DevOps has been breaking down business siloes and improving efficiency, but it’s time those principles were brought to cybersecurity initiatives, according to Palo Alto Networks.
DevOps relies on the idea that teams should automate the tasks involved in deploying, securing, maintaining, and phasing out the processes that IT and security teams have done manually in the past. This lets DevOps teams to deliver applications and support services faster.
DevSecOps is about making security principles integral to the DevOps process. According to Sean Duca, Palo Alto Networks VP and regional chief security officer for Asia Pacific, DevSecOps provides opportunity for organisations that are migrating to the cloud.
“Developers are writing new code anyway; they should completely rethink and modernise their approach. Developers should no longer be deploying code and installing fixes the way they did when the internet was young,” Duca says.
“They need a new approach that seamlessly integrates developers, the operational team, and the security team. It’s not just about building an app in the cloud, it’s about building security in from the very beginning.”
Organistions that include information security as part of their existing DevOps ideology may be able to build more sustainable and effective security teams – all team members could even be viewed as site reliability engineers (SREs).
“To maximise the efficiency, effectiveness, and security of the organisation’s overall operations, businesses need to eliminate separate teams for development, operations, and information security. Instead, they need tighter integration among all these teams, often held together by the SRE,” Duca explains.
“The SRE combines the skills of developers responsible for writing applications with the skills operations engineers use to deploy those applications. SREs help scale operations through automation. Organisations that embrace this role and the DevSecOps model will outperform their competitors that don’t.”
Palo Alto believes this approach is important while businesses transfer workloads to the cloud. Organisations that understand they are responsible for their own data in the cloud will be more likely to drive adoption of the DevSecOps model.
This is because they will move through three stages of cloud security: click (adding security when servers are added); command (scripting); and committing to changes as part of codes.
“Security should natively work within the code. Businesses should understand the risks they face and the ways their network could be brought down, then integrate security into every single application,” Duca says.
“DevSecOps is the best approach to give organisations the five key requirements for success: visibility and control; segmented applications; threat prevention; process automation; and central management.”