How to use DevSecOps to smooth cloud deployment

A set of practices designed to bring security teams up to speed and leverage new ways to protect clouds

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

At the start of a DevOps cloud adoption project, there is usually some friction between security and development teams. It can take an enterprise months, even years, to fully integrate security teams into faster development cycles—time that enterprises cannot afford. The solution? DevSecOps, a set of practices designed to bring security teams up to speed and leverage new ways to protect clouds.

The good news is that enterprises are already building the tools and processes security teams need to succeed.  Here are five tips to help you integrate the DevOps and security teams:

1. Identify the challenge. When DevOps processes are limited to a single business unit or team, maintaining security practices is fairly simple. The problem comes when the entire security organization -- that has likely been exposed sporadically to DevOps -- is expected to develop new company-wide processes and standardize security methodologies.

Here’s what what typically happens when you apply old security processes to DevOps teams: The central security organization develops cloud-specific security documentation and inserts themselves at various stages of the sprint (often the testing phase). This involves manually ensuring that cloud resource configurations meet specifications.  And it takes weeks from identifying a new cloud security vulnerability to documenting the fix to deploying the fix, creating delays and slowing deployment.

It is easy to see that the culprit in this scenario is manual security work. When operations builds systems manually, they do manual network and configuration work, which has the potential for errors and therefore must be manually checked. When security teams identify a problem, they must manually document the solution which must be manually deployed, instance by instance, in your environment. This burns hours that security teams should be spending in more valuable efforts.

2. Expose security teams to DevOps early.  Once the security organization has identified the challenge -- or is already feeling the repercussions of slow security services -- the next step is education. Security teams need to be exposed to DevOps technologies and methodologies, which in turn leads to a period of learning about cloud development and deployment tools.

The light bulb goes off when security teams realize that DevOps tools -- like configuration management -- can actually be used to improve governance. In fact, before configuration management tools like Puppet and Chef were used to automate deployment pipelines, they were used by security professionals to implement and guarantee security configurations on servers. Witnessing the power of declarative configuration languages resonates with security professionals by providing new and exciting solutions to their daily tribulations.

3. Centralize the solution.  When security professionals see the power of DevOps to improve their daily workloads, resistance usually fades. At this stage, they begin to develop more mature practices around security-as-code.

What is security-as-code? Certain aspects of basic system security, like network configurations and access policies, can and should be modular, scripted templates that are available for reuse in a tool like AWS CloudFormation or Troposphere combined with a configuration management tool like Puppet, Chef, or Ansible. These tools allow security professionals to “hard code” best practices into every build rather than enforcing best practices post facto. Moving security testing and auditing closer to the code both increases the value of security professionals and decreases the cost of remediation.

4. Protect your security team’s time. Once your security team has worked together with operations to “bake” their security practices into templates, they no longer need to review every single new environment. That is because those templates are kept in a central repository, used on every single new environment, and changes or alterations must be checked out as a branch and submitted for approval. Security professionals only need to review changes to a single template, not review and test the thousands of instances created based on those templates.

The outcome? You have outlawed manual configuration work and significantly reduced the risk of an operations engineer can make a manual, uncounted error (like forgetting a critical security configuration). And in the meantime, you have refocused your security team on what matters and not on manual, repetitive, and unproductive work.

5. Break your own software.  After you build security-as-code, the final critical component of DevSecOps is to not trust it. No system -- even one with little human interaction and high governance -- is error-free. The only way to discover these flaws is continual testing.

Part of your central IT team must form a “red team” that tries to get access to your environment through both social engineering and brute force. This also helps security teams convince developers and engineers to take immediate action (because getting hacked is embarrassing for any DevOps team).

There is a reason DevSecOps is rising in popularity: it is the only well-defined methodology that addresses the security of the cloud in an enterprise DevOps setting. Whether this evolution takes place during cloud planning or after interaction between security and DevOps teams has already developed, it is a crucial step towards securing cloud resources.

Logicworks is a leading cloud automation and managed services provider with 22+ years of experience helping enterprises transform IT. As an AWS Premier Consulting Partner, Logicworks specializes in hybrid and managed AWS solutions for the healthcare, financial, legal and commerce industries. For more information visit:

Join the CSO newsletter!

Error: Please check your email address.

More about AWS

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Jason McKay, SVP and Chief Technology Officer, Logicworks

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place