DeMartine believes that DevOps, done properly, should always include security; ironically, the reason many teams leave it out is itself part of the problem DevOps sets out to solve.
“I think the reason many companies start DevOps and forget the security folks, is that it's yet another cultural divide,” says DeMartine. “Security people speak a totally different language – breaches, incidents, vulnerabilities and exposures – and everyone puts them at the very end of the development lifecycle, if they’re remembered at all.”
Building compliance and security checklists into the DevOps process stops the security review becoming a bottleneck at the end of the CD pipeline, as well as raising overall quality.
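As an added illustration of what building the checklist into the pipeline can look like in practice (example code written for this edit, not from the article or from anyone quoted in it): a small gate stage that runs three checklist items over the build's artefacts and fails the build if any item fails, so the findings reach the developer in the same run rather than in a review weeks later. The file contents are constructed samples, and the check names are assumptions chosen for the example.

```python
"""Security checklist gate for a CD pipeline stage (added example, not from the article)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str    # which checklist item failed
    detail: str   # what was found, for the pipeline log


def check_pinned_dependencies(requirements: str) -> list[Finding]:
    """Every dependency must be pinned to an exact version (reproducible, reviewable builds)."""
    findings = []
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if line and "==" not in line:
            findings.append(Finding("pinned-dependencies", f"unpinned requirement: {line}"))
    return findings


def check_dockerfile_non_root(dockerfile: str) -> list[Finding]:
    """The image must switch to a non-root user before its CMD/ENTRYPOINT runs."""
    for raw in dockerfile.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 2 and parts[0].upper() == "USER" and parts[1] not in ("root", "0"):
            return []
    return [Finding("non-root-container", "no USER instruction; container would run as root")]


# Credential-like assignments such as "api_key=..." or "password: ...".
SECRET_PATTERN = re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\s*[=:]\s*\S+")


def check_no_plaintext_secrets(config: str) -> list[Finding]:
    """Credentials belong in a secret store, not in committed configuration."""
    return [
        Finding("no-plaintext-secrets", f"credential-like assignment on line {lineno}")
        for lineno, raw in enumerate(config.splitlines(), start=1)
        if SECRET_PATTERN.search(raw)
    ]


def run_gate(requirements: str, dockerfile: str, config: str) -> tuple[bool, list[Finding]]:
    """Run every checklist item; the stage passes only when there are no findings."""
    findings = (
        check_pinned_dependencies(requirements)
        + check_dockerfile_non_root(dockerfile)
        + check_no_plaintext_secrets(config)
    )
    return (not findings, findings)


# Constructed sample artefacts: a build that should fail the gate...
SAMPLE_REQUIREMENTS = "requests==2.31.0\nflask>=2.0\npyyaml\n"
SAMPLE_DOCKERFILE = 'FROM python:3.12-slim\nCOPY . /app\nCMD ["python", "/app/main.py"]\n'
SAMPLE_CONFIG = "db_host=db.internal\napi_key=EXAMPLE-NOT-A-REAL-KEY-0123456789\n"

# ...and the same build after the developer addressed each finding.
HARDENED_REQUIREMENTS = "requests==2.31.0\nflask==3.0.0\npyyaml==6.0.1\n"
HARDENED_DOCKERFILE = (
    "FROM python:3.12-slim\nRUN useradd -r app\nCOPY . /app\n"
    'USER app\nCMD ["python", "/app/main.py"]\n'
)
HARDENED_CONFIG = "db_host=db.internal\nlog_level=info\n"


if __name__ == "__main__":
    for label, artefacts in (("before", (SAMPLE_REQUIREMENTS, SAMPLE_DOCKERFILE, SAMPLE_CONFIG)),
                             ("after", (HARDENED_REQUIREMENTS, HARDENED_DOCKERFILE, HARDENED_CONFIG))):
        passed, findings = run_gate(*artefacts)
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print(f"  [{f.check}] {f.detail}")
```

In a real pipeline this script would run as its own stage with a non-zero exit code on failure, and each check would typically be replaced by the organisation's scanner of choice; the point is that the checklist is executable and runs on every commit, not that these three checks are exhaustive.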
Security teams need “a total mind-shift” to make this work, DeMartine warns. “It’s like the fear of operations that ‘you’re going to make all those changes and you are going to break my environment that’s stuck together with chewing gum and duct tape.’ They have to overcome that fear like operations did. It’s going to be uncomfortable for them, but they’ll get benefits at the end.”
Examples from developers and operations teams of what DevOps has already improved will help that mind-shift, but Bittner cautions, “When we ask a lot of developer teams who have effective continuous integration practices how they engage with their security counterparts, they say they're not ready to have that conversation yet.”
This is ultimately part of the culture change that has to happen as part of DevOps. “The way we're all working today isn't working; it’s not the most effective way. We've set up arbitrary boundaries in orgs between operations, development and security that shouldn't really exist,” says Bittner. “It’s about getting everyone to accept that other teams aren’t the enemy; they’re ultimately trying to do the same thing – they all want the customer to be successful and have good customer experiences.”
CIOs should be prepared for how difficult a change this can be, warns Microsoft’s Miller. “The CIO is going to take heat. This change is a tough one; if you're in the old world and you have custom systems and manual testing, there are going to be problems and you’ve got to be ready. It does demand a certain amount of courage to do CD properly; you might have to rethink your leadership. You certainly have to rethink your process, you have to rethink your expectation from delivery. It's not a trivial path but the payoff is ridiculous. If you’re not doing it, you're risking your business, is the way I look at it now.”
Or as Russinovich somewhat more bluntly puts it, “DevOps is coming; it has to have security. Just deal with it.”