DevOps Methodologies for the Security Pro

Jonathan Trull, Chief Information Security Officer


DevOps, a combination of the words development and operations, is revolutionizing the way software is produced and managed.  Companies such as Etsy, Netflix, Amazon, Google, and Facebook have adopted DevOps methodologies and have become champions of the new approach.  DevOps proponents claim that it can improve the speed of product delivery while at the same time improving reliability and uptime.  So, what is DevOps?

DevOps is a software development method that stresses communication, collaboration, integration, automation and measurement between software developers and those with IT security jobs.  Although many discussing DevOps focus on the tools that support it, DevOps is really about culture; it’s a new way of doing the business of IT.  At its core, DevOps aims to break down the traditional silos that exist between developers and operations staff.

For anyone who has worked in IT long enough, you know the significant animosity that often exists between these two groups.  Operations staff will tell you that developers typically produce bad code to meet pressing deadlines and then pass this code on to support without any help or documentation.  Developers, on the other hand, will complain that operations staff aren’t moving fast enough to meet their needs, prevent them from gaining access to production logs for troubleshooting, and don’t provide a stable production environment for their code.  In the end, these disagreements between two key groups typically lead to project delays, long software release cycles, and a break-fix mentality in which everyone is constantly in “firefighting” mode.

The overall goal of DevOps is to increase the speed of innovation, helping organizations rapidly produce software products and services and improve operations performance.  This is often accomplished by automating the release cycle for software updates.  Now, instead of taking months to deploy software updates, companies embracing DevOps are pushing new code into production every few hours.  By doing this, DevOps methodologies typically result in:

  • Faster time to market
  • Lower failure rate of new releases
  • Shortened lead time between fixes
  • Faster mean time to recovery

You may be asking, why, as a security professional, do I need to know about DevOps?  Well, for starters, it is likely occurring in your organization or will be in the near future.  Based on a recent survey sponsored by Rackspace, 66 percent of U.S. companies reported already adopting DevOps practices and methodologies, and 79 percent of companies that have not yet embraced DevOps plan to do so in 2015 [i].  Equally important is that DevOps methodologies fly in the face of some traditionally held security beliefs.  For example, security professionals traditionally say that developers should never have access to production systems.  However, in DevOps, developers are considered an integral part of the operations team and typically need access to support the software and respond to outages.  Finally, and most importantly, I believe that DevOps presents an opportunity for significant security gains and risk reduction for those practicing it.

This is the first in a series of blog posts about DevOps and the security gains that can be achieved with it.  In the next blog post, I will focus on configuration management and Puppet, one of the key tools supporting it. 

[i] http://servicevirtualization.com/profiles/blogs/devops-survey