What DevOps means for Software Security

Asankhaya Sharma, SourceClear
5 min read, Jul 6, 2017


In this post, I explore the landscape of security in a DevOps world, critique existing approaches like DevSecOps, and offer best practices for fitting security into a modern DevOps world.

Over the past few years, the rise of the DevOps movement has led to a significant increase in developer productivity and accelerated the pace of software delivery. Automation plays a big role in modern DevOps-based software development. In fact, it is the automation of testing and deployment that has enabled companies to ship multiple releases a day, compared to the days when releasing once a week was considered agile development.

DevOps combines elements from multiple disciplines, including engineering, QA and operations, to define a new paradigm for building software. What does it mean for software security? Unfortunately, most people don’t have a clue and are still trying to shoehorn old security practices into the new DevOps model, coming up with cute-sounding names like DevSecOps that are ill-defined and vague. Some more enlightened folks are trying to come up with big-bang frameworks (similar to the SDLC of yesteryear) to incorporate security into DevOps. The SDLC itself is fundamentally different from DevOps, as it treats security as gatekeeping between the different phases of software development.


Asankhaya Sharma is a cyber security expert and technology leader with over a decade of experience creating security products for industry, academia and the open-source community.