Agile security is essential to any business developing software, but the opinions over how and when security should be integrated into the DevOps cycle vary greatly. Of course, it’s always a good idea to bake security into your plans from the start rather than bolting it on at the end, but there are often barriers to doing so depending on the cohesion between the DevOps and Security teams.
In a CloudPassage survey from the 2016 RSA conference, 58 percent of respondents said their company brings in security during the design stage of the product lifecycle, but only 50 percent of respondents believe that security is capable of keeping pace with accelerated release cycles. The key difficulties in employing security in the DevOps cycle include inflexible security tools, a lack of understanding as to where cloud vendors’ concerns end, in regards to the Shared Responsibility model, and the worry that security teams will slow the DevOps process.
Despite these concerns, in order to ensure secure and timely deployments, it is essential to integrate security into the DevOps cycle as early as possible. One of the biggest obstacles security organizations currently face is a lack of available talent to execute security integration. Few experienced engineers outside of independent software companies have had the opportunity to observe the benefits of early security integration in a product lifecycle. As a result, few DevOps teams have a detailed understanding of the “why” behind security best practices. More education is necessary in order to equip engineers with the necessary tools for proper security integration.
As businesses continue to emphasize continuous testing, DevOps teams will increasingly find they have no choice but to identify and fix security concerns early and often, regardless of their talent’s experience level. This practice will not only solve existing bugs, but help security professionals recognize future sources of potential problems — granting visibility into a product’s overall security posture and boosting understanding of the benefits of integrating security early in the design stage.
The practice of early security integration is not just a nice idea in theory. Those who put it into practice will reap tangible benefits. Nearly all DevOps teams agree that continuous software development is no longer an option, but a requirement of doing business. Continuous security testing gives teams an opportunity to fail fast while learning and adapting quickly. Recognizing a problem early in the development cycle allows organizations to contain and repair a tiny issue on the go, rather than being forced to halt the entire operation in order to fix a big issue later. This accelerates a product’s evolution, as well as its stability and usability. Every engineer understands that there will always be bugs, but continuous testing leads to continuous improvement.