Jul 01, 2016 By Sarah Vonnegut
Faster, predictable releases, lower development costs, and a market constantly demanding new features and products have made the ecosystem ripe for the emergence of a new way of developing software. The development world responded to those demands, bringing the DevOps movement from unknown into the mainstream. Multiple releases a day would have been unheard of 10 to 15 years ago. Today it’s the norm.
DevOps is changing the way businesses develop apps. Puppet just released its latest State of DevOps report, and the improvements made through DevOps processes is clear. The report finds that the most successful DevOps organizations deploy 200 times more often, recover 24 times faster, and have 2,555 times faster lead times than low performers. High performers also spend 22% less time on unplanned activities and going back to fix mistakes.
Perhaps more important, though, is the survey’s findings on security: The high-performing organizations spend 50% less time fixing security issues, with security testing and secure coding practices built into the organization and SDLC.
The numbers have made it crystal clear: DevOps, and shifting security to the left, transforms organizations into high-performing, well-secured powerhouses.
CAMS: Culture, Automation, Measurement, and Sharing for DevOps and Security Success
DevOps is a process for the development and testing of software that breaks down old, segmented processes in favor of combined efforts towards the common goal of deploying quality software. The term ‘DevOps’ can be a bit elusive to newbies, though.
To help break it down, Damon Edwards and John Willis coined the term CAMSto describe the core values of DevOps; The acronym stands for Culture, Automation, Measurement, and Sharing. The term is a great way to break down a hard-to-describe term in four distinct characteristics – those words – Culture, Automation, Measurement, and Sharing – they mean something to us. More than that, CAMS can help security professionals better understand DevOps and how to fit security in.
Let’s break down CAMS into what it means for DevOps – and what it means for combining DevOps and Security.
Culture
When we hear people discuss DevOps, it’s usually littered with buzzwords like continuous delivery, continuous integration and automation. And while CI/CD and automation are major parts of the DevOps movement, there’s a bigger piece of the puzzle that we don’t hear about often enough: the DevOps culture, and what it means for security.
In reality, DevOps is about the culture more than the tools. The DevOps movement is built on breaking down the silos in the organization, giving teams more responsibility over each project, instead of just their one role. The culture accepts and supports teams working together to fix broken processes, and rewards innovation.
When it comes to DevOps and security, the only way to survive is to join the movement. DevOps is bigger than security, when it comes to the numbers game. In most organizations, the number of security experts to developers is 1 to 10 or more. There’s no perfect ratio of security professionals to developers, of course, especially when developers are partially responsible for their own codes security, but it’s impossible to enforce outdated, slow security processes when the majority of the organization is moving much, much faster.
So, like it or not, DevOps and security must be a match made in heaven – if only for the sake of the survival of a security program amidst a wildly changing ecosystem. If you haven’t designed a plan for a DevOps change in your own organization, whether it’s evolved or not, is essential – you don’t want to fall behind before you’ve ever caught up. Getting management to understand the new risks DevOps brings to the board – and having a strong application security program to cover those risks – is the first essential part of joining DevOps and security together.
Once you have the backing of the board, the next step is fostering the relationship with development and operations teams, sitting in on their planning meetings and offering your advice on security considerations and how security processes can better fit into the SDLC.
Automation
Integrating security into the development lifecycle should be a cornerstone of any application security program, but that’s not always the case. When it comes to an organization working in DevOps mode, early integration of security testing and security bug tracking is a must. And to move at DevOps speed, automating security testing is the only way to succeed. Manual configurations and pen-testing just aren’t scalable at a reasonable price, and while secure code reviews are still important, they can’t be done 10 to 100 times a day on tiny bits of code.
It’s clear why automating security testing and integrating security solutions with developer tools is a key to a healthy application security program in a DevOps environment. Automation not only enables the business incentives like lightening-speed releases and better productivity; automation, per the DevOps dictionary, “is used not just to save time, but also prevent defects, create consistency, and enable self-service.”
Measurement
Measuring the quality of software has been a tough aspect of the SDLC to pin down. Analytics tools can offer up all the data in the world, but truly measuring how ‘good’ an application is is tricky ground. DevOps vastly improves visibility into the processes and development lifecycle, enabling anyone to know what’s going on at any point.
DevOps metrics are drawn mostly from the automated tools, derived into a central dashboard that makes visibility that much easier. Making sure security metrics are visible there is a key to the success of DevOps and Security. Ensure your tools track individual and overall security vulnerabilities introduced in a build, the time it takes to detect them, and the time it takes to remediate.
The Puppet survey results say it well: “By automating these activities, we can generate evidence on demand to demonstrate that our controls are operating effectively, whether to auditors, assessors, or anyone else working in our value stream.” Having a constant grasp on the security standing of a build, project, and the organization as a whole is essential for a true DevSecOps environment.
Sharing
Collaboration between teams is another DevOps essential, and the security team must be a part of the communication stream. Finding common ground on the challenges each team faces is a key to success, and by the security team listening to the pain points of the other teams and helping find ways to improve security processes, the rest of the organization will be more inclined to take more responsibility when it comes to application security. When people in the organization have a wider view than their own role – accomplished through sharing information, tools, practices, etc. – collective ownership will start to take over.