DevOps is a mindset. It’s a collaborative approach that optimizes the software delivery and performance life cycle. Security is also a mindset. Bruce Schneier characterized the difference between engineering and security as the difference between thinking about how things can be made to work and thinking about how things can be made to fail. But is that true? Is security the only team looking at potential failure?
It’s in the DNA of security teams to look for weaknesses and vulnerabilities. DevOps teams work with complex applications, environments and infrastructure, all of which increase risk and can cause failure, so they too must look for where failure can occur, especially given the cost of failure or downtime. Just as there is a cost to breaches from security failures, there is a cost to production downtime. Estimates of the cost of a critical application failure run as high as $1M per hour.
If both DevOps and Security teams are concerned with preventing failures, it should be natural for them to integrate, right? It turns out that preventing failures isn’t enough to close the cultural gap between the two.
The move towards DevSecOps will require engineering teams to change their perception and begin to see the inclusion of security as a deployment enabler rather than an obstacle. It requires a change in culture – on both teams – to break down barriers and dispel the myths that have resulted in finger-pointing. From the security perspective, Mike Newborn, CISO, Navy Federal Credit Union, shared with RSA® that the cultural change “needs to really push the responsibility away from the security team and onto the development teams and other parts of the organization. As a security practitioner, our job is to equip these parts of the organization with the right knowledge and technologies and processes so that they can do what they need to do at the right speed but have guardrails in place.”
Jamie Ringstad, Director, Microsoft, views it a little differently. Jamie believes that “the IT person has to have a seat at the table when it comes to security and when it comes to minimizing risk to digitally transforming.” So, is it about security moving into DevOps or DevOps moving into security? The answer is, it’s both. Mike and Jamie agree that it’s a culture change on both sides.
There are different approaches to achieving culture change, but the biggest step an organization can take toward bringing security into the DevOps world is to ensure that both teams’ priorities align with the business priorities. Once that alignment occurs, you can move on to tackling cadence, collaboration and shifting security left. One note of caution here: the need to increase collaboration between DevOps and Security does not mean that engineers don’t already think about security, or that cybersecurity professionals aren’t interested in agility. It means that thinking about security and agility isn’t enough to achieve security and speed. It is true that most developers are not security experts, and they need to partner with those who are, or risk their software becoming the next attack vector.
Security professionals have long wanted to introduce security early in the development cycle, and DevOps provides the best opportunity to realize that goal. The two together not only streamline development but also improve security. So, if security professionals have wanted this all along, why hasn’t it already happened? Security requirements are generally identified up front but aren’t checked until the end of the development cycle. The requirements are often cumbersome and difficult for developers to implement earlier. Many security checks are tied to compliance and often can’t be tested until the software has been deployed to an end-to-end environment. All these constraints, and more, are why we are still theorizing about DevSecOps rather than implementing it.
Bringing the two together effectively requires a culture of collaboration. Everyone must understand enough of the context to ensure the software’s safety. Teams already know that making decisions is hard, but everyone has something to offer in building better – more secure – software. DevOps innovates and Security ensures trust. Bringing these two together requires developing joint measurements that everyone must meet, measurements that produce goals aligned with the organization’s goals, as mentioned earlier. The culture of collaboration is only achieved when both teams begin at the beginning together: not just shifting security left, but shifting the entire culture left.