With the advent of “everything as a service” – enterprise infrastructure, integration and solution delivery cadence have all radically changed. The cloud revolution has meant that development operations are now agile, in continuous deployment, and leveraging automation to accelerate QA and change management. If security and compliance are to become native to the development process then they need to adopt a development operations (DevOps) cadence of sustained engineering that prioritize speed of delivery and automation of workflow. Alternatively, security operations (SecOps) and compliance have required a different focus than DevOps with priorities such as: policy management, monitoring, code inspection and risk mitigation. SecOps needs to anticipate risk and ensure controls are retroactively mitigating compliance and security risk. The inherent conflict comes from a traditional view that security review should come after software development as a final check but instead ends up becoming a fractious process of reconciling necessary controls into the release cycle. What I learned this week at the Atlassian Summit is that a new approach that gives risk and compliance an opportunity to integrate security earlier in the software development and deployment process is what is needed. As Guy Herbert, Head of Risk and Compliance at Atlassian calls this a journey that requires DevOps to bring along teams like risk, security and compliance into the shared responsibility of making the organization resilient to change. Bringing about the shared responsibility can be difficult since there is a natural tension between DevOps and SecOps, as they have different charters and cultures. DevOps can be seen as more of a do culture (Atlassian calls this a “do-ocracy”) and SecOps can be seen as a control culture and they are inherently in conflict.
To fulfill the promise of teaming for shared responsibility, DevOps and SecOps should align on three key objectives: collaboration, communication and integration.
Collaboration DevOps is a process for software development that emphasizes collaboration between an organization's operations, development, testing, and support teams. The focus is on reducing time to market and improving agility through rapid development and rollouts. However, before the process of development can begin you need to start with a plan. At the planning stage of development is where security and compliance can already be incorporated. Tugboat Logic’s Virtual Security Officer Platform enables an organization to build a system of record that can implement and orchestrate the SecOps portion of the development plan. Policies and controls can be widely disseminated across product and engineering teams to document the intention of controls, define their implementation and enable teams to collaborate with comments and feedback in one hub.
Equally vital is the need for security practitioners to be able to bridge the communication gap that exists between the security function and the rest of the dev organization. Compliance and security can be viewed pejoratively by other teams because people don't understand it or see their materiality to users’ lives. But this too can be changed.
For example, instead of talking about a breach or a vulnerability, it's better to talk about a security risk in terms of project delays and unplanned, unscheduled work. When speaking to operations teams, it's better to talk about availability and user privacy requirements as correlated with mean response time or system uptime rather than a data breach. "Organizations will see more ownership at the coalface of risk management and it will be teams, not lone geniuses solving problems," Herbert says. The teaming of DevOps and SecOps is the key to making security just another product requirement task and a natural business condition for the company. To succeed in a world that's moving at the speed of DevOps, security groups need to be able to articulate control requirements in both the language and tools that DevOps lives in, such as Jira and GitHub. Tugboat Logic enables information security principles to be extended from an IT control directly into a task or issue within Jira. Once DevOps has closed out an issue, the Tugboat Logic Virtual CISO Platform can update its status as “complete” and enable an auditor to verify implementation status.
Integration The high degree of automation and workflow tools in DevOps is often its most radical process departure for security practitioners. The critical success factor for integrating security and development operations is to make control implementation easy and clear for developers to follow. For example, if the team is working toward a SOC 2 security certification, then a clear control framework broken down into tasks and issues will ensure a smooth integration of security into the dev cycle. Tugboat Logic’s Security Certifications module is an example of how to define requirements for achieving readiness for a security certification with controls gap analysis and audit-ready verification status in one place. "The fact is that if you set the parameters right and the controls right, by automating you will actually have better security," notes Alan Shimel of Devops.com. "You have less human error, less drift," because everything is configured to specifications that have already been proven secure and approved by the business. Shimel continues: “When you combine code injection analysis tools and automated penetrating tests earlier in the development process, it makes it possible for organizations to identify and eliminate security issues at every step of the development process.”
Bringing it Together The truth is that automation and velocity in DevOps is fundamentally driving the business forward and security needs to automate as well. The key to tying together security and development operations is the orchestration and demystification of security and compliance for the entire dev team. If you make it easy and clear for developers to integrate security, you’ll have a more secure product and organization. Tugboat Logic provides you the necessary glue to connect the different worlds of DevOps and SecOps.