DevOps: The Last Great Hope for Application Security?


April 8, 2014 By Derek Weeks

Once upon a time, there was a great battle between speed and security. Development wanted to go fast. But, security wanted to slow down and be safe.

“We must protect our gilded apps”, cried the application security team.

“Speed is cherished by our people”, declared the development team.

For years, they endured the pain of testing late in the lifecycle, sorting through reams of false positive reports, and dealing with the added cost of pushing bad software out the door. They knew there had to be a better way…

And then came, The DevOps Revolution. The DevOps team had an answer:

“Let’s bring Application Security and Development closer together — and shift their focus further to the left”.

The DevOps team knew that by introducing awareness of security vulnerabilities and policies early in and across the software development lifecycle — without creating a time-consuming tax on development — that both teams could win. The shift was made, and they lived happily ever after.

Want to learn more about DevOps and AppSec?

At the RSA Conference 2014, we gathered some of the top DevOps experts and influencers at an evening called Wining Not Whining and asked them “Why is application security so important to the DevOps revolution?”

Listen to what they had to say:

DevOps: The Last Great Hope for Application Security

Share these voices and yours with others in our global DevOps community.  Find the on-going conversation on twitter using the hashtag #DevOps. The full transcript is included below.

“In some respects, DevOps represents the last best hope for security.  We’re never gonna be successful bolting security on after the fact.  DevOps gives us the opportunity to build security holistically in to the development and operations process, and that’s the only way we’re ever gonna hope to be successful.” — Alan Shimel, DevOps.com

“When an organization is using DevOps principles, they can do deploys of hundreds, even thousands of deploys per day.  On the one hand you can view that as threatening to information security as a profession, but my colleagues and I, we all believe that this is the best opportunity for information security to become relevant and integrate ourselves into the daily work of development and operations.  So I urge you to seek out your DevOps kindred spirits in dev and ops and be part of a team that helps the organization win.” — Gene Kim, The Phoenix Project

“What I’ve observed, ’cause I’ve worked in just about all parts of the development lifecycle phase all the way through operations, is that usually what happens is the development organization throws a product over the wall.  The operations folks are left to their own devices to have to solve whatever anomalies, vulnerabilities, and defects ended up in the software before it went into operations.  And what we found in our research and what I’ve found in my own experience is if you can address security issues as early as the requirements phase of the software development lifecycle — and if you can address vulnerabilities and defects in the software while the software is going through requirements along with design and architecture development and testing — you can actually address a fairly significant percentage of the types of security issues that show up in operations today.” — Julia Allen, Carnegie Mellon’s CERT

The reason why DevOps is so important for security is because security is the kind of thing that needs to be baked into a product, just like quality, just like stability, just like availability.  These are all features that need to be invested in, and the best way to do that is to pull them forward in the lifecycle and make them equal citizens to the business features, the rest of the features that the business runs on.” — Damon Edwards, DTO Solutions

“Why is DevOps and security so important?  First, DevOps is really important ’cause it’s changing the way we build software.  And part of how we build software has to be including security, so together it’s just a natural fit on how to make systems and software and our jobs better.” — Nick Galbreath, Signal Sciences

“It’s very important for DevOps and security to work together to ensure consistently secure software is developed as quickly as possible and as error-free as possible.  Without the proper cooperation, you’ll be paying for it later.” — Andrew Wild, Qualys

“You have a major vulnerability that is turning into a security incident in operations, and it’s eating operation’s lunch.  It’s causing servers to go down, services to not be available, major asset issues, and you find out that it’s caused due to a systemic design flaw that could have been caught upstream.  As a result of that, and these are just kind of notional numbers, you reduce your cost by half; you reduce your development time by half; and you have a much more robust product going into operations.” – Julia Allen, Carnegie Mellon’s CERT