DevOps vs. Security: Debunking the Myth

DevOps teams and security teams can often find themselves at odds with each other. On one hand, DevOps is associated with independence and a rapid pace of innovation, which security teams view as a risk to compliance. Similarly, DevOps teams sometimes believe that the need to adhere to compliance regulations is a hindrance to agility and development. The truth, however, is that these two organizations can work harmoniously, with compliance and innovation in sync with each other. When done properly, DevOps can ensure compliance by incorporating automated policy enforcement into the development process. How can security fit into DevOps without hindering software development?

A DevOps approach to software development can strengthen collaboration and increase the speed at which software is developed and deployed. DevOps is growing in popularity among organizations that want to quickly adapt and deliver on their customers' changing needs. In a DevOps environment, rather than waiting for the finished product before testing for bugs, the team tests each working part of the application and patches it accordingly. This allows the team to fix potential issues before they become problems, while at the same time continuing to develop other parts of the application. Development and testing happen simultaneously, resulting in a faster-paced development process. While this sounds ideal to some, security teams are often quick to raise a red flag.

Because the DevOps principle is centered on innovation and rapid development, the belief is that security and compliance come as an afterthought, or worse, not at all – much to the dismay of security teams who are left to pick up the pieces. However, the agility that DevOps teams bring to the table can, in fact, help to simplify and ensure compliance.

The solution to the DevOps versus security challenge is automation. As an enterprise network evolves and becomes more complex, there's greater potential for human error and misconfigurations. In multi-vendor, large-scale networks, managing network changes error-free is simply beyond human ability. Building orchestration and automation tools into the DevOps process solves these challenges.

With automation tools, DevOps teams have the ability to test an application's security policy compliance, similar to any other piece of code in development, through an automated workflow. Software can be modified at the first sign of security risk or non-compliance. DevOps can continue to innovate and develop applications, and security teams can feel confident that those applications are fully compliant and free of vulnerabilities.

DevOps and security teams don't have to be at war with each other. DevOps can, in fact, be an enabler as opposed to a risk. Likewise, security doesn't have to slow down innovation. The right automation tools can deliver the best of both worlds – software innovation and compliance – working together to meet business objectives.