A Maturing Enterprise Mindset
NEWS
Development Operations (DevOps), essentially the collaboration between developers and Information Technology (IT) operations, has emerged as one of the driving dynamics in digital transformation. At its core is the adoption of Continuous Integration and Continuous Deployment (CI/CD) for software release processes. The recent US$7.5 billion Microsoft acquisition of the code-hosting platform GitHub is a testament to the importance of DevOps tools to enterprises. Over 27 million developers use the platform, alongside others, to build and contribute to 80+ million projects, and numerous enterprises rely on it to deliver new business value as part of their digital transformation. DevOps tools like GitHub not only facilitate and streamline software development; they embrace automation to push applications into production faster and to better manage them post-market. However, Development Security Operations (DevSecOps) is not maturing as fast as the DevOps market is, and digital transformation is often not secure transformation. There is little doubt that digital transformation creates new security risks, and shadow IT is growing in parallel with DevOps' coming of age.
The Problem of Shadow IT
IMPACT
While testing and deployment are part of DevOps processes, the missing piece is still security. Many developers are keen to drive their enterprise's digital transformation by leveraging the increasing availability of tools such as GitHub, GitLab, Docker, Kubernetes, Puppet, Chef, Jenkins, and Ansible, among many others. However, they often adopt such tools without fully informing or collaborating with the IT department. Traditionally, the two groups have worked in relatively separate silos, and while DevOps aims to bring them together, there is a lingering divide that is hard to bridge. The result is a shadow IT problem that significantly increases the risks for enterprises, whether they are startups or established players.
DevSecOps is the answer to minimizing these risks, but, much like DevOps, it is an organizational process as much as it is a collection of tools and people. Security is a discipline and, as such, requires a combination of strategy and application. Ideally, that means including security at inception and following through on it throughout development and post-market. Currently, DevSecOps sits at the end of the development process, but there is a growing imperative to shift it left, to product inception. The savings DevOps delivers during development simply do not stack up against the costs an enterprise incurs when vulnerable software is exploited in the field.
New Tools for DevSecOps
RECOMMENDATIONS
For DevOps to become DevSecOps, a number of things need to change. First, the mindset of developers and IT operations engineers needs to shift in how they regard security. This often comes down to enterprise culture: visible commitment to security adoption and education from the top level down can do much to reframe security not as a barrier to DevOps but as an enabler. Second, tools need to be available that help those stakeholders understand the security implications of their choices and implement the right controls for their specific context. These tools need to be integrated into existing toolsets and workbenches, and they need to streamline application development, not hinder it.
Methods such as threat intelligence, attack modeling, risk assessment, dynamic and static testing, and pen testing need to become intrinsic to DevOps processes. Automation, orchestration, Artificial Intelligence (AI), and machine learning can help integrate and expedite many of these functions and security controls; they are as much a part of a secure digital transformation as DevOps is. The security industry is working hard toward enabling that, both by integrating its existing arsenal of security tools and services into DevOps and by tackling newer areas such as container security, checking open source libraries for vulnerabilities, and automating security checks in test frameworks. DevSecOps need not be a prohibitive discipline to get into, but it will increasingly become critical if enterprises want to get the most out of their digital transformation.