Why DevOps Needs Security

DevOps done right must include an information security component. Countless surveys, studies and presentations continue to demonstrate the value of DevOps. I recognize that the road to DevOps is tough for some organizations. Dealing with cultural changes and new sets of tools and processes can easily overwhelm. However, failing to equally recognize the importance of security in a DevOps strategy is also a recipe for disaster.

Business Enablement

Each of us, as an employee of a company, has a common goal: to enable the business to meet its strategic objectives. As Dev, Ops or Security professionals, we need to understand how our role within the company fits into the company objectives. I argue that security is the responsibility of everyone. No matter how fast the velocity of a DevOps organization, if what it produces is not supportive of confidentiality, integrity and availability, then it has failed. Including security in everything that you do is part of enabling the business to meet its strategic goals. Even DevOps needs security.

Use Security to Build Trust

Customers, partners and stakeholders want to know if they can trust the systems and software that a company produces and maintains. They ask the company, “Can I trust you with my valuable information, whether it be intellectual property, personal information or other?” Demonstrating security in everything you do is one method to build trust. It's important that a DevOps team show their security knowledge, processes and tools even before the customer asks for proof. A few ways to demonstrate trustworthiness are being transparent or meeting regulatory and compliance requirements. A combined solution of DevOps with security is a road to increased trust.

While these are only two reasons why DevOps needs security, they are important starting points for any upcoming or entrenched DevOps manager. Including the means to demonstrate to your customers and stakeholders why your systems are trustworthy and enable business objectives is critical. The practice of lean security helps ensure that one does not build in a vacuum and takes into account the larger strategic goals of the business as a whole.