Why Cybersecurity Requires DevOps

Consider for a moment this data spanning 7 years, showing that there are constants in cybersecurity trends. A 2008 report demonstrated that 62% of all data breaches were caused by a significant manual error or an internal mistake. A 2015 report found that over the past 11 years, 96% of all security incidents fell into nine basic patterns, of which the top four patterns, totaling about 90%, involve human error or misuse. Even though millions of security threats exist, this data gives us hints where to focus.

Frequency of incident classification patterns across security incidents for 2013 and 2014.
FIGURE 1: Frequency of incident classification patterns across security incidents for 2013 and 2014.

Savvy CISOs are in the risk mitigation business. Process automation and collaboration are critical to risk mitigation, as they address priority patterns related to a poor patching strategy, pushing bad code to production, and observing manual configuration mistakes. It is also vitally important to balance meeting end-user expectations in production and risk. Cue, DevOps!

Coining the name “DevOps” is a stopgap way of dealing with a problem: the community doesn’t know exactly what to call this methodology otherwise.

Sure, it started as a solution to the Development and Operations collaboration dilemma. Simple. It rolls off the tongue. Fast-forward a few years, the idea of DevOps is much more nebulous. Let’s reflect on the meta of the trend: DevOps is a new and necessary space, formed in the middle of engineering, that is an incredible asset to cybersecurity as a blueprint for building a collaborative culture and automation-centric responsibilities, which are essential for modern cybersecurity.

 

DevOps for Cybersecurity is Cultural and Functional

The model for why your cybersecurity requires DevOps is twofold: it is a cultural philosophy and a functional role. As a cultural philosophy, DevOps seeks to drive efficiencies, tear down silos, and elicit collaboration, which can put security teams more in-tune with the business objective of delivering engineering results. As a functional role, the DevOps entity lives within an organization’s engineering department, and it is comprised of the people, policies, practices, and tools dedicated to improving the software development life cycle as a whole. From development to production, the role of DevOps is to bridge the gap between Development, Operations/Systems Management, Security teams, and other teams, as well.

Silos tend to haunt successful organizations because the good ones can grow to enterprise size. At that scale, the smallest human error can affect dozens of systems, and degrade the quality of product. Also, mistake-prone manual processes create an incredible security risk. Infrastructure has to scale, development and QA become more robust, continuous integration is implemented, policies and practices need to be implemented and enforced, and the responsibilities of each team become more defined. With this growth, the overlap between the teams diminishes and the void between the teams increases.

In a startup environment (left) it is unavoidable that engineering teams will overlap because “everyone does everything.” In a startup, DevOps is more cultural and a mindset among teams. For the enterprise environment (right) DevOps can become a true, staffed function for the organization.
FIGURE 2: In a startup environment (left) it is unavoidable that engineering teams will overlap because “everyone does everything.” In a startup, DevOps is more cultural and a mindset among teams. For the enterprise environment (right) DevOps can become a true, staffed function for the organization.

 

Development and Operations cannot support the new demands of facilitating, managing, and scaling enterprise continuous integration, deployment, source control, and effective collaboration without misallocating their own time and effort, which thereby disrupts their ability to do their own work. Security risk skyrockets.

Reasons that DevOps and Security Teams Need to be Connected

  1. DevOps helps bind the security and engineering departments together through collaboration, policies, and procedures. Developers need resources and information from operations, operations need product and information from engineers, and security teams need to cast a wider net on relevant data. In the end, DevOps is charged with ensuring all teams get what they need to be successful across the entire Software Development Life Cycle (SDLC) by implementing policies and procedures such as requiring proper notification of new resource requirements or configuration changes, providing a means to provision development or testing environments, or no production releases without acceptance testing. Additionally, DevOps makes sure product is not “thrown over the wall” to operations by mandating necessary collaboration between teams to keep everyone in the same pool of knowledge.
  2. DevOps improves product quality and security concurrently. One of the mainstays of DevOps is a rapid feedback loop (FIGURE 3). Implementing practices like continuous integration promotes instant feedback on changes from development as they are made. If a piece of code or configuration is broken or caused something else to break, which can cause security vulnerabilities, the faster it is made known the faster it can be fixed. Also, automated test runs, both pre and post deployment, are essential to this effort. The tools controlling this bit of automation provide visibility into the state of the product. In essence, DevOps owns the continuous integration/deployment realm, which is aimed at fast and effective quality checks during integration and deployment.
  3. DevOps ensures a streamlined and dynamic workflow by keeping the SDLC automation infrastructure up to date with the ever changing needs of security, development, and operations. This is accomplished through innovation and staying current on technology. DevOps must create a pipeline for the product. The pipeline needs to remain consistently functional yet easily updatable as product or infrastructure changes occur, which requires time and effort outside of development or operations.
  4. DevOps guides the engineering culture towards agility, innovation, and an automated approach to security. Someone has to assume a governing responsibility over the SDLC within engineering and prioritize secure, bug-free code. DevOps is the perfect entity to assume the role of “security champion”, given it is logically right in the center of engineering. This creates a “single source of truth” for the policies, practices, and tools necessary to build and deliver a secure, quality product in an agile, innovative, and cohesive manner. DevOps falls in line with the team posture by accepting input from all other teams within engineering, sifting through the needs and requirements, and then making intelligent decisions. A few of these decisions include what tools to use, how the development pipeline will look (e.g. involving security testing or not), and how to build a foundation upon which the SDLC for that particular engineering department will operate.
It is important to create a culture that fosters two things: making and learning from mistakes; and practice makes perfect. Only through this continuous effort can true mastery be achieved.
FIGURE 3: It is important to create a culture that fosters two things: making and learning from mistakes, and practice makes perfect. Only through this continuous effort can true mastery be achieved.

When DevOps and security teams collaborate, it helps to address problems proactively at the root level, not retroactively. The security is better because monitoring tools are introduced and hardening guidance is built into the DevOps process. When your cybersecurity requires DevOps, you have competitive advantage, because your organization’s code now tells a richer story: it works, it’s released fast, and it’s secure.

Click here to download and save this blog post as a PDF.

Sources:

Kim, G. (2013, October 1). DevOps distilled: A new look at DevOps. Retrieved November 6, 2015, from http://www.ibm.com/developerworks/security/library/se-devops/index.html
Mueller, E., Wickett, J., Gaekwad, K., & Karayanev, P. (2010, August 2). What Is DevOps? Retrieved November 6, 2015, from http://theagileadmin.com/what-is-devops/
Schulman, J. (2015, August 17). Why Security Needs DevOps. Retrieved November 6, 2015, from https://www.jayschulman.com/why-security-needs-devops/
Verizon (2015). Data Breach Investigations Report. Retrieved from: http://www.verizonenterprise.com/DBIR/2015/