Learning to love DevOps

Security professionals need to embrace DevOps and use it to their advantage. The DevOps Handbook offers an up to date guide for this process.

gears closeup

To be honest, I’m not falling in love with DevOps yet. DevOps doesn’t really seem to have a built in place for security, but we security professionals can’t bail out. IT has never really had a home for security. So how to make lemonade out of lemons?

I first heard the term “DevOps” while finishing Gene Kim’s book "The Phoenix Project". I had enjoyed Phoenix, especially after a stint managing information security at a large manufacturing firm. I heard that Gene was working on a new book on DevOps. But DevOps seemed to be a deep dive down into the weeds. Who would have thought it would go mainstream…an idea catching the wave of both demand and supply. The demand for more reliable systems that can keep up with customer needs and the supply of full featured cloud development and operations platforms.

DevOps did catch the wave, pulled along by its supporters’ initiatives and creativity and pushed along by the acceptance of the cloud. Google Trends still shows a healthy growth of interest as of this writing. So I had some catching up to do. The good news was that I had been a long-time believer in the application of lean manufacturing concepts to information security. So I knew the concepts behind DevOps.

For catch up, I was able to rely on Gene’s new book, "The DevOps Handbook", with collaborators Jez Humble, Patrick DeBois and John Willis. Handbook came out last October. In my mind it is a guidebook because no one reads a handbook cover to cover, like I did. Also, this field is changing so fast that handbook is really the wrong word. We need guides. If you are in information security, you may need a guide to catch up with the DevOps movement. It is likely you will be trying to adapt security to DevOps practices soon.

As I read through the book, I was trying to figure out ‘what does this mean for information security’. The real meta-message of Handbook is that the whole security field is changing faster than ever. Code rules. The old practices are going. Governance will be critical. Risk management across a diverse set of internal and external resources will be critical. Security professionals need to acquire a whole new set of skills to do the jobs of the next year and beyond. That’s the message. You can choose lemons or lemonade. To make lemonade, just add sugar and water. You can also make a lemon cake with a few more ingredients. Here are some ideas.

[ ALSO ON CSO: CSO Survival Guide: Securing DevOps ]

To begin, what is DevOps? Kim, et al give two definitions: first, the application of trusted manufacturing principles to the IT value stream; second, the logical continuation of the Agile software journey, applied to ops. I am happy with either of these. They describe principles that encompass the entire end to end SDLC process. On the other hand, security isn’t directly included in this moniker. It’s not DevSecOps or SecDevOps or DevOpsSec, or any other permutation (yes, some of these terms did pop up later). Handbook has only 32 pages (or 7% of the complete book) devoted to security. But practitioners are working on figuring out the rest of the security best practices.

There are still challenges in applying security to DevOps practices. Some of these include: overhyping DevOps; over reliance on automation tools; valuing speed over security (nothing new here); and over reliance on cloud vendors’ capabilities. Jim Manico gives a great presentation on the “Dangers of DevOps Monotheism”.

Are we relying too much on cloud vendors’ security expertise? We don’t know what is really behind the curtain. I decided to purchase one of the new Amazon branded shirts recently. Although well-made, the one I got was ¾-of an inch shorter than every other shirt I have purchased in the last 20 years. Is their measuring stick the same as everyone else’s? I sent the shirt back, but it is not so easy to send AWS back, once you have it deployed. Has any company ever successfully made men’s dress shirts and supplied computer services? Maybe they can do it. Maybe.

One of the inspiring parts of DevOps Handbook is its organization around the “Three Ways”, seminal ideas on streamlining any production process. These ideas are fast flow, feedback and organizational learning. This view of DevOps focuses on its transformative powers, not just the automation of a CI/CD pipeline and attainment of record deployments per day.

I believe this transformative message is applicable to the security program at any organization, large or small. The first step is to transform your program to align with the Dev and Ops group. The real opportunity is to then use DevOps principles to more effectively align your security program with your business customers. Spring is just around the corner.

Copyright © 2016 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.