DevOps is one of the hottest trends in software development. It's all about helping businesses achieve Agile service delivery – that is, moving applications from development to test to deployment as quickly as possible.
Fast application deployment may seem at odds with robust security practices, which often take a go-slow approach to new or changed applications in order to verify that the applications are safe before letting them touch live data or business networks — or be exposed to the Internet or customers.
Fortunately, there's nothing inherently risky or dangerous about DevOps and Agile service delivery, as long as the right security policies are created and followed, and if automation eliminates unnecessary delay in ensuring compliance.
What's this "DevOps" thing?
DevOps, or Developer Operations, is a mashup of two trends, that of applying agile software development methodologies to administrative IT operations, and of improving the historically poor collaboration between developers and IT staff. The DevOps movement recognizes that we're past the era where developers work in one silo to write software and throw it over the wall to another silo where administrators manage the application. In the DevOps model, everyone works together for the complete software lifecycle, from conception to design, from coding to testing, from implementation to management, from enhancement to migration, and finally from replacement to decommissioning.
In practice, DevOps is frequently used to specifically refer to the operations side of applications management – in other words, everyone except the software architects, designers, programmers, and testers. That's how we'll use DevOps here, to refer to the non-developer functions of the application lifecycle, including security management.
Here's a good primer on DevOps: "3 keys to getting started with devops," by Brandon Butler. And here's a good riff on its challenges: "Why everyone hates DevOps," by Fredric Paul.
DevOps is often associated with the cloud, but it applies to non-cloud activities as well. Certainly, the rise of DevOps coincided with the popularity of cloud-based PaaS (Platform as a service) and IaaS (infrastructure as a service), because traditional IT teams were not required to manage development and deployment services on, say, Amazon Web Services or Microsoft Azure. However, there is nothing inherent in DevOps that can't apply to applications developed, tested, and deployed in a traditional data center.
Set up the environments
In the old days, everything was slow. Traditional app deployment processes were lengthy and process-driven. A human-driven security review before every release fit into those processes. By contrast, DevOps is an agile process with the goal of iterating software feature enhancements and builds quickly. Part of that agility comes from automating the deployment of those apps by development operations staff.
Do the security review during the dev process
Make sure that those environments are locked down tight – and that developers don't have the keys, even to their dev environment. If they want to give applications and servers access to resources, like those on-premises databases or cloud-based APIs, they need to document those requests and submit them for a security review. That means working with the enterprise data security team to document and validate APIs and URIs, local IP address and ports, and so-on.
Application deployment now doesn't need a security review
By definition, if the security review of network resources and pathways takes place during the development process, then it should be good for the deployment. This requires the IT security team to take the security review seriously, looking at everything: hacks coming in, data leakage coming out, compliance with HIPAA and PCI, and so on. Sure, that's not strictly necessary during dev, but if the security review is performed thoroughly the first time, it shouldn't need to be done a second time.
Four key steps to enabling secure DevOps
Developers want to code at the speed of light, and DevOps wants to support the rapid creation, testing, and deployment of code. It doesn't matter whether the dev, test, and deployment environments are in the cloud. The secret to securing agile service delivery with DevOps is to:
- Configure the dev, test, and deployment environments identically.
- Perform all vital connectivity security reviews during the development process.
- Make proactive changes to all three environments as needed.
- Make sure that only the IT security team can adjust network connectivity, VLAN and firewall.
Follow all those steps, and DevOps is fast, safe, and secure.
