Confusion persists around DevOps because the term "has been used and abused so much it's lost all meaning," said Mark Nunnikhoven, VP of cloud research for Trend Micro, speaking Tuesday at the Gartner Security and Risk Management Summit in National Harbor, Maryland. DevOps tools have emerged and organizations have marketed "DevOps people." But at its core DevOps is a philosophy designed to balance two formerly disparate parts of an organization: development and operations.
Focusing on people, process and products, DevOps has gained ground in the enterprise, and delivery pipelines with constant feedback loops are creating more efficiency. From a security perspective, DevOps has the potential to create "a culture of collaboration that reduces risk by decreasing the size of changes to production environments," Nunnikhoven said.
Companies inherently reduce risk by making smaller changes at once, said Nunnikhoven. Larger deployments might have thousands of lines of code, making it a frustrating task to track down the root of the flaw. But with a more DevOps mindset, companies can deploy numerous times a day, rolling out small, iterative product changes as opposed to big changes all at once.
The goal of security is to make things work as intended. And the best way to do that is to work with business stakeholders to create more secure development processes. But it's not DevSecOps, Nunnikhoven said. "Not a thing."
Security should be embedded in the development process, not an additional auditing step, which favors more outdated perimeter approaches to security.
@marknca: #DevSecOps — "No. Not a thing." "It's the height of arrogance" for the security community. #GartnerSEC — Naomi Eide (@NaomiEide) June 5, 2018
Organizations that "shift left" and spend more time in the development production environment will allow security teams to educate and secure by influence throughout the stages of the development pipeline. The earlier a company finds a bug, the easier it is to fix it, said Nunnikhoven.
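To make the "shift left" idea concrete, here is an added example of a minimal pre-merge security gate, the kind of check that runs on every proposed change inside the pipeline rather than as a separate audit after deployment. It is not code from the article, from Nunnikhoven or from Trend Micro. It enforces the two points the article makes: the change must be small (an assumed line budget, which keeps root-causing tractable) and the lines it adds must not contain obvious hardcoded credentials. The line budget, the secret patterns, the function names and the sample diffs are all constructed assumptions for illustration.

```python
"""Added example: a small pre-merge gate that reviews a unified diff.
Not the article's or the speaker's code; thresholds, patterns and
sample input are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Assumed budget: changes larger than this are pushed back to be split up.
MAX_ADDED_LINES = 200

# Assumed, deliberately simple secret patterns (a real gate would use a
# dedicated scanner; these are enough to show the mechanism).
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("password_literal", re.compile(r"(?i)password\s*=\s*['\"][^'\"]{4,}['\"]")),
]


@dataclass
class GateResult:
    added_lines: int = 0
    findings: list = field(default_factory=list)  # (file, new line no, rule)

    @property
    def passed(self) -> bool:
        return self.added_lines <= MAX_ADDED_LINES and not self.findings


def review_diff(diff_text: str) -> GateResult:
    """Walk a unified diff, count added lines and scan them for secrets."""
    result = GateResult()
    current_file = None
    new_line_no = 0
    for line in diff_text.splitlines():
        # File headers and git metadata: record the target file, no scanning.
        if line.startswith(("diff ", "index ", "--- ")):
            continue
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
            continue
        if line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)  # start line on the new side
            new_line_no = int(m.group(1)) if m else 0
            continue
        if line.startswith("+"):
            result.added_lines += 1
            content = line[1:]
            for rule, pattern in SECRET_PATTERNS:
                if pattern.search(content):
                    result.findings.append((current_file, new_line_no, rule))
            new_line_no += 1
        elif line.startswith("-"):
            pass  # removed line: numbering on the new side does not advance
        else:
            new_line_no += 1  # context line


    return result


def report(result: GateResult) -> str:
    """Human-readable summary suitable for a CI log."""
    lines = [f"added lines: {result.added_lines} (budget {MAX_ADDED_LINES})"]
    for path, no, rule in result.findings:
        lines.append(f"{path}:{no}: possible {rule}")
    lines.append("gate: PASS" if result.passed else "gate: FAIL")
    return "\n".join(lines)


# Constructed sample: a tiny change that swaps an env lookup for literals.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_PASSWORD = "hunter22"
+AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
 DEBUG = False
"""

# Constructed sample: a small, clean change that should pass the gate.
CLEAN_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import os
 DB_PASSWORD = os.environ["DB_PASSWORD"]
+DB_TIMEOUT = int(os.environ.get("DB_TIMEOUT", "5"))
 DEBUG = False
"""

if __name__ == "__main__":
    print(report(review_diff(SAMPLE_DIFF)))
    print(report(review_diff(CLEAN_DIFF)))
```

Wired into a pull-request pipeline, a gate like this fails the build at the point where the developer can still fix the line in question, which is the "earlier is cheaper" argument the article makes; the size budget additionally nudges teams toward the small, frequent changes that make any later root-cause hunt shorter.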
But Dev and Ops don't work magically in tandem without some process changes.
"I want to talk to you about soft skills" — a request that may have once struck fear into engineers' hearts — has become a mainstay of how technology functions in an organization. Cross-organization DevOps buy-in will create a more seamless adoption process.
Security also needs to take up its true role and promote awareness and security education. Breaking down silos and bringing security teams into the developer process earlier will allow more issues to be caught before code reaches production, reducing the risk that gets released.