provide test cases.
If the DevOps team is automating, the security team’s objective should be to automate too. Where feasible, cybersecurity pros must assess the pipelines used to deliver software and identify where codified security controls can be included. Integrating test-driven security into the workflow (security requirements expressed as automated tests that run on every commit, the same way functional tests do) can cut out many manual review cycles.
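What a codified security control looks like in practice, as an added example that is not code from the original post: a small Python gate that reads an infrastructure plan and fails the pipeline when a security group opens an administrative port (SSH, RDP, or Terraform’s “all traffic” rule) to the world, or when a storage bucket has a public ACL. The plan shape is loosely modelled on the JSON that `terraform show -json` emits; the resource names, the inline `acl` attribute and both sample plans are constructed assumptions, not output from any real environment. Because the check is a test, a developer gets the same red/green signal they get from a failing unit test, with no review meeting needed.

```python
"""Test-driven security gate for infrastructure-as-code (added example).

The plan shape is loosely modelled on the JSON that `terraform show -json`
emits (planned_values.root_module.resources[...].values). The sample plans,
resource names and the inline `acl` attribute are constructed assumptions,
not output from any real environment.
"""
import json
import sys

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}            # ports that should never face the world
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def _plan(*resources):
    """Wrap resources in a planned_values envelope (constructed test data)."""
    return json.dumps({"planned_values": {"root_module": {"resources": list(resources)}}})


def _sg(address, *ingress):
    return {"address": address, "type": "aws_security_group", "values": {"ingress": list(ingress)}}


def _bucket(address, acl):
    return {"address": address, "type": "aws_s3_bucket", "values": {"acl": acl}}


def _rule(from_port, to_port, protocol, *cidrs):
    return {"from_port": from_port, "to_port": to_port, "protocol": protocol, "cidr_blocks": list(cidrs)}


# A plan a developer might push (constructed): HTTPS to the world is fine;
# SSH to the world, an "all traffic" rule (protocol -1) and a public bucket are not.
SAMPLE_PLAN = _plan(
    _sg("aws_security_group.web", _rule(443, 443, "tcp", "0.0.0.0/0"), _rule(22, 22, "tcp", "0.0.0.0/0")),
    _sg("aws_security_group.db", _rule(0, 0, "-1", "0.0.0.0/0")),
    _bucket("aws_s3_bucket.logs", "public-read"),
    _bucket("aws_s3_bucket.private", "private"),
)

# The same plan after the fix (constructed): admin and database access only
# from an assumed corporate range, and the log bucket made private.
HARDENED_PLAN = _plan(
    _sg("aws_security_group.web", _rule(443, 443, "tcp", "0.0.0.0/0"), _rule(22, 22, "tcp", "10.0.0.0/8")),
    _sg("aws_security_group.db", _rule(5432, 5432, "tcp", "10.0.0.0/8")),
    _bucket("aws_s3_bucket.logs", "private"),
    _bucket("aws_s3_bucket.private", "private"),
)


def _iter_resources(plan):
    """Walk root_module and any nested child_modules depth-first."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def _world_exposed_admin_ports(rule):
    """Describe the admin ports this ingress rule opens to the world, or None."""
    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    if not cidrs & WORLD_CIDRS:
        return None
    if str(rule.get("protocol")) == "-1":         # Terraform's "all traffic": ports are 0/0
        return "all ports"
    lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
    hits = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
    return ", ".join(hits) if hits else None


def find_violations(plan_json):
    """Return one finding per violated control; an empty list means the plan passes."""
    findings = []
    for res in _iter_resources(json.loads(plan_json)):
        values = res.get("values", {})
        if res.get("type") == "aws_security_group":
            for rule in values.get("ingress", []):
                exposed = _world_exposed_admin_ports(rule)
                if exposed:
                    findings.append({"address": res["address"],
                                     "rule": "sg-admin-port-open-to-world", "detail": exposed})
        elif res.get("type") == "aws_s3_bucket" and values.get("acl") in PUBLIC_ACLS:
            findings.append({"address": res["address"], "rule": "s3-public-acl", "detail": values["acl"]})
    return findings


def gate(plan_json):
    """Pipeline gate: True when the plan may be applied."""
    return not find_violations(plan_json)


if __name__ == "__main__":
    # Pipeline step (assumed): terraform show -json plan.out > plan.json && python iac_gate.py plan.json
    # With no argument the constructed sample plan is checked instead.
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for finding in find_violations(plan):
        print(f"FAIL {finding['address']}: {finding['rule']} ({finding['detail']})")
    sys.exit(0 if gate(plan) else 1)
```

The non-zero exit code is the whole integration: any CI system stops the deployment on it, so the control needs no human in the loop, and the developer sees exactly which resource and which rule failed. Expressing the control as a port and CIDR check rather than a document also means the exception path is explicit: a rule from a private range passes, a rule from 0.0.0.0/0 does not, and nobody has to interpret a paragraph of guidance.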
Having everyone as part of the team is in some sense what DevOps culture is all about, and chief information security officers (CISOs) need to make it a priority to get their cybersecurity pros embedded (and welcomed) in DevOps teams.
The question of what they do when they get there is, of course, a more technical one.
A Cybersecurity Skill Set for the Future
For cybersecurity professionals, the question of skills invariably arises. For those used to working on on-premises, physical infrastructure, the demands of the new virtualized environments that DevOps teams are leveraging can be a big change.
Solutions DevOps teams use, like Amazon Web Services (AWS) Lambda, Microsoft Azure Cosmos DB, Docker and so on, may be unnerving to those who don’t have their heads in the programming world. But things have never stood still in cybersecurity. The technology has been in a constant state of evolution for 30 years.
The more developers drive the software lifecycle, the more cybersecurity pros are going to need to understand the ins and outs of software development in order to manage it – at least in those cases where continuous delivery becomes standard operating procedure.
While touching code may seem to some like something from the other half of the enterprise computing world, principles like containerization and infrastructure-as-a-service (IaaS) remain within the conceptual wheelhouse of what cybersecurity pros have long done. The leap that needs to be made, then, is an evolutionary one.
And it’s not an evolutionary leap that will be made alone. With CompTIA cybersecurity certifications validating the skills standards across industries, CompTIA-certified pros can always be confident that they have what it takes to secure infrastructure – whether physical or virtual, local or remote.
Validate your cybersecurity skills with CompTIA Security+, CompTIA Cybersecurity Analyst (CySA+), CompTIA PenTest+ and CompTIA Advanced Security Practitioner (CASP+). Download the exam objectives to see what’s covered.