Engineering leaders: security is your job, too
The rise of secure DevOps has left many security professionals vying for the attention and support of their engineering counterparts. What can engineering leaders do to bridge the gap? We have four ideas to help you build security into your DevOps culture, workflows, and goals.
The beauty of the DevOps model is that two teams who have responsibility for applications — development and operations — are brought together to make the application lifecycle more agile and efficient. Both sides, which have historically remained in separate silos, are recognized as equal stakeholders in the application creation and deployment process.
Engineering now also needs to integrate security into every aspect of the DevOps cycle, from user specification to design to development to operations, and back around again. While challenges often arise as teams shift to a DevSecOps mindset, the simple reality is this: The success of the product is tied to security as well.
Engineering teams need to prioritize security as a fundamental element of software design and implementation. They need to be partners with security teams and business stakeholders, not competing for executive attention. This shift isn’t just about pushing security left, towards development, but also about incorporating security into an overall outlook more aligned with the business.
Here are four ways to make that happen.
1. Champion and educate, don't mandate
Developers do not want to write insecure code. Instead, they end up introducing vulnerabilities into their code because they don't have the right tools, or they don't have the right knowledge about vulnerabilities and secure patterns, or because engineering leaders incentivize fast development of new features without prioritizing security.
Yes, security needs to be integrated into every step of the development and deployment process. It should be woven into the fabric of the DevOps cycle, and the place to start is with people. Have security engineers partner closely with development teams. Cultivate security champions among developers. And have burn-down sessions focused on specific classes of vulnerabilities.
2. Integrate security tools in development processes
One important way to achieve rapid innovation and release goals without compromising security is by integrating security testing and tools into every stage of the DevOps cycle. Linters should check for easy-to-spot mistakes. Static analysis security testing (SAST) tools should analyze code upon commit. Applications prepped for deployment should be staged and dynamically tested. And web application firewalls should protect and monitor applications once deployed.
Engineering should regularly check in with developers and security teams to turn new security checks into automation through tooling. The only way to ensure consistent security is to integrate tests and controls into the pipeline through automation.
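As an added example (not code from the original article), here is a commit-time gate that turns SAST output into an automated pass/fail check, the kind of automation described above. It reads the SARIF 2.1.0 format that most SAST tools can emit; the report, tool name, rule ids and file paths are constructed for the example, and the `accepted` list models rules tracked in a burn-down rather than blocking the commit.

```python
"""Commit-time SAST gate: fail the pipeline when a SARIF report contains
findings at or above a chosen severity level (example, not a real tool)."""
import json
import sys

# SARIF result "level" values, ordered from least to most severe.
LEVEL_RANK = {"note": 0, "warning": 1, "error": 2}

# Constructed sample report: shape follows SARIF 2.1.0, findings are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "message": {"text": "Possible hardcoded credential"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"}, "locations": []},
        ],
    }],
})

def findings(sarif_text):
    """Flatten a SARIF document into (rule_id, level, file, line) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        for r in run.get("results", []):
            loc = (r.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append((r.get("ruleId", "?"), r.get("level", "warning"),
                        loc.get("artifactLocation", {}).get("uri", "?"),
                        loc.get("region", {}).get("startLine", 0)))
    return out

def gate(sarif_text, fail_on="error", accepted=()):
    """Return (passed, blocking_findings). Findings at or above `fail_on`
    block the commit unless their rule id is in `accepted` (burn-down list)."""
    threshold = LEVEL_RANK[fail_on]
    blocking = [f for f in findings(sarif_text)
                if LEVEL_RANK.get(f[1], 1) >= threshold and f[0] not in accepted]
    return (not blocking, blocking)

if __name__ == "__main__":  # usage: python gate.py report.sarif [error|warning]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, hits = gate(text, sys.argv[2] if len(sys.argv) > 2 else "error")
    for rule, level, path, line in hits:
        print(f"{level.upper()} {rule} at {path}:{line}")
    sys.exit(0 if ok else 1)
```

A non-zero exit status is what makes the CI system mark the commit as failed; lowering `fail_on` to `warning` over time is one way to ratchet the bar as burn-down sessions clear a class of findings.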
3. Integrate security incentives into engineering goals
Security teams that require a month, or even a week, to do security audits will slow down development—and create inevitable conflict between DevOps and security goals. To move at the speed of DevOps, security has to be integrated more seamlessly into the software development pipeline, and that is a job for engineering.
Speed is the new normal, and companies are pushing their engineering teams hard to drive digital transformation and adapt to the pandemic. Over the past year, if security was seen as a barrier to digital and mobile expansion, engineering teams had to make hard choices. While it may be tempting to prioritize code delivery over security needs, failing to embed and test security can result in vulnerabilities down the line, eventually costing the company in lost productivity, failed customer experiences, or worse.
To solve this, engineering teams need to build security incentives into their OKRs and ensure that all developers and engineers are incentivized to produce robust code and reduce vulnerabilities.
4. DevOps requires engineering flexibility
While DevOps discussions often focus on continuous integration and continuous deployment (CI/CD), DevOps teams should pay equal attention to secure development lifecycle (SDL) best practices — repeatedly collecting feedback, including reports from security products and testing, and incorporating recommendations into the next iteration of the application.
This cycle requires flexibility on the part of engineering teams: modifying processes and tools to incorporate feedback for improving application and security checks. Engineering leaders need to make sure that the DevOps infrastructure is flexible enough to handle rapid changes, creating a change approval process that focuses on reliable change and not bureaucratic approval. If the change process is too onerous, developers are not incentivized to work with engineering on security, leaving companies to run the risk that developers will work around the process.
Without a flexible and continuous testing and monitoring infrastructure, the security of code cannot be guaranteed. Developers need engineering processes that reinforce secure principles and don’t entice them to make an end run around testing and security. Because, without repeatable security checks, all the speed advantages of DevOps can be wiped out with security gaps and vulnerabilities.