Research firm Gartner projects that DevOps will move from a niche strategy to a mainstream strategy by next year, in place at roughly 25 percent of Global 2000 enterprises. This is a chance for enterprises to get security right, if they decide to do the right thing when it comes to information security.
Moving from niche to mainstream is a big deal. DevOps goes a long way toward helping enterprises clear out a lot of development waste and operational underbrush through increased automation, standardization, and collaboration. Ultimately, enterprises become more agile and responsive to market demands through DevOps.
Along with the acceleration of DevOps acceptance, Gartner predicts that revenue from DevOps toolsets (which it defines as tools purpose-built to support the DevOps philosophy, such as continuous delivery, continuous improvement, infrastructure and configuration as code) and other such toolsets will increase 21.1 percent over the next year, reaching sales of $2.3 billion this year, up from $1.9 billion in 2014.
What does this mean for infosec? In a release, Gartner describes DevOps as a cultural shift that blends operations with development and “demands a linked toolchain of technologies to facilitate collaborative change.”
In that statement, Gartner analyst Laurie Wurster said, “The overall DevOps message is compelling, because many enterprise IT organizations want to achieve the scale-out and economies of scale achieved by world-class cloud providers. Nevertheless, there are still several gaps that prevent implementation of DevOps as a comprehensive methodology.”
The challenge is that culture and process change can be painfully slow in large organizations. That’s especially true when working with information security.
With DevOps, enterprises step away from many of the waterfall development approaches that they know so well, and they shed those tremendously bulky build cycles where so many things can go wrong so close to, or even after, ship dates. Those cycles created enormous strain on developers and IT security managers, because the pressure to remedy poorly secured code and latch on security controls came so late in the development process. Things that should have been done right were rushed, kicked out to a later date, or skipped altogether.
DevOps is an opportunity to automate a lot of those tests throughout development, and to build security design and proper engineering into the entire development lifecycle. By automating security and regulatory compliance tests throughout development, security reaches a level that many security pros have been clamoring for years to attain – secure development processes built into the development lifecycle itself.
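As an added illustration of what an automated security and compliance test in the pipeline can look like (example code written for this page, not code from the article or from Gartner), the script below acts as a build gate: it reads a service's deployment manifest, which is kept as configuration-as-code, checks it against a handful of policy rules, and returns a non-zero status so the pipeline fails the build on any finding. The manifest schema, the rule set, and the two sample manifests are all constructed assumptions; a real organization would map the rules to its own controls and configuration format.

```python
"""Automated security gate for a deployment manifest (constructed example).

Runs on every build in the pipeline. It fails the build when the manifest
violates a policy rule, so the problem is caught where and when it was
introduced instead of at ship time.
"""
import json
import re
import sys

# Environment variable names that should never carry a literal value in a
# manifest; a reference into a secret store (here the constructed "vault:"
# prefix) is acceptable.
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)
SECRET_REF_PREFIX = "vault:"

# Administrative ports that must not be exposed to the whole internet.
MANAGEMENT_PORTS = {22, 3389}
ANY_CIDR = "0.0.0.0/0"

# TLS versions that fail the minimum-version rule.
WEAK_TLS_VERSIONS = {"1.0", "1.1"}

# Constructed sample manifest as a developer might first commit it.
BAD_CONFIG = json.dumps({
    "service": "billing-api",
    "debug": True,
    "tls": {"enabled": True, "min_version": "1.0"},
    "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    "ingress": [
        {"port": 22, "cidr": "0.0.0.0/0"},
        {"port": 443, "cidr": "0.0.0.0/0"},
    ],
})

# The same service after the findings are remediated.
GOOD_CONFIG = json.dumps({
    "service": "billing-api",
    "debug": False,
    "tls": {"enabled": True, "min_version": "1.2"},
    "env": {"DB_PASSWORD": "vault:secret/billing/db", "LOG_LEVEL": "info"},
    "ingress": [
        {"port": 443, "cidr": "0.0.0.0/0"},
        {"port": 22, "cidr": "10.0.0.0/8"},
    ],
})


def check_config(manifest):
    """Evaluate one parsed manifest; return a list of human-readable findings."""
    findings = []
    name = manifest.get("service", "<unnamed>")

    # Rule 1: debug/verbose modes must be off in deployable configuration.
    if manifest.get("debug") is True:
        findings.append(f"{name}: debug mode is enabled")

    # Rule 2: TLS must be on and must not allow deprecated protocol versions.
    tls = manifest.get("tls", {})
    if not tls.get("enabled", False):
        findings.append(f"{name}: TLS is not enabled")
    elif tls.get("min_version") in WEAK_TLS_VERSIONS:
        findings.append(f"{name}: TLS minimum version {tls['min_version']} is too weak")

    # Rule 3: secrets come from the secret store, never as literals.
    for key, value in manifest.get("env", {}).items():
        if SECRET_NAME_RE.search(key) and not str(value).startswith(SECRET_REF_PREFIX):
            findings.append(f"{name}: env var {key} holds a literal secret")

    # Rule 4: management ports are not reachable from anywhere.
    for rule in manifest.get("ingress", []):
        if rule.get("port") in MANAGEMENT_PORTS and rule.get("cidr") == ANY_CIDR:
            findings.append(f"{name}: port {rule['port']} is open to {ANY_CIDR}")

    return findings


def gate(config_text):
    """Pipeline entry point: print findings and return the process exit code."""
    findings = check_config(json.loads(config_text))
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    # With no argument, demonstrate on the constructed bad manifest;
    # in a pipeline, pass the path of the manifest under review.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    sys.exit(gate(text))
```

The gate is deliberately small and deterministic: every rule is a plain predicate over the manifest, so a developer can run the same script locally before committing, which is the tight feedback loop the article goes on to describe. The same structure extends to whatever controls an organization's compliance program actually requires.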
A little over a year ago I had the pleasure to interview Bill Burns, who had been director of information security at Netflix just before our talk. He said in the interview that DevOps is a way to build security into the design requirements and in the architecture and then for security to “participate in tighter feedback loops both with developers and with operations.”
He’s absolutely right; those tighter feedback loops enable security issues to be found closer to when and where those mistakes were made. And smaller builds mean problems are found more often and are less significant when they are found.
But that’s only if enterprises do it right. If they skimp on security processes and tests as they move toward DevOps, the flip side is that they automate more bad practices and more rapidly deploy shoddy code into production. Let’s hope more enterprises than not get it right.