SecDevOps — No agility without security

The concept of DevOps and agility is nothing new for most companies and developers circling the sun. The most well known frameworks (e.g. Scrum, XP etc.) are applied in many development teams and lead to a number of benefits for teams, companies and customers. Evidence shows that agile methods cause better performances in comparison to the outdated waterfall method. For many companies the outdated waterfall method is the largest contributor to project failure. Another problem with traditional step-by-step programming is that products do not exactly meet the demand of customers and need to be redesigned which takes time and costs money. Through DevOps, development teams work closely with the customer and need to adjust fewer things at the end of the project.

Concluding, we have put together four major benefits from using DevOps:

1. Adaptability: With shorter development cycles, software engineers have the possibility to make changes to the product at much later stages of the process than with traditional methods. And through continuous testing and verification, progress can be deployed earlier.
2. Collaboration: Through agile methods (e.g. Scrum) developers are forced to work together more closely since they report to the Scrum-Master and Product-Owner every 24 hours. This leads to lower communication barriers and better, more frequent knowledge exchange.
3. Transparency: In the waterfall-method, customers only get to see the product, once it’s finished. Through agile methods customers can engage in the process and share feedback after every new development cycle. Additionally the Scrum-Master has a higher knowledge of the project status since update meetings happen much more frequently.
4. Efficiency: DevOps enables development teams to figure out existing problems at a much earlier stage of the project since new feature are implemented shortly after their creation. Companies can save time and money that way. Additionally they create more value for the customers strengthening their competitive advantage in the long run.

…but, DevOps bears a risk:

The goal of DevOps is to create and integrate more features in a shorter period of time. The risk that comes with this agility is, that security testing of new versions is only applied at the end of the project or after major releases. Since testing takes time and resources, developers often do not write their own security tests for the software. That is why many companies release new versions of the software without prior security testing. Especially in the area of web applications, these untested versions become a prime target for hackers. This lack of continuity in security contributes to the 30,000 websites that are hacked every day.

Now the question arises: How can companies leverage the potential of DevOps while also creating secure software?

Trade Off between Security and Agility (?)

On the one hand, higher agility leads to higher speed of production and more features in a shorter period of time. However, this might lead to complexity — the enemy of security. On the other hand, security is necessary to protect a business but takes time to implement — which is the enemy of agility. So how are companies able to combine the two? We would like to share a few practices to consider, when integrating security and agility to create SecDevOps.

• Security shouldn’t be seen as an additional layer that is put upon DevOps after every deployment but rather as a continuous practice that needs to be thought of from the very beginning of every development cycle.
• Development teams need to reconsider existing processes and practices. Every application or tool needs to be thoroughly checked whether it has a negative impact on the companies security. Perhaps additional tools need to be implemented to monitor the security status of a project.
• In order to fully implement security into every corner of the company, Executives have to make sure that a “Security Culture” is lived in every department of the organization.
• As it is neither sufficient to solely think of security in the beginning or the end of a development cycle, developers need to have it in the back of their mind at every point in time. This can be quite exhausting if there are multiple projects to handle and the security needs to be checked manually. A simple solution is the implementation of an automated security testing tool. The Crashtest Security Suite offers an automated security scanner that continuously checks an application after every deployment to the test system. That way, developers can concentrate on creating the features that actually create business value.

Benefits from IT security

We have already shown, how companies can protect what they created using DevOps. Additionally to the support that comes with security there are a few aspects that are only possible through the integration of SecDevOps. Below, we have put together three major benefits from implementing IT security.

1. Enhanced Productivity: With an integrated security framework, developers are enabled to work more efficiently. Every iteration of the product is secured and there has to be no worry spend on security once the project is close to being finished. Additionally if the entire IT infrastructure is save, developers can work from anywhere with their own computer without a concern, that a single computer can lead to a hacking attack (e.g. by entering a public Wi-Fi).
2. Data Protection: After the employees, data is the most valuable asset for any company. Data is what leads to customer insights and higher business value. Losing access to business data (e.g. through a ransomware attack) can lead to decreasing productivity or even a freeze of the entire IT infrastructure (as with the example of Sony) and it might lead to direct costs since most companies decide to pay the ransom. A loss of customer data can be even worse since a lack of customer trust has a high impact on sales in the long run.
3. Cost savings: The benefits above already lead to (in-)direct cost savings. Additionally implementing IT security saves money since the cost of fixing a vulnerability is ten times higher, than the cost of securing the application in an earlier stage. As 2018 brought up the GDPR standards, companies also have to be compliant to the regulation in order to avoid high penalties and the public exposure of vulnerabilities that (probably) lead to decreasing sales.

If following the suggestions above companies can enhance productivity and business value by implementing SecDevOps. Read in our WhitePaper, how your company can quickly implement these other efficient security best practices!