Does DevOps hurt or help security?

There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can't keep up, that too many of the metrics measured focus on production, availability, and compliance checkboxes, and that as a result, security falls by the wayside.

Early proponents of DevOps always have argued that when done right, DevOps can actually improve security. When it comes to the positive impact of DevOps on security efforts, Justin Arbuckle, vice president, EMEA, and chief enterprise architect at Chef, doesn't mince words. Arbuckle also was formerly chief architect at GE Capital, where he was a big proponent of Agile and continuous delivery approaches to software development.

Arbuckle says that many, if not most, organizations today simply are not developing resilient software or infrastructure, or even maintaining regulatory compliance -- and that without moving toward DevOps they will never be able to automate as many of their software security and regulatory compliance checks as they could.

"I think a lot of what we think of as being compliant today is a complete myth," says Arbuckle, who contends that there are so many security and regulatory compliance checks that large enterprises typically have to check that they just can't keep up. "They have to trade off between 'It's good enough, we're ready to go' and 'We're not going to go anywhere until we've literally crossed every T and dotted every I,'" Arbuckle said in a recent interview.

Arbuckle is even more skeptical of current enterprise claims when it comes to managing their security risk posture. "I think the number of organizations that can count fully detailed, fully implementable -- and that's the key word, 'implementable' -- security policy by their infrastructure people on one hand," he says.

According to Arbuckle, security teams trying to keep up with security threats have to learn and respond as they go, and the result is that security policy tends to lag the threat. "The only way for the organization to catch it is through this process of documentation, policy, and checks. And through it all, they know that the standard is nonsense because it's out of date by definition. So they have to create a point-in-time review, which brings velocity to a halt," says Arbuckle.

DevOps naysayers contend, however, that DevOps also risks automating the wrong processes, or that poor metrics move the organization away from measuring actual security and compliance risks toward measuring only those risks and threats that are easy to measure, thereby creating a false sense of security that is itself dangerous.

Andrew Storms, vice president of security services at consultancy New Context, says that while some concerns about moving too fast to DevOps are valid, many of them come from a place of fear. "Much of it really is rooted in fear. They see that the organization has brought together the developer and the operations team and they fear that everything will become the Wild West," Storms says. "However, we've shown over and over through the years that bringing these teams together actually has huge positive impact."

In his talk "How Security Can Be the Next Force Multiplier in DevOps" at the RSA Conference in San Francisco earlier this month, Storms argued that DevOps is proving itself to be a way to enhance security efforts.

While security processes and tests should always be an integral part of the DevOps workflow, that isn't a reality for many organizations. They've always struggled to properly integrate security, and those challenges certainly persist through transitions to DevOps. But Storms says that DevOps provides an opportunity to couple security more tightly into the workflow. "One of the best ways to bring DevOps and security together is to utilize the tools and the processes that DevOps really excels at and apply them to security," he says -- "things like automation, orchestration, and instrumentation. Let's use those tools to build these closed-loop security systems where everything's automated and everything's predictable. That's a way we actually can fulfill the security requirements in an automated fashion with fewer resources."

One success story that Storms cites is a healthcare company in the Northeast. "It has had serious compliance and security requirements so it performs continuous deployment. The company has extensively automated its security and compliance tests and the auditors are happy," he says.