Skip to content
Article

How to Integrate Security into DevOps

Good DevOps practices ensure that the same code bundle can be deployed into multiple environments and environment-specific elements can be automatically injected from outside the code bundles themselves.” -Bernard Golden, Author and CEO of Navica

Golden describes just one example of how DevOps delivers significant improvements in development speed and agility. By increasing cooperation between IT engineers and developers, DevOps streamlines workflows across a software project. This has made DevOps a popular approach for many IT leaders.

However, with all of this increased speed it is easy to view security concerns as inhibitors to DevOps agility. After all, if your developers are nailing their deadlines and your IT engineers are creating rock-solid environments for your software, why would you want worries about security to slow down your incredible progress? As the CommitStrip below amusingly points out, security doesn’t seem like a major concern until something goes wrong. And then, it may be too late to stop the issue from bringing down the entire application or system.

SecDevOps means you don't make security an afterthought.
SecDevOps means you don’t make security an afterthought.

Question: When Should You Integrate Security into DevOps?

Answer: Yesterday.

Information security architects must integrate security at multiple points into DevOps workflows in a collaborative way that is largely transparent to developers, and preserves the teamwork, agility and speed of DevOps and agile development environments, delivering ‘DevSecOps.’” -Gartner 2016 report  

It is not enough to add on patchwork security protocols or systems just before deployment. Nor can you simply recruit a security expert to check your developers’ code as they work. To truly integrate security throughout your workflows, you need to ensure your developers are a transparent part of the security process. In short, stay true to the collaborative spirit of DevOps.

This is not easy. Modern security infrastructure has lagged in its ability to become “software defined” and programmable, making it difficult to integrate security controls into DevOps-style workflows in an automated, transparent way. In addition, because developers often download and use open-source components and frameworks, modern applications are largely  “assembled,” rather than developed from scratch. This creates application security issues as many of these open-source additions are vulnerable to cyberattack.

SecDevOps Training, Tools, and Best Practices

So how can you stay true to the collaborative vision of DevOps as you weave security into your development processes? Information security architects should take the lead by adopting the following tactics to create a strategic SecDevOps approach:

  • Start with secure development and training. This does not mean you need to force your developers to become security experts or adapt an entirely new set of tools, but introducing the right secure practices can safeguard your software. For example, you should create deployment pipelines that allow for controlled code pushes into the production environment; by using Red/Black deployments, you can transition to the updated code running on the new infrastructure with zero impact to sessions, transactions, or the user experience. When scanning platforms, the Nessus product, from Tenable Security, can improve security without impacting your workflow.
  • Embrace the concept of people-centric security. Beyond training, this means empowering developers to take personal responsibility for security by encouraging a “trust and verify” mindset. Note that monitoring your systems is still important, but you need every team member to take ownership.
  • Require all information security platforms to expose full functionality via APIs for automatability. By automating regular code tests, you help ensure your software will be secure without demanding more effort from your team.
  • Use proven version control practices and tools for all application software and, equally as important, for all scripts, templates and blueprints used in DevOps environments. A GIT branching model is also helpful while writing code.
  • Adopt an immutable infrastructure mindset. Rather than focusing on maintaining and improving, your data center’s individual machine uptime, an immutable infrastructure relies on API-driven infrastructure-as-code. This improves flexibility by letting you lock down and change production systems via development.

Learn More about SecDevOps Training

This is only an introduction for how you can integrate a security mindset into your DevOps practices. If you’d like to learn more about best practices and tools to secure your applications and systems during development, contact our security team here at Atlantic BT. We know all of the ins and outs necessary to guide you to confidence and safety. 

With these best practices and more, you will be well on your way to delivering secure-by-design software that integrates effectively with your chosen platforms.

The Atlantic BT Manifesto

The Ultimate Guide To Planning A Complex Web Project

Insights

Atlantic BT's Insights

We’re sharing the latest concepts in tech, design, and software development. Learn more about our findings.

Questions & Answers

How much does custom eCommerce cost?

A custom eCommerce store could cost anywhere from $12,000/year to millions. Variable factors include the amount of custom features, the complexity of design, setup investments, training, and maintenance. Check out how to determine the cost of a custom eCommerce store.

Learn More about How much does custom eCommerce cost?
What is the best web development framework?
Many people commonly ask “what is a framework in web development?” Web development frameworks can easily be confused with web development tools, languages, or parts of the web development stack (like .NET, PHP, JavaScript, or Ruby).
Learn More about What is the best web development framework?
What is the best programming language for web development?
If there was one “best” programming language, then everything else would be obsolete. The reality is that there are so many different programming languages because there is no “best” language for any situation.
Learn More about What is the best programming language for web development?
How much does web development cost?
Web development can vary from a few hundred to millions of dollars depending on what is needed. You may simply need some changes to something that already exists, or you'd like to build a large or complex application.
Learn More about How much does web development cost?
What is web design and development?
People often lump web design and development together, so what's the difference? As the Internet has evolved, the skills required to produce a high quality website or web application have changed.
Learn More about What is web design and development?
What is JavaScript used for in web development?
Historically speaking, JavaScript was only commonly but sparingly used in web development. The multiple browsers in use at the time each supported different versions of JavaScript and were slow to render more complex Javascript.
Learn More about What is JavaScript used for in web development?
What is React web development?
React is a popular JavaScript library. It is primarily used for building interactive user interfaces (UI).
Learn More about What is React web development?