If you think of DevOps as failing fast – as Facebook used to put it, “move fast and break things” – then you might also think of rapid releases, automation and continuous integration and deployment as giving you less time to find security problems. After all, you’re changing code, updating features and adding new capabilities more rapidly. That means more chances to introduce bugs or miss vulnerabilities.
2016 is set to be the year DevOps goes mainstream: Gartner predicts 25 percent of Global 2000 businesses will be using DevOps techniques this year, and HP Enterprise is even bolder, claiming that “within five years, DevOps will be the norm when it comes to software development.” Does that mean security problems waiting to happen?
Craig Miller, who’s helped move Microsoft’s Bing search engine to continuous deployment (the service now updates four or five times a day), doesn’t believe that’s necessarily true. “The classic response is faster means maybe lower quality or something might get through the process and I don’t think that's true at all,” says Miller. “CD, if you do it right, provides all the auditing you need to actually be confident in the software you push out. You have to make sure your software is high quality and I think security is a subset of quality.”
Forrester analyst Kurt Bittner agrees. “There’s a perception that with DevOps, speed is achieved by cutting corners and skipping important steps, that it’s uncontrolled,” says Bittner. “The exact opposite is true; it’s a very controlled, very structured environment. Doing DevOps right gives you higher quality, better visibility and speed, as opposed to achieving speed by cutting corners.”
That ought to be better for security, but only if continuous integration and continuous deployment are matched with continuous security and monitoring.
The key is the centralized, standardized delivery pipeline that’s a necessary, foundational piece for DevOps, says Bittner. “You get visibility into what's being built and you get the opportunity to inject various kinds of activities; which might be code scanning, or it might be peer reviews, various kinds of security related testing, control over the environment and having the correct settings.”
Testing is not optional
Miller is uncompromising about the importance of automating testing. “I think the biggest failure for a lot of companies is that they allow failures in test. We have no tolerance at all for failures.” That might mean changing your tools as well as your development practices, he warns. “The Web security toolset we used was not very scalable; it was an app that somebody ran every week. We’re not going to accept a tool I have to have someone run for me. If it can’t be automated, I think there’s a problem with the design.”
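What Bittner’s “inject activities into the pipeline” and Miller’s “no tolerance for failures in test” look like in practice is a scan step that runs unattended on every build and turns findings into a hard job failure. The script below is an added illustration, not code from Bing, Microsoft or Forrester; the findings file format (one tab-separated finding per line) and the sample findings are constructed for the example, and a real scanner’s output would be parsed in place of them.

```shell
#!/bin/sh
# Added example: a CI security gate that fails the build when a scanner reports
# findings at or above a severity threshold. Nobody has to "run the tool";
# the pipeline runs it on every commit and the exit status decides the build.

# Constructed sample scanner output for offline use:
# "SEVERITY<TAB>rule-id<TAB>file:line" per line (hypothetical format).
write_sample_findings() {
  cat > "$1" <<'EOF'
HIGH	sql-injection	app/db.py:42
MEDIUM	weak-hash	app/auth.py:17
LOW	debug-enabled	config/settings.py:3
EOF
}

# Map a severity label to a rank so thresholds can be compared numerically.
sev_rank() {
  case "$1" in
    HIGH)   echo 3 ;;
    MEDIUM) echo 2 ;;
    LOW)    echo 1 ;;
    *)      echo 0 ;;   # unknown labels never block by themselves
  esac
}

# security_gate FINDINGS_FILE THRESHOLD
# Returns 0 when no finding is at or above THRESHOLD (LOW, MEDIUM or HIGH),
# 1 otherwise. A non-zero return is what makes the CI job fail.
security_gate() {
  findings="$1"
  threshold="$2"
  threshold_rank=$(sev_rank "$threshold")
  blocking=0
  while IFS="$(printf '\t')" read -r sev rule loc; do
    [ -z "$sev" ] && continue            # skip blank lines
    if [ "$(sev_rank "$sev")" -ge "$threshold_rank" ]; then
      echo "BLOCKING: $sev $rule at $loc" >&2
      blocking=$((blocking + 1))
    fi
  done < "$findings"
  if [ "$blocking" -gt 0 ]; then
    echo "security gate FAILED: $blocking finding(s) at or above $threshold" >&2
    return 1
  fi
  echo "security gate passed (nothing at or above $threshold)" >&2
  return 0
}

# Pipeline-style step on the constructed sample: a real job would invoke the
# scanner here and hand its output file to security_gate.
demo() {
  f=$(mktemp)
  write_sample_findings "$f"
  security_gate "$f" HIGH
  status=$?
  rm -f "$f"
  return $status
}
```

In a pipeline the step is simply `security_gate scanner-output.txt HIGH`; because the job inherits the non-zero exit status, a HIGH finding blocks the deploy without any human in the loop, which is the property Miller is describing. Lowering the threshold to MEDIUM or LOW tightens the gate over time without changing the step itself.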