Security teams must embrace DevOps practices or get left behind

DevOps practices can help improve enterprise security. Frank Kim of the SANS Institute explains how infosec teams can embrace them.

All companies, whether they realize it or not, are technology companies. Digital technology is transforming businesses. It is changing how companies operate and how they deliver value to customers.

This increased reliance on technology is driven by the desire to bring new products and services to market in a faster, more efficient way to meet customer demand. New technology, including microservices and the public cloud, as well as various DevOps practices, is now commonly utilized to bring products to market faster. Despite the many benefits associated with digital transformation, there are new challenges that many companies are struggling to address.

To understand these challenges, it is helpful to take a look back at how development was handled prior to the digital transformation. In the past, many traditional organizations deployed a new product, service or website infrequently, perhaps even just once a year. With advances in technology, this timeline has drastically changed.

Today, many organizations are deploying a new service to production 10, 20 and even 50 times a day. This increased rate of technology change has created an alarming situation for security teams, IT teams and risk teams. These teams are now tasked with finding new ways for their organization to best utilize the DevOps practices and support technology that the organization wants to use without putting the company at risk.

Security's new path

DevOps and the cloud are radically changing the way organizations design, build and operate systems. In traditional approaches to security, the default response to new technologies and approaches is often "no." In today's environment, a simple "no" will not work. The accelerated rate of change that businesses demand is forcing security to take a different approach.

In this new world, security teams must do three things.

  1. Understand DevOps. Security teams must learn the intricacies of how DevOps works, how continuous integration/continuous delivery (CI/CD) pipelines are used to get products to market faster and how the ability to deploy changes quickly is not a risk, but their greatest security asset. 
  2. Enable development teams. Security teams must learn how to inject security into the DevOps CI/CD pipeline without becoming blockers. Instead of telling development teams what not to do and how not to do it, they must agree with them on common outcomes.
  3. Utilize DevOps practices within security. Security teams must practice what they preach and internally utilize DevOps practices to deploy security products faster, more reliably and with increased effectiveness.

A look ahead

In the quest to determine how to support the rapid pace of change, DevOps will play a key role. DevOps practices rely on a number of different foundational principles, including automation. This is good news, considering much of infrastructure deployment today is actually automated. The question, therefore, isn't how to keep pace with DevOps, but rather how security teams can benefit from DevOps and the move to the cloud.

DevOps can actually help lower risk when security is integrated into the development process. Security teams can move faster because DevOps lets them deploy updates to functionality and features more quickly. And when the inevitable security issue is found in an application, it can be patched much more quickly. This lets both the organization and its security team move faster.

Digital technology isn't just transforming businesses. With the help of DevOps, it is transforming security, as well. DevOps is the future of development, and as a result, it is the future of both IT and information security.

Editor's note: Frank Kim will teach a course on practical introduction to secure DevOps at an upcoming SANS event in Las Vegas in September.

About the author: Frank Kim is the curriculum director at the SANS Institute and founder of ThinkSec, a security consulting and CISO advisory firm. Previously, as CISO at the SANS Institute, Frank led the information risk function for the most trusted source of computer security training and certification in the world. In his new role at SANS, he continues to lead the management and software security curricula, helping to develop the next generation of security leaders.
