Achieving an ideal organizational network means seamless development, operations, and security. Knowing and achieving that, however, is a great challenge. A report showed that successfully securing software depends on how mature an organization’s DevOps is. This finding was echoed by the 2019 State of DevOps Report, which revealed that 22% of the organizations with the most sophisticated security integration also have the most mature DevOps teams.

While most DevOps team members believe they need to produce secure software, only a few developers take this to heart. The report also noted that developers, operations staff, and security experts understand that they need to work together, but may face some difficulties.

Issues Between DevOps and IT Security Teams

Differences in Processes

One of the main reasons why IT security staff have difficulty working with DevOps engineers is that they employ different processes to achieve their goals. A DevOps team aims to develop processes and applications at the quickest time possible. It must act fast so they can better address changes in the market, customer needs, and business goals. In fact, a DevOps team’s backbone is to create a continuous delivery (CD)/continuous integration (CI) pipeline.

The speed at which DevOps practitioners work often leaves security teams reactive and flat-footed. Developers process and modify a massive number of codes over limited time frames, usually in only hours and days. These outpace the speed at which security teams can keep up.

On the other hand, an IT security team’s primary goal is to integrate security early on in the process rather than retrofitting it later on. To achieve this, they have to slow down and dissect data with high accuracy. This misalignment can result in insecure code, misconfigurations, and other security weaknesses that attackers can exploit.

Segmentation of Responsibilities

The security team is often at odds with the DevOps team because the latter may resist security and testing. A DevOps team may even end up seeing security as a “hurdle” that pushes back its development process and timeline. It fails to see that applying retroactive security is more time-consuming.

Sources of Data

Often, the DevOps team relies on open-source and immature tools to help them develop their applications, and this exposes them to security threats and risks. Simple coding errors can lead to gaping security holes, which can result in noncompliance issues.

How Can Security Be Integrated into DevOps

The easiest remedy to make the DevOps and security teams work together is to incorporate security tools and strategies into the applications the former produces. This integration can be done in three ways:

Automation

To speed up processes, security teams can automate threat detection enabled by readily available APIs. Much like DevOps engineers use open-source and commercially available APIs to speed up their development process, security experts can follow their example. They can, for instance, enable automated domain reputation checking to make sure that anyone in their network won’t access unsafe sites. For that, they can integrate a domain reputation API into the programs the DevOps team produces so these would proactively block access to websites with a predefined reputation score.

Privileged Access Management

Limiting privilege access rights can help prevent attacks. In this case, security experts can opt to enable the DevOps team’s software to filter unauthorized IP addresses from gaining access to systems connected to and data stored within the network. The simple integration of an IP geolocation API into DevOps-created programs won’t take time while only allowing pre-identified IP addresses privileged access to network resources.

Security in Mind

DevOps staff members need to be reminded of the importance of building with security in mind. Recent reports say that applications can have an average of six open, serious vulnerabilities that can cause organizations grief. Those in DevOps surely don’t want to be blamed for contributing to the success of a cyber attack against their companies.

Also, DevOps staff may not have sufficient IT security know-how. With that in mind, they can be educated on and convinced to integrate threat detection platforms into the applications they create from the onset. Like most of the APIs they use, this should ensure some level of security without hampering their development process.

* * *

Integrating security into development and operation processes can help organizations operate at a much more productive rate as they can respond to market demands while ensuring their own and their customers’ safety against cyber attacks. That would only work, however, if their DevOps teams see security as a shared responsibility.