How to integrate security into a DevOps team

While the number of enterprises subscribing to cloud applications is increasing, that doesn’t mean internal application development has gone away. Sometimes customization may be needed for a cloud application to meet business needs, and sometimes a custom application may have to be written.

Either way, security is an essential element of any internal development. And while IT departments are increasingly adopting the collaborative software development and delivery process called DevOps, making sure the security team is integrated and not an afterthought is vital.

That’s reinforced by a survey of 300 U.S. IT pros and managers released Wednesday by DigiCert, maker of identity and encryption solutions for enterprises: Eighty-eight per cent of respondents said integrating security with DevOps is either somewhat or extremely important. The top two reasons they cited as driving this were to speed application development as well as security.

Just under half (49 percent) of the enterprises questioned had already integrated security into their DevOps teams, with an equal number actively working on completing that integration.

They admitted it wasn’t easy. “The top three challenges cited were that it takes too long, security teams resist the change and that it requires strong relationship skills to perform the integration,” says the report.

Interestingly, those who haven’t completed the move estimate the integration will take less than a year (seven to 11 months). But those who have completed the transition say it took an average of 1 to 2 years. Clearly some organizations are underestimating the effort.

Yet those who have done the integration say it’s worth it. Of those surveyed:

  • 22 percent were more likely to report they are doing well with information security
  • 21 percent were more likely to report doing well meeting app delivery deadlines
  • 21 percent were more likely to report doing well lowering app risk.

“Agility and security are not mutually exclusive, and integration requires a combination of technology improvements, and a cultural shift in how technical staff is aligned,” DigiCert CSO Jason Sabin said in a statement. “The DevOps methodology is not just a method for increasing speed, but about improving efficiency, quality control and predictability in development outcomes. The right integration of security staff and technology, including digital certificates, can improve organizational metrics, avoid costly delays and improve the end-user experience.”

The report makes four recommendations to CIOs looking to integrate security into DevOps teams to help balance development agility and information security:

  1. Appoint a social leader: Identify a champion to drive cultural change including defining IT, security, DevOps roles and integrating teams;
  2. Bring security to the table: Place a security lead on all DevOps initiatives and involve them from the beginning. Limit access, sign and encrypt everything within the network using automated PKI.
  3. Invest in automation: Automate baseline security practices within DevOps workflow, including: certificate management, patching, vulnerability scanning, static code analysis;
  4. Integrate and standardize: Implement controls on certificate management processes and integrate with server configuration and orchestration platforms to enable automated security behind the scenes.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
