Skip to content

How to Integrate Security into DevOps

Good DevOps practices ensure that the same code bundle can be deployed into multiple environments and environment-specific elements can be automatically injected from outside the code bundles themselves.” -Bernard Golden, Author and CEO of Navica

Golden describes just one example of how DevOps delivers significant improvements in development speed and agility. By increasing cooperation between IT engineers and developers, DevOps streamlines workflows across a software project. This has made DevOps a popular approach for many IT leaders.

However, with all of this increased speed it is easy to view security concerns as inhibitors to DevOps agility. After all, if your developers are nailing their deadlines and your IT engineers are creating rock-solid environments for your software, why would you want worries about security to slow down your incredible progress? As the CommitStrip below amusingly points out, security doesn’t seem like a major concern until something goes wrong. And then, it may be too late to stop the issue from bringing down the entire application or system.

SecDevOps means you don't make security an afterthought.
SecDevOps means you don’t make security an afterthought.

Question: When Should You Integrate Security into DevOps?

Answer: Yesterday.

Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’” -Gartner 2016 report  

It is not enough to add on patchwork security protocols or systems just before deployment. Nor can you simply recruit a security expert to check your developers’ code as they work. To truly integrate security throughout your workflows, you need to ensure your developers are a transparent part of the security process. In short, stay true to the collaborative spirit of DevOps.

This is not easy. Modern security infrastructure has lagged in its ability to become “software defined” and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way. In addition, because developers often download and use open-source components and frameworks, modern applications are largely  “assembled,” rather than developed from scratch. This creates application security issues as many of these open-source additions are vulnerable to cyberattack.

SecDevOps Training, Tools, and Best Practices

So how can you stay true to the collaborative vision of DevOps as you weave security into your development processes? Information security architects should take the lead by adopting the following tactics to create a strategic SecDevOps approach:

  • Start with secure development and training. This does not mean you need to force your developers to become security experts or adapt an entirely new set of tools, but introducing the right secure practices can safeguard your software. For example, you should create deployment pipelines that allow for controlled code pushes into the production environment; by using Red/Black deployments, you can transition to the updated code running on the new infrastructure with zero impact to sessions, transactions, or the user experience. When scanning platforms, the Nessus product, from Tenable Security, can improve security without impacting your workflow.
  • Embrace the concept of people-centric security. Beyond training, this means empowering developers to take personal responsibility for security by encouraging a “trust and verify” mindset. Note that monitoring your systems is still important, but you need every team member to take ownership.
  • Require all information security platforms to expose full functionality via APIs for automatability. By automating regular code tests, you help ensure your software will be secure without demanding more effort from your team.
  • Use proven version control practices and tools for all application software and, equally as important, for all scripts, templates and blueprints used in DevOps environments. A GIT branching model is also helpful while writing code.
  • Adopt an immutable infrastructure mindset. Rather than focusing on maintaining and improving, your data center’s individual machine uptime, an immutable infrastructure relies on API-driven infrastructure-as-code. This improves flexibility by letting you lock down and change production systems via development.

Learn More about SecDevOps Training

This is only an introduction for how you can integrate a security mindset into your DevOps practices. If you’d like to learn more about best practices and tools to secure your applications and systems during development, contact our security team here at Atlantic BT. We know all of the ins and outs necessary to guide you to confidence and safety. 

With these best practices and more, you will be well on your way to delivering secure-by-design software that integrates effectively with your chosen platforms.

The Atlantic BT Manifesto

The Ultimate Guide To Planning A Complex Web Project


Atlantic BT's Insights

We’re sharing the latest concepts in tech, design, and software development. Learn more about our findings.

Questions & Answers

What is the best web development framework?
Many people commonly ask “what is a framework in web development?” Web development frameworks can easily be confused with web development tools, languages, or parts of the web development stack (like .NET, PHP, JavaScript, or Ruby).
Learn More about What is the best web development framework?
What is the best programming language for web development?
If there was one “best” programming language, then everything else would be obsolete. The reality is that there are so many different programming languages because there is no “best” language for any situation.
Learn More about What is the best programming language for web development?
How much does web development cost?
Web development can vary from a few hundred to millions of dollars depending on what is needed. You may simply need some changes to something that already exists, or you'd like to build a large or complex application.
Learn More about How much does web development cost?
What is the best way to become a web developer?
We get lots of questions from university students working on projects -- How do I get into web development? How long does it take to learn? How much do web developers make?
Learn More about What is the best way to become a web developer?
What is front end vs. back end development?
As web development evolved, it separated into logical specialization: front end web development and back end development. While back end development involves the server-side development, front end is the final rendering.
Learn More about What is front end vs. back end development?
What is full stack web development?
Full stack web development as a term evolved due to the separation of roles between front end and back end developers. A “full stack” developer is a developer that can work in both front end and back end technologies.
Learn More about What is full stack web development?
How can I improve the performance of my application?
There are several primary reasons that applications perform poorly, and in some cases it’s a combination of several. 1) Data latency: If your application is making calls to a data source (whether it’s an API or a direct call) and there is latency at the data provider, your application performance will suffer.
Learn More about How can I improve the performance of my application?